Forum: Ruby on Rails strategies for securing attachment files from unwanted access

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
apm (Guest)
on 2009-04-07 19:44
(Received via mailing list)
Hi,

we are developing an app for a company and their data has to be
private. There will be different stakeholders with different roles
accesing the application and there will be lots of attachments.

We are using paperclip to upload attachments, which are stored in the
filesystem within the public directory.

Right now, the image_tags are only rendered if you are logged in and
your role allows you to, but you can copy the URL and access the image
any time, even without logging in, because the images are served
directly and there is no controller involved. Also the URLs of images
are pretty simple like "APP_PATH/attachments/8/report.pdf" or
something like that, which makes it easy to guess other file URLs.

So, what can you do to protect people form accessing file they should
not? I have compiled a list of possible strategies we have thought
about or read about on the internet:

1. Generate random names for directories and put the files inside.
Regenerate the random directory names periodically, so attachments are
harder to hit by trying randomly and the URLs have an expiry date/
time. Seems a bit messy, IMHO.

2. Store attachments outside of public and serve them using a
controller and send_file. I think this works for download links but
what about embedding images?

3. Store attachments in DB? Similar to the previous, i guess you would
need a controller to serve the files.

Any suggestions? Any experiences, good or bad?

Cheers!
Frederick C. (Guest)
on 2009-04-07 19:55
(Received via mailing list)
On Apr 7, 4:43 pm, apm <removed_email_address@domain.invalid> wrote:
> Hi,
>
> So, what can you do to protect people form accessing file they should
> not? I have compiled a list of possible strategies we have thought
> about or read about on the internet:
>

> 2. Store attachments outside of public and serve them using a
> controller and send_file. I think this works for download links but
> what about embedding images?
>
That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
send the file, rather than funnelling it through ruby. All your rails
controller does (assuming the person is  authorized) is set a header
in the response saying 'send them this file')

Fred
Jack B. (Guest)
on 2009-04-07 19:59
Oddly enough, I was just reading an article about how to pull this off
in Nginx right before coming here:

http://ramblingsonrails.com/how-to-protect-downloa...

To do so with Apache just use libxsendfile
Matthew MacLeod (Guest)
on 2009-04-07 20:23
(Received via mailing list)
On 7 Apr 2009, at 16:43, apm wrote:

> 2. Store attachments outside of public and serve them using a
> controller and send_file. I think this works for download links but
> what about embedding images?

There shouldn't be any reason that you can't get this to work for
images.

One of the other possible approaches, if it suits, is to server the
images from Amazon S3. This allows you to generate an expiring URL for
downloading the image.

-Matt
Alberto P. (Guest)
on 2009-04-07 20:53
(Received via mailing list)
> That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
> send the file, rather than funnelling it through ruby. All your rails
> controller does (assuming the person is  authorized) is set a header
> in the response saying 'send them this file')

How does X-Sendfile behave when turned on and using mongrel for
development on the local machine?
Will mongrel serve the file or not?
Maybe it makes sense to turn X-Sendfile off in config/environments/
development.rb to have mongrel serve the files when developing?
Frederick C. (Guest)
on 2009-04-07 21:16
(Received via mailing list)
On 7 Apr 2009, at 17:52, Alberto P. wrote:

>
>> That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
>> send the file, rather than funnelling it through ruby. All your rails
>> controller does (assuming the person is  authorized) is set a header
>> in the response saying 'send them this file')
>
> How does X-Sendfile behave when turned on and using mongrel for
> development on the local machine?
> Will mongrel serve the file or not?

Mongrel will ignore that. Personally I run via apache in development,
so it all works as in production
>
> Maybe it makes sense to turn X-Sendfile off in config/environments/
> development.rb to have mongrel serve the files when developing?

Sounds reasonable if it doesn't match your development setup.
This topic is locked and can not be replied to.