Question about security #119
AWS will not verify the sanity of the file contents and whether it matches the content-type. However, it will ensure that the content-type sent in the header is one of the given mime-types. So if the client uploads something that is not an image with a spoofed content-type, then the browser will see it as a broken image. Normally this is not a security issue unless there is a bug in the client browser that allows some sort of buffer overflow exploit or something. Technically that would be a security issue, not with your app or this package, but with the browser. However, if you really would like to protect users from these kinds of exploits, I suggest that you do some sort of image validation on AWS Lambda.
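One way to do the image validation suggested in the reply above, as an added example that is not part of the thread or the package: a check a Lambda function could run on the first bytes of an uploaded object, comparing the file format's magic number with the declared Content-Type. The function names, the allowed-type list and the sample buffers are assumptions constructed here; fetching the object from S3 is not shown.

```javascript
// Added example: compare an upload's leading bytes with its declared type.
// Signatures are the standard magic numbers of each image format.
const SIGNATURES = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8" (GIF87a / GIF89a)
];

// Returns the MIME type implied by the leading bytes, or null if none matches.
function sniffImageType(head) {
  for (const sig of SIGNATURES) {
    if (head.length < sig.bytes.length) continue; // too short to match
    if (sig.bytes.every((b, i) => head[i] === b)) return sig.mime;
  }
  return null;
}

// declaredType: the Content-Type stored with the object (client-supplied).
// head: Buffer holding the first bytes of the object body.
// allowedTypes: assumed list mirroring the upload restrictions.
function checkUpload(declaredType, head, allowedTypes) {
  // Drop parameters such as "; charset=..." and normalise case.
  const declared = String(declaredType || '').split(';')[0].trim().toLowerCase();
  if (!allowedTypes.includes(declared)) {
    return { ok: false, reason: 'type-not-allowed', sniffed: null };
  }
  const sniffed = sniffImageType(head);
  if (sniffed === null) return { ok: false, reason: 'not-an-image', sniffed };
  if (sniffed !== declared) return { ok: false, reason: 'type-mismatch', sniffed };
  return { ok: true, reason: 'match', sniffed };
}

// Constructed sample inputs (not real uploads).
const ALLOWED = ['image/png', 'image/jpeg', 'image/gif'];
const pngHead = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const jpegHead = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]);
const textHead = Buffer.from('this is not an image', 'utf8');

console.log(checkUpload('image/png', pngHead, ALLOWED));  // genuine PNG
console.log(checkUpload('image/png', textHead, ALLOWED)); // spoofed Content-Type
console.log(checkUpload('image/png', jpegHead, ALLOWED)); // wrong image type
```

A matching signature only shows that the file starts like an image; fully decoding or re-encoding it in the Lambda function is the stronger check.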
Great package! But I have one question:
How secure is this package?
We declare these fileRestrictions:
Is it possible for a user to upload some garbage that wouldn't be an image?
Because I'm using the returned link and assigning it to the user avatar field. I'm scared that somebody will make a "broken image" just for fun. Is it possible? Or will Amazon somehow restrict anything that is not an image (even if it has an image extension)? Thanks!