My streamlit application has a csv upload functionality that reads the file and saves its contents to a database table. I use streamlit’s st.file_uploader, which sends a POST request to /_stcore/upload_file in the background. Our upload feature is used to read csv file, the files are just loading into memory and not being saved.

In the front-end I can restrict other file types from upload by specifying the type on st.file_uploader and which works fine.

However, this filetype verification measure was found to be implemented only on the client side. It will therefore possible to bypass this control and upload files that could contain malware or be used to mount further attacks. That means, someone can send POST request used to upload files directly to the application without use of a web browser. This bypass method can be used to upload Windows executable files using the below POST request

POST /_stcore/upload_file HTTP/1.1

This request will return HTTP 200, indicating that the file upload was successful. This response had the same format as when a valid CSV file was uploaded.

So my question is, does it cause any security vulnerabilities, and if so, how can we prevent them? Could anyone suggest solutions/hacks for this security vulnerability?

Hey @George_Mathew,

Thank you so much for sharing this issue!

I want to make sure I fully understand it: are you finding that when you restrict the filetype using st.file_uploader, users are still able to upload other filetypes by making a POST request to /_stcore/upload_file HTTP/1.1?

Yes, exactly. Users are still able to upload other filetypes by making a POST request to /_stcore/upload_file

Seems like there is no restriction on filetypes in the back-end (/_stcore/upload_file)

Thank you for the extra clarification! I’ve created a GitHub Issue so our product and engineering teams can take a look here

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.