Hi,
While uploading the image for the user at "Profile Picture", ABP uses the built-in service SetProfilePictureAsync (API: api/account/profile-picture). I need some information on the below:
- Is ABP doing any kind of validation, like only allowing specific formats when uploading the image?
- Also, does ABP check that the file is valid/secure before storing it in the blob?
Thanks
3 Answer(s)
-
0
Is ABP doing any kind of validation, like only allowing specific formats when uploading the image?
There is no format validation in the API endpoint, but only certain types of files are allowed to be selected from the UI.
Also, does ABP check that the file is valid/secure before storing it in the blob?
There is no such validation; I am not sure if it is necessary, because, for example, if a user uploads an invalid image, it only affects them. We know that this does not affect other users or cause any security vulnerability.
Here is the implementation of SetProfilePictureAsync:

    [Authorize]
    public virtual async Task SetProfilePictureAsync(ProfilePictureInput input)
    {
        await SettingManager.SetForUserAsync(CurrentUser.GetId(), AccountSettingNames.ProfilePictureSource, input.Type.ToString());

        var userIdText = CurrentUser.GetId().ToString();

        if (input.Type != ProfilePictureType.Image)
        {
            if (await AccountProfilePictureContainer.ExistsAsync(userIdText))
            {
                await AccountProfilePictureContainer.DeleteAsync(userIdText);
            }
        }
        else
        {
            if (input.ImageContent == null)
            {
                throw new NoImageProvidedException();
            }

            var imageStream = input.ImageContent.GetStream();

            if (ProfilePictureOptions.Value.EnableImageCompression)
            {
                try
                {
                    var compressResult = await ImageCompressor.CompressAsync(imageStream);
                    if (compressResult.Result is not null && imageStream != compressResult.Result && compressResult.Result.CanRead)
                    {
                        await imageStream.DisposeAsync();
                        imageStream = compressResult.Result;
                    }
                }
                catch (Exception e)
                {
                    Logger.LogWarning(e, "Profile picture compression failed! User ID:" + CurrentUser.GetId());
                }
            }

            await AccountProfilePictureContainer.SaveAsync(userIdText, imageStream, true);
        }
    }
-
0
Hi berkansasmaz,
We have tested one scenario where we intercept the backend request and change the file content from an image to some other file, like .aspx or any malware content. Will it still be able to block it?
Thanks
-
0
We have tested one scenario where we intercept the backend request and change the file content from an image to some other file, like .aspx or any malware content. Will it still be able to block it?
Right now, the default implementation doesn't really check if the uploaded file is actually an image. So yeah, technically someone could upload something like a .jpg file that’s actually a renamed .aspx or some other non-image content.
That said, in most cases this isn't really a security issue — as long as:
- The file isn’t executed or rendered by the server
- It’s not served with an unsafe MIME type
- And users can only access their own files
But, if you’d like to apply your own security rules or validation logic, you can override the SetProfilePictureAsync method in AccountAppService and handle the checks there.
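The check that both answers describe as missing (the first: no format validation in the endpoint; the last: a renamed .aspx under a .jpg name is accepted) is the kind of logic that belongs in the SetProfilePictureAsync override the last answer suggests. What follows is an added example written for this thread, not ABP's code and not from any of the posters. It assumes that the upload stream returned by input.ImageContent.GetStream() is seekable (if it is not, buffer it into a MemoryStream first) and that PNG, JPEG and GIF are the only formats you want to accept; the class names ProfilePictureContentCheck and Program are hypothetical.

```csharp
using System;
using System.IO;
using System.Text;

// Added example, not ABP's code: a content check for the profile-picture upload.
// It classifies the upload by its leading bytes (file-format magic numbers) instead of
// trusting the file name or the Content-Type header, both of which the client controls.
public static class ProfilePictureContentCheck
{
    // Well-known signatures of the accepted formats (assumption: these three are enough for a
    // profile picture; extend the table if WebP or others are needed).
    private static readonly (string MimeType, byte[] Magic)[] KnownSignatures =
    {
        ("image/png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }),
        ("image/jpeg", new byte[] { 0xFF, 0xD8, 0xFF }),
        ("image/gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 }),   // "GIF8", covers GIF87a and GIF89a
    };

    // Returns true when the stream starts with one of the known signatures and reports the
    // matching MIME type. The stream position is restored so the caller can hand the same
    // stream on unchanged; a non-seekable stream is rejected rather than silently consumed.
    public static bool IsSupportedImage(Stream stream, out string mimeType)
    {
        mimeType = null;
        if (stream == null || !stream.CanRead)
        {
            return false;
        }
        if (!stream.CanSeek)
        {
            throw new ArgumentException("Buffer the upload into a seekable stream before checking it.", nameof(stream));
        }

        var header = new byte[8];
        long start = stream.Position;
        int total = 0;
        // Read may return fewer bytes than requested; keep going until the header is full or the stream ends.
        while (total < header.Length)
        {
            int n = stream.Read(header, total, header.Length - total);
            if (n == 0) break;
            total += n;
        }
        stream.Position = start;

        foreach (var (candidate, magic) in KnownSignatures)
        {
            if (total >= magic.Length && header.AsSpan(0, magic.Length).SequenceEqual(magic))
            {
                mimeType = candidate;
                return true;
            }
        }
        return false;
    }
}

// Stand-alone demonstration with constructed inputs (no real uploads involved).
public static class Program
{
    public static void Main()
    {
        // Constructed sample 1: the first bytes of a PNG file.
        var png = new MemoryStream(new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D });
        // Constructed sample 2: ASP.NET page markup sent under a .jpg name, the renamed-.aspx case from the thread.
        var renamedAspx = new MemoryStream(Encoding.ASCII.GetBytes("<%@ Page Language=\"C#\" %>"));
        // Constructed sample 3: an upload too short to carry a full signature.
        var truncated = new MemoryStream(new byte[] { 0xFF, 0xD8 });

        Report("avatar.jpg", png);
        Report("avatar.jpg (renamed page)", renamedAspx);
        Report("avatar.jpg (truncated)", truncated);
    }

    private static void Report(string label, Stream content)
    {
        bool ok = ProfilePictureContentCheck.IsSupportedImage(content, out var mime);
        string verdict = ok ? "accepted as " + mime : "rejected, not a supported image";
        Console.WriteLine($"{label}: {verdict} (stream position after check: {content.Position})");
    }
}
```

Call site: in a class that derives from AccountAppService and replaces it through ABP's dependency injection attributes ([Dependency(ReplaceServices = true)] and [ExposeServices(typeof(AccountAppService))]), override SetProfilePictureAsync; when input.Type is ProfilePictureType.Image, run IsSupportedImage on input.ImageContent.GetStream() and throw a BusinessException or UserFriendlyException on failure, then call base.SetProfilePictureAsync(input). The derived class must forward the base constructor's dependencies, whose list varies between ABP versions, so it is not shown here. A signature check is a cheap first filter; fully decoding the image (as the compressor already does) is the stronger test, since a file can carry a valid image header and still contain other content. Independently of the upload check, keep the conditions the last answer lists true on the serving side: send the stored object with an image Content-Type and the X-Content-Type-Options: nosniff header so a browser never interprets it as anything else.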