My Streamlit application has a CSV upload functionality that reads the file and saves its contents to a database table. I use Streamlit’s st.file_uploader, which sends a POST request to /_stcore/upload_file in the background. Our upload feature is used to read a CSV file; the files are just loaded into memory and are not saved.
In the front-end I can restrict other file types from upload by specifying the type on st.file_uploader, which works fine.
However, this file type verification measure was found to be implemented only on the client side. It is therefore possible to bypass this control and upload files that could contain malware or be used to mount further attacks. That means someone can send the POST request used to upload files directly to the application without the use of a web browser. This bypass method can be used to upload Windows executable files using the below POST request:
POST /_stcore/upload_file HTTP/1.1
This request will return HTTP 200, indicating that the file upload was successful. This response had the same format as when a valid CSV file was uploaded.
So my question is, does it cause any security vulnerabilities, and if so, how can we prevent them? Could anyone suggest solutions/hacks for this security vulnerability?
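An added example, not part of the original post: one way to re-check the upload on the server before anything reaches the database, since the `type` restriction described above is only applied in the browser. The function name, the size limit and the column names are assumptions for illustration; in a Streamlit script it would be called with `uploaded_file.name` and `uploaded_file.getvalue()`.

```python
import csv
import io

MAX_BYTES = 5 * 1024 * 1024                  # assumed size limit
EXPECTED_COLUMNS = ["id", "name", "amount"]  # assumed schema of the target table
# Leading bytes of common binary formats: PE/EXE, ELF, ZIP (also xlsx/docx), PDF
BINARY_MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"%PDF")


class RejectedUpload(ValueError):
    """Raised when the uploaded bytes are not an acceptable CSV."""


def validate_csv_upload(filename: str, data: bytes) -> list[dict]:
    """Return parsed rows, or raise RejectedUpload. Runs on the server."""
    if not filename.lower().endswith(".csv"):
        raise RejectedUpload("extension is not .csv")
    if not data or len(data) > MAX_BYTES:
        raise RejectedUpload("empty or over the size limit")
    if data.startswith(BINARY_MAGIC) or b"\x00" in data:
        raise RejectedUpload("binary content")
    try:
        text = data.decode("utf-8-sig")      # strict decode, tolerates a BOM
    except UnicodeDecodeError:
        raise RejectedUpload("not valid UTF-8 text") from None
    reader = csv.DictReader(io.StringIO(text, newline=""))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise RejectedUpload("unexpected header row")
    rows = []
    try:
        for row in reader:
            # DictReader stores surplus cells under None and fills gaps with None
            if None in row or None in row.values():
                raise RejectedUpload(f"wrong column count on line {reader.line_num}")
            rows.append(row)
    except csv.Error as exc:
        raise RejectedUpload(f"malformed CSV: {exc}") from None
    return rows


if __name__ == "__main__":
    # Constructed samples: a well-formed CSV and bytes that start like a Windows executable
    samples = {"ok.csv": b"id,name,amount\n1,alice,10\n", "renamed.csv": b"MZ\x90\x00\x03"}
    for name, body in samples.items():
        try:
            print(name, "accepted:", validate_csv_upload(name, body))
        except RejectedUpload as why:
            print(name, "rejected:", why)
```

Only the rows returned by the validator should be passed on, and the database insert should use parameterized queries so that cell contents are never interpreted as SQL.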