I recently noticed that the PersistentResource table of one Neos installation contains over 100000 rows. Some of these files contain SQL commands, which look like an attempted SQL injection. Luckily it does not work, because the SQL commands are never executed, but the files are kept anyway.
I think the reason for these files is a public form with a FileUpload field. The field has a FileTypeValidator with some allowedExtensions, and the form also has a captcha field.
The problem is: if I select an invalid file (e.g. an evil-sql.txt file, where txt is not in the list of allowed extensions) and submit the form, the file is added to the PersistentResource table and only validated after that. So if any validator adds an error (regardless of whether it is the captcha validator or the file validator), the file evil-sql.txt is still saved as a
I looked at the FileTypeValidator class and I am wondering how I could avoid creating the PersistentResources if the validation fails. Since the isValid method already expects a PersistentResource, I think that the PersistentResource is already persisted before it has been validated.
Is this a “by design” issue?
Can I work around this problem?
I thought about deleting all PersistentResources which are not referenced by any Asset or Thumbnail, but what if another extension references PersistentResources? I might delete files that are still referenced (depending on the foreign key definition).
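As an added example that is not part of the original post: two audit queries for the cleanup idea above. They assume MySQL/MariaDB and the default Doctrine table names of a Neos installation (the resource, Asset and Thumbnail tables named below are assumptions; adjust them if your mapping differs). Query 1 enumerates every foreign key that points at the resource table, so references from other packages are found from the schema instead of guessed; query 2 only lists the unreferenced candidates and deletes nothing.

```sql
-- Added example, not code from the original post or from Neos/Flow itself.
-- Assumes MySQL/MariaDB and the default table names of a Neos installation.

-- 1. Which tables hold a foreign key onto the resource table at all?
--    This answers "what if another package references PersistentResources"
--    from the schema itself (Asset, Thumbnail, or anything else), and shows
--    the DELETE_RULE so you know whether a delete would cascade, be
--    restricted, or leave dangling references.
SELECT k.TABLE_NAME, k.COLUMN_NAME, k.CONSTRAINT_NAME, rc.DELETE_RULE
FROM information_schema.KEY_COLUMN_USAGE k
JOIN information_schema.REFERENTIAL_CONSTRAINTS rc
  ON rc.CONSTRAINT_SCHEMA = k.CONSTRAINT_SCHEMA
 AND rc.CONSTRAINT_NAME = k.CONSTRAINT_NAME
WHERE k.TABLE_SCHEMA = DATABASE()
  AND k.REFERENCED_TABLE_NAME = 'neos_flow_resourcemanagement_persistentresource';

-- 2. Candidate orphans: resources referenced by neither an Asset nor a
--    Thumbnail. Add one more LEFT JOIN (plus IS NULL condition) for every
--    table that query 1 reports before trusting this list.
SELECT r.persistence_object_identifier, r.filename, r.sha1
FROM neos_flow_resourcemanagement_persistentresource r
LEFT JOIN neos_media_domain_model_asset a
  ON a.resource = r.persistence_object_identifier
LEFT JOIN neos_media_domain_model_thumbnail t
  ON t.resource = r.persistence_object_identifier
WHERE a.persistence_object_identifier IS NULL
  AND t.persistence_object_identifier IS NULL
ORDER BY r.filename;
```

Two caveats when acting on the result: deleting rows directly in the database leaves the files in the resource storage (Data/Persistent/Resources by default) untouched, so the removal is better done through Flow's ResourceManager, which also takes care of the storage file; and a resource that is unreferenced right now may belong to a form submission that is still in progress, so run the cleanup against resources that have been orphaned for a while rather than against a live snapshot.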