This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 66%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Hi!
I have a website where on certain pages the user can (through checks in the controller method):
All image files are saved in wwwroot\Images in subfolders.
Can I somehow protect these pages from embedding malicious code, iframes, viruses, and so on?
For example, can I just somehow prevent any code from running in files in the wwwroot\Images folder?
I tried using CSP, but it's just kind of AWFUL - everything breaks and nothing works on these pages.
Who, in general, came up with this nightmare - CSP, this is some kind of mockery of common sense.
Does CKEditor protect itself from malicious content that is uploaded to the server using it?
Probably not, judging by this explanation (but this is again CSP that cannot be embedded - it creates a nuclear explosion on the pages of the site):
Content Security Policy
https://ckeditor.com/docs/ckeditor5/latest/installation/advanced/csp.html
Why do websites and interactivity in browsers are created at all, if it's all impossible to somehow protect?
So that special services, hackers and others can hack anyone at any time and take everything they need?)))
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 3%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQG%3C/text%3E%3C/svg%3E)
Hi @Volk Volk ,
To protect your ASP.NET Core application from these risks, you can implement the following security measures:1. Authentication and Authorization: Allow only authenticated users to upload files. If needed, you can restrict uploads to specific roles, such as admins or operators. 2. File Extension Validation: Verify and allow only specific file extensions. For example, you can restrict uploads to PDF and TXT files. 3. File Size Limit: Set a maximum file-size limit to prevent huge uploads that could lead to DoS attacks. 4. Randomized File Names: Generate random filenames for uploaded files before saving them to prevent overwriting existing files.
I have all this already implemented. I need to protect pages from loading in images of viruses and javascript inserts.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
for images you typically use a hardened image converter. That is you read the image, then write back out.
you just should not allow javascript. if uploaded, then to the browser its trusted because it comes from the same site.
most web site protection is focused on user hacking the code, not the site editor. this form is an example of the restrictions required to allow users to author html fragments.
As far as I understand, everything is already protected (without CSP and file restrictions in wwwroot\Images), but I have to attach (additionally) a hardened converter to upload images. Yes? Please give me a link to an example with a hardened converter for upload images (in C#)? Thanks!
As far as I understand, everything is already protected (without CSP and file restrictions in wwwroot\Images), but I have to attach (additionally) a hardened converter to upload images. Yes? Please give me a link to an example with a hardened converter for upload images (in C#)? Thanks!
Hi @Volk Volk ,
ASP.NET Core supports uploading one or more files using buffered model binding for smaller files and unbuffered streaming for larger files. You can have a look at Upload files in ASP.NET Core . Besides, you can have a look at : https://github.com/JayKrishnareddy/ScanFiles_AntiVirus ,it demonstrates a way to protect our files/documents from viruses before they got uploaded to a storage location.
Is this action somehow already protecting the server from downloading images that carry viruses or other programs?
How do I convert file to image in .NET Core? https://stackoverflow.com/questions/44242653/how-do-i-convert-file-to-image-in-net-core
or:
var image = Image.FromStream(Avatar.OpenReadStream())
Or is it desirable to additionally check the image with an antivirus?https://github.com/JayKrishnareddy/ScanFiles_AntiVirus
I connected everything in Win 10, but I don't understand why clamav in net.core doesn't work for me. What process should I run in the clamav folder so that net.core can work with it? I asked this question to the author here, but he does not answer. Maybe someone knows, tell me.
https://www.c-sharpcorner.com/article/antivirus-protection-scan-on-document-upload-in-net/
I installed clamav on Windows using clamav-1.2.1.win.x64.msi. The installer just unlocked the files to my folder C:\Program Files\ClamAV. Next, I updated the database using the freshclam command. But in Net.Core project (according to your second option without docker image) I always get an error in "catch (Exception ex)": ErrorCode = 10061, Connection failed because the destination computer rejected the connection request. How do I run clamav to Net.Core project saw it and turned to it to check the file for viruses? What am I doing wrong? Thanks!
Many thanks to everyone! I figured out how to install ClamAV. The code works, the virus scan works. The question is closed. :)