I am using a web service (call it X) which allows files to be uploaded to AWS S3.
The way it works is that an initial call is made to X, which then returns a list of file descriptors and also meta information which should be injected as hidden fields into the web form that the user is presented with to choose a file to upload. One of these hidden fields is the URL of the S3 bucket where the file will be uploaded to.
When the user chooses a file and clicks submit, the file is sent as byte streams to the S3 location.
I see two security concerns here:
Is this paranoia or actual real security concerns?
If the security measures were taken on both the client side and the server side, there shouldn't be any problem. All web services should implement these things:
So if you are using a third-party service, just check its documentation or ask its developers directly.
Please note that setting a field hidden in the form is not a security measure; it is just for UI, so the user doesn't see unnecessary input fields when entering data.
Answered by Soheil on December 7, 2020
actual real security concerns?
This depends on whether or not the application is properly secured.
When all of the above is true, and/or set up correctly, I don't see why this shouldn't be less or more secure than having the url already pre-set in the web application.
It would be preferable if service X was under the same control of the owner of the web application itself, since things like "trustworthiness" may change over time.
Just make sure that the application doesn't allow arbitrary upload URLs for assets. I've seen that before, that webpage APIs allowed the user to specify the upload-URL path, making it possible to create signed upload- and even download-links.
Answered by Martin Fürholz on December 7, 2020
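One way to enforce the "no arbitrary upload URLs" point from the answer above, as an added example that is not code from either answer or from service X: a server-side check that the bucket URL (as returned by X, or as echoed back from the hidden field) is the exact HTTPS endpoint the application expects. The bucket host name, the function name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the single S3 endpoint this application uploads to (constructed name).
ALLOWED_HOSTS = {"example-uploads.s3.eu-west-1.amazonaws.com"}


def check_upload_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for an upload URL before it is used or signed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    # "https://allowed-host@other-host/" parses with other-host as the real host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a suffix or substring test would accept
    # "allowed-host.other-domain.example".
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    samples = [
        "https://example-uploads.s3.eu-west-1.amazonaws.com/",
        "http://example-uploads.s3.eu-west-1.amazonaws.com/",
        "https://example-uploads.s3.eu-west-1.amazonaws.com@files.example.net/",
        "https://example-uploads.s3.eu-west-1.amazonaws.com.files.example.net/",
        "https://example-uploads.s3.eu-west-1.amazonaws.com:8443/",
    ]
    for s in samples:
        print(check_upload_url(s), s)
```

Because a hidden field can be edited by the user, the check belongs on the server, both when the value arrives from X and before any request is signed for it.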