Comments
I can totally understand the reason: you assume that the data being sent to the API is invalid in some form, so you verify it again on the server.
You have to assume that your user doesn't understand most file types or what they mean, so depending on the user to get the right file type is not a good thing. Otherwise you're just creating a classic garbage in, garbage out scenario.
For example, have a non-technical person explain the difference between .doc and .docx file types.

@TestInProd423 the filetype parameter is optional. If it's not supplied, Slack determines it automatically. And if you explicitly specify a filetype, Slack apparently still sometimes tries to guess the file type itself.
Does that still make sense? Giving the user the ability to optionally specify a file type and then disregarding what the user specifies anyway? It doesn't for me.

realngnx: That's reasonable too, as the user might be saying the file is a picture but it's a malicious PHP shell instead (just an example). Ensuring the uploaded file type is correct is important to prevent undesired garbage/threats in...
Edit: also, they don't need to open your files; there are many ways (standard ones) in which they can just read some bytes and guess the file type...

@realngnx there are. But either these tools fail at distinguishing a CSV from a Python file, or they have an in-house solution that fails so

@realngnx I doubt Slack fails to upload an invalid/malicious .jpg file... I sure should give it a try tomorrow.
Edit: using libmagic et al. does not eliminate threats.
The fun with Slack continues (context: https://devrant.com/rants/5552410/...).
I got in touch with their support (VERY pleasant experience!). Turns out, even though I specify a `filetype` when uploading a file via Slack's API, Slack ignores it and still scans the payload and tries to determine its type itself. They say Slack needs to be absolutely certain that the file will be readable within Slack.
IDK about you, but that raises some flags for me. I again have that itch to password-zip all the files I'm sending over.
I've raised this concern to the support rep. Waiting for his comments.
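The thread circles around two points: a server should sniff the bytes of an upload rather than trust the declared type (the "picture that is really a PHP shell" case), but byte sniffing cannot tell a CSV from a Python script because both are just UTF-8 text. The example below is added here to show both sides in code; it is not Slack's code (Slack's detection logic is not public), the signatures are the well-known magic numbers of each format, and the acceptance policy, the `TEXT_TYPES`, `ZIP_BASED` sets and the `validate_upload` function are assumptions made for the example.

```python
"""Server-side upload type check built on content sniffing.

Added example for this thread, not Slack's code (Slack's own detection
logic is not public). The signatures are the well-known magic numbers
of each format; the acceptance policy is an assumption for the example.
"""
from typing import Optional, Tuple

# Leading-byte signatures of common binary formats (well-known magic numbers).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # .docx/.xlsx/.jar are ZIP containers and sniff as zip
    (b"\x7fELF", "elf"),
]

# Declared types whose contents are plain text: a sniffer sees the same kind
# of bytes for all of them, so it cannot tell a CSV from a Python script.
TEXT_TYPES = {"text", "csv", "python", "javascript", "json", "markdown"}

# Office and Java formats are ZIP containers; the outer signature is all a
# byte-level sniff can confirm, the inner layout would need a real parser.
ZIP_BASED = {"docx", "xlsx", "pptx", "jar"}


def sniff(data: bytes) -> str:
    """Classify bytes as a known binary format, unknown 'binary', or 'text'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    head = data[:512]
    if b"\x00" in head:
        return "binary"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def validate_upload(declared: Optional[str], data: bytes) -> Tuple[bool, str]:
    """Reconcile the caller's declared type with what the bytes show.

    Returns (accepted, resolved_type_or_reason). Policy (assumed, not
    Slack's): a missing declaration falls back to sniffing; a declared text
    type is honoured only if the bytes really are text; a declared binary
    type must match the sniffed signature.
    """
    sniffed = sniff(data)
    if declared is None:
        if sniffed == "binary":
            return False, "unrecognised binary content and no declared type"
        return True, sniffed
    if sniffed == "text":
        if declared in TEXT_TYPES:
            return True, declared  # bytes cannot refute a text label; keep it
        # e.g. a PHP script uploaded as "jpeg": text where an image was claimed
        return False, f"declared {declared} but content is plain text"
    if sniffed == "binary":
        return False, f"declared {declared} but content is unrecognised binary"
    if sniffed == "zip" and declared in ZIP_BASED:
        return True, declared
    if declared == sniffed:
        return True, declared
    return False, f"declared {declared} but signature says {sniffed}"


if __name__ == "__main__":
    # Constructed sample payloads (not real uploads).
    samples = [
        ("csv", b"name,age\nalice,30\n"),
        ("python", b"import os\nprint(os.getcwd())\n"),
        ("jpeg", b"<?php echo 'hello'; ?>\n"),
        ("png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("docx", b"PK\x03\x04" + b"\x00" * 16),
        (None, b"%PDF-1.7\n"),
    ]
    for declared, payload in samples:
        print(declared, validate_upload(declared, payload))
```

Running it shows the two behaviours side by side: `sniff` returns `"text"` for both the CSV and the Python payload, so the only way to keep those two apart is to honour the declared type, which is exactly what a sniff-only service cannot do; at the same time, a text payload declared as `jpeg` is rejected on the bytes alone, and a declared type that contradicts a real binary signature is rejected too. The ZIP case is the caveat behind the .doc versus .docx comment: the magic bytes only prove "some ZIP container", so a declared `docx` is accepted here without the container being opened.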
Tags: random, privacy?, slack, wtf