I am using a web service (call it X) which allows files to be uploaded to AWS S3.
The way it works is that an initial call is made to X which then returns a list of file descriptors and also meta information which should be injected into the web form as hidden fields that the user is presented with to choose a file to upload. One of these hidden fields is the url of the S3 bucket where the file will be uploaded to.
When the user chooses a file and clicks submit the file is sent as byte streams to the S3 location.
I see two security concerns here:
Is this paranoia or actual real security concerns?
If the security measures are taken on both the client side and the server side there shouldn't be any problem. All web services should implement these things:
So if you are using a third-party service, just check its documentation or ask its developers directly.
Please note that setting a field hidden in the form is not a security measure; it is just for UI, so the user doesn't see unnecessary input fields when entering data.
Answered by Soheil on December 7, 2020
actual real security concerns?
This depends on whether or not the application is properly secured.
When all of the above is true, and/or set up correctly, I don't see why this shouldn't be less or more secure than having the url already pre-set in the web application.
It would be preferable if service X was under the control of the owner of the web application itself, since things like "trustworthiness" may change over time.
Just make sure that the application doesn't allow arbitrary upload URLs for assets. I've seen that before: web page APIs that allowed the user to specify the upload URL path, making it possible to create signed upload and even download links.
Answered by Martin Fürholz on December 7, 2020
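Both answers come down to the same point: a hidden field is not a control, so whatever the browser sends back has to be bound by something the client cannot forge. For browser uploads to S3 that binding is the signed POST policy. The following is an added example (it is not code from either answer, from service X, or from AWS): it builds the hidden fields the way a server would, signs the policy with the SigV4 key-derivation scheme over constructed example credentials and an assumed bucket name, and then runs a simplified model of the checks S3 performs when the form is posted, so you can see why tampering with the bucket URL, the key, or the policy itself is rejected. The validator is a local stand-in for S3; it is only there to make the reasoning executable offline.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed example credentials and bucket name (assumptions for this example, not real AWS values).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "example-app-uploads"
ALGO = "AWS4-HMAC-SHA256"
MAX_BYTES = 10 * 1024 * 1024


def _signing_key(secret, date_stamp, region, service="s3"):
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k = ("AWS4" + secret).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def _sign_policy(policy_b64, date_stamp):
    """Signature over the base64 policy document, as S3 expects in x-amz-signature."""
    return hmac.new(_signing_key(SECRET_KEY, date_stamp, REGION),
                    policy_b64.encode(), hashlib.sha256).hexdigest()


def build_upload_form(user_id, now):
    """Server side: hidden fields for a browser POST, bound to one bucket and one key prefix."""
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/s3/aws4_request"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    key_prefix = f"uploads/{user_id}/"  # assumed per-user prefix; server decides it, not the browser
    policy = {
        "expiration": (now + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", key_prefix],
            ["content-length-range", 1, MAX_BYTES],
            {"x-amz-algorithm": ALGO},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    return {"action": f"https://{BUCKET}.s3.amazonaws.com/", "key": key_prefix + "${filename}",
            "policy": policy_b64, "x-amz-algorithm": ALGO, "x-amz-credential": credential,
            "x-amz-date": amz_date, "x-amz-signature": _sign_policy(policy_b64, date_stamp)}


def simulate_browser_submit(form, filename):
    """Browser side: the fields as posted, with ${filename} substituted."""
    fields = {k: v for k, v in form.items() if k != "action"}
    fields["key"] = fields["key"].replace("${filename}", filename)
    return form["action"], fields


def validate_post(action_url, fields, content_length, now):
    """Simplified model of S3's checks on a POST upload. Returns (ok, reason)."""
    bucket = urlparse(action_url).hostname.split(".")[0]  # bucket comes from the URL, not a field
    try:
        date_stamp = fields["x-amz-credential"].split("/")[1]
        if not hmac.compare_digest(_sign_policy(fields["policy"], date_stamp), fields["x-amz-signature"]):
            return False, "policy signature mismatch"
        policy = json.loads(base64.b64decode(fields["policy"]))
    except (KeyError, ValueError, IndexError) as e:
        return False, f"malformed request: {e}"
    expiry = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "policy expired"
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            (name, value), = cond.items()
            if (bucket if name == "bucket" else fields.get(name)) != value:
                return False, f"{name} does not match policy"
        elif cond[0] == "starts-with" and not fields.get(cond[1].lstrip("$"), "").startswith(cond[2]):
            return False, f"{cond[1]} outside allowed prefix"
        elif cond[0] == "content-length-range" and not cond[1] <= content_length <= cond[2]:
            return False, "content length outside allowed range"
    return True, "accepted"


def tampered_scenarios(form, now):
    """Three hidden-field manipulations and whether the model accepts each (all should be False)."""
    action, fields = simulate_browser_submit(form, "report.pdf")
    # 1. Repoint the form at another bucket: the signed bucket condition no longer matches.
    other_bucket = validate_post(action.replace(BUCKET, "some-other-bucket"), fields, 1024, now)[0]
    # 2. Write outside the user's prefix: the starts-with condition rejects it.
    fields2 = dict(fields, key="uploads/bob/report.pdf")
    other_prefix = validate_post(action, fields2, 1024, now)[0]
    # 3. Edit the policy to widen the prefix: the signature over the policy no longer verifies.
    policy = json.loads(base64.b64decode(fields["policy"]))
    policy["conditions"][1] = ["starts-with", "$key", ""]
    fields3 = dict(fields2, policy=base64.b64encode(json.dumps(policy).encode()).decode())
    edited_policy = validate_post(action, fields3, 1024, now)[0]
    return {"other bucket": other_bucket, "other prefix": other_prefix, "edited policy": edited_policy}
```

The design point is that nothing the browser can edit is trusted on its own: the bucket, key prefix, size limit and expiry all live inside the policy, and the policy is covered by a signature made with a secret the browser never sees. The dangerous variant Martin describes, where the client supplies the upload URL and the server signs whatever it is given, corresponds to letting the caller choose the `bucket` or `starts-with` condition before signing; keep those values server-side.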