nhost/hasura-storage

how to do virus scan on uploaded files

mostafashr opened this issue · 2 comments

Is it possible to do virus scan on uploaded files in hasura storage?
all files in our case is image and I wonder whether it is possible for anyone to inject a virus in the files stored and make a problem for other users and our server? any user can see other users' images in our use case.
Is it possible to only allow image upload in the Hasura storage API?

Is it possible to do virus scan on uploaded files in hasura storage?

not natively but you could set an event trigger that calls a serverless function that performs the antivirus check

I wonder whether it is possible for anyone to inject a virus

to the best of my knowledge a virus could be stored in an image but it shouldn't be possible to execute it (unless the user opened the image with a malicious image viewer, but then, the user is already infected). There are buffer overflow type of attacks that may cause some problems but modern image viewers should have protections against those. When it comes to images in particular you are not more exposed downloading images from a website than you'd be from your messenger, whatsapp, imessage, etc... Unless you expect to have very high profile users (in which case I'd suggest you to talk with a security expert) I'd consider this to be a very low risk issue.

P:S: I am not a security expert and I'd advise against treating this as a security assessment, recommendation or advise, these are just my own thoughts.

Is it possible to only allow image upload in the Hasura storage API?

Not right now but it shouldn't be too difficult to allow you to do a custom check on UPDATE that only allows the mime_types you want, for instance:

{"_or":[{"mime_type":{"_eq":"image/jpg"}},{"mime_type":{"_eq":"image/png"}}]}

thanks for the fast response.