Hi, we are developing an app for a company and their data has to be private. There will be different stakeholders with different roles accessing the application and there will be lots of attachments. We are using paperclip to upload attachments, which are stored in the filesystem within the public directory. Right now, the image_tags are only rendered if you are logged in and your role allows you to, but you can copy the URL and access the image any time, even without logging in, because the images are served directly and there is no controller involved. Also the URLs of images are pretty simple like "APP_PATH/attachments/8/report.pdf" or something like that, which makes it easy to guess other file URLs.

So, what can you do to protect people from accessing files they should not? I have compiled a list of possible strategies we have thought about or read about on the internet:

1. Generate random names for directories and put the files inside. Regenerate the random directory names periodically, so attachments are harder to hit by trying randomly and the URLs have an expiry date/time. Seems a bit messy, IMHO.

2. Store attachments outside of public and serve them using a controller and send_file. I think this works for download links but what about embedding images?

3. Store attachments in DB? Similar to the previous, I guess you would need a controller to serve the files.

Any suggestions? Any experiences, good or bad?

Cheers!

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2009-Apr-07 15:51 UTC
Re: strategies for securing attachment files from unwanted access
On Apr 7, 4:43 pm, apm <alberto.perd...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> So, what can you do to protect people from accessing files they should
> not? I have compiled a list of possible strategies we have thought
> about or read about on the internet:
>
> 2. Store attachments outside of public and serve them using a
> controller and send_file. I think this works for download links but
> what about embedding images?

That but use X-Sendfile or X-accel-redirect: this makes apache/nginx send the file, rather than funnelling it through ruby. All your rails controller does (assuming the person is authorized) is set a header in the response saying 'send them this file'.

Fred
Jack Bauer
2009-Apr-07 15:59 UTC
Re: strategies for securing attachment files from unwanted access
Oddly enough, I was just reading an article about how to pull this off in Nginx right before coming here: http://ramblingsonrails.com/how-to-protect-downloads-but-still-have-nginx-serve-the-files

To do so with Apache just use libxsendfile.

--
Posted via http://www.ruby-forum.com/.
Matthew MacLeod
2009-Apr-07 16:05 UTC
Re: strategies for securing attachment files from unwanted access
On 7 Apr 2009, at 16:43, apm wrote:
> 2. Store attachments outside of public and serve them using a
> controller and send_file. I think this works for download links but
> what about embedding images?

There shouldn't be any reason that you can't get this to work for images.

One of the other possible approaches, if it suits, is to serve the images from Amazon S3. This allows you to generate an expiring URL for downloading the image.

-Matt
Alberto Perdomo
2009-Apr-07 16:52 UTC
Re: strategies for securing attachment files from unwanted access
> That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
> send the file, rather than funnelling it through ruby. All your rails
> controller does (assuming the person is authorized) is set a header
> in the response saying 'send them this file'.

How does X-Sendfile behave when turned on and using mongrel for development on the local machine? Will mongrel serve the file or not?

Maybe it makes sense to turn X-Sendfile off in config/environments/development.rb to have mongrel serve the files when developing?
Frederick Cheung
2009-Apr-07 17:15 UTC
Re: strategies for securing attachment files from unwanted access
On 7 Apr 2009, at 17:52, Alberto Perdomo wrote:
>
>> That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
>> send the file, rather than funnelling it through ruby. All your rails
>> controller does (assuming the person is authorized) is set a header
>> in the response saying 'send them this file'.
>
> How does X-Sendfile behave when turned on and using mongrel for
> development on the local machine?
> Will mongrel serve the file or not?

Mongrel will ignore that. Personally I run via apache in development, so it all works as in production.

> Maybe it makes sense to turn X-Sendfile off in config/environments/
> development.rb to have mongrel serve the files when developing?

Sounds reasonable if it doesn't match your development setup.
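Added example, not code from the thread: a plain-Ruby sketch of the approach Fred describes and of the development toggle discussed in the last two messages. The controller-side check authorizes the request, resolves the file from a store outside public/, and either sets the X-Sendfile header for apache/nginx to act on or streams the bytes itself when the front server would ignore the header (as mongrel does). The role table, attachment records and file paths are constructed placeholders, not the poster's schema; in Rails the header-setting part is what send_file does with its X-Sendfile support.

```ruby
require "pathname"
require "tmpdir"

# Constructed sample ACL: role => attachment kinds it may see (hypothetical).
ROLE_ACCESS = {
  "admin"   => %w[report internal],
  "auditor" => %w[report],
  "guest"   => []
}.freeze

# Files live outside public/, so the web server never serves them directly.
STORAGE_ROOT = Pathname.new(Dir.mktmpdir("attachments")).realpath

# Constructed attachment records: id => metadata with a relative path.
ATTACHMENTS = {
  8 => { file: "8/report.pdf", kind: "report", mime: "application/pdf" }
}.freeze

ATTACHMENTS.each_value do |a|
  path = STORAGE_ROOT + a[:file]
  path.dirname.mkpath
  path.write("%PDF-1.4 constructed sample\n")
end

# Returns [status, headers, body] for a request by `role` for attachment `id`.
# use_x_sendfile: true behind apache/nginx; false for mongrel in development,
# where the header is ignored and the Ruby process must send the bytes itself.
def serve_attachment(role, id, use_x_sendfile: true)
  meta = ATTACHMENTS[id]
  return [404, {}, ""] unless meta
  # Authorization happens here, in the controller, not in the filesystem.
  return [403, {}, ""] unless ROLE_ACCESS.fetch(role, []).include?(meta[:kind])

  path = (STORAGE_ROOT + meta[:file]).cleanpath
  # Defence in depth: the resolved path must stay inside the storage root.
  inside = path.to_s.start_with?(STORAGE_ROOT.to_s + "/")
  return [404, {}, ""] unless inside && path.file?

  headers = {
    "Content-Type"        => meta[:mime],
    # "inline" lets browsers embed images/PDFs rather than force a download.
    "Content-Disposition" => %(inline; filename="#{File.basename(meta[:file])}")
  }
  if use_x_sendfile
    # mod_xsendfile (apache) or X-Accel-Redirect (nginx) picks this up and
    # sends the file; the Ruby side returns an empty body.
    [200, headers.merge("X-Sendfile" => path.to_s), ""]
  else
    [200, headers, path.read]
  end
end
```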