Authorized users with unregulated File upload and download access.
Hi all. The application in question recently went through a security analysis and it was discovered that an user can upload and download files via the /file request handler. This can potentially expose the application to some malicious code uploaded via this endpoint. So my question is how do I implement restrictions to prevent this.
The entity that hold the documents in your model should always inherit from filedocuments. You should prohibit in the access rules that the user can create new items. Then when uploading documents do always that first in a temp object. Then you can do virus checks on that document with a third party API. When all is wel you then copy the file over to the end location with a microflow.