Security: Restrict direct attachment access and upload file types #681
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anonymoususer72041
force-pushed
the
security/attachments-access-and-upload
branch
from
87603db to
215e59c
Compare
anonymoususer72041
added a commit
to anonymoususer72041/OpenCATS
that referenced
this pull request
Dec 11, 2025
…ypes opencats#681 commit 215e59c Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com> Date: Mon Dec 8 11:25:49 2025 +0100 Avoid static FileUtility access in attachment upload validation commit 0b489bb Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com> Date: Mon Dec 8 09:15:25 2025 +0100 Add server-side whitelist for allowed attachment upload types commit de5c781 Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com> Date: Mon Dec 8 09:02:18 2025 +0100 Deny direct HTTP access to attachments and require download via UI
This reverts commit 215e59c.
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This pull request strengthens the security of attachment handling in two ways.
First, it hardens the
attachments/directory by denying all direct HTTP access via.htaccess, ensuring that attachments can only be served through the application layer (AttachmentsUI) where authentication and authorization checks already exist.Second, it introduces a server-side whitelist of allowed file extensions in
AttachmentCreator::createFromUpload(), so only a predefined set of document and image formats can be uploaded.Among other things this removes
htmlfrom the allowed types, reducing the risk of serving active content while still supporting common recruitment-related file formats.Motivation
Securing access to stored attachments
Before this change, files stored under
attachments/were effectively accessible by direct URL for specific extensions, which meant that knowledge of the path alone was sufficient to download them without going through OpenCATS authentication.While the paths are not trivial to guess, this does not align with the principle of defense in depth. By denying all direct HTTP access to
attachments/and relying exclusively onAttachmentsUI::getAttachment()for downloads, we ensure that attachment access always goes through the existing authentication and authorization checks, and we decouple security from any URL obfuscation details.Restricting allowed upload types
Previously there was no server-side restriction on which file types could be uploaded. Any extension that passed the basic size and upload error checks was accepted. This increased the risk of storing and potentially serving file types that are unnecessary for typical recruiting workflows and could introduce security issues, especially when rendered inline by the browser. Introducing a server-side whitelist based on common document and image formats narrows the attack surface and prevents the upload of unexpected or potentially dangerous file types.
Removing
htmlfrom the allowed types explicitly addresses the risk of stored cross-site scripting (XSS), where uploaded HTML could be served inline and executed under the same origin as OpenCATS, allowing untrusted scripts to run in the user's session.