
File upload security issues #16867


Closed
5 tasks done
ZeroZ-lab opened this issue Mar 26, 2025 · 1 comment · Fixed by #16869
Labels: 🐞 bug (Something isn't working), vulnerablity

Comments

@ZeroZ-lab
Contributor

Self Checks

  • This is only for bug report, if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • [FOR CHINESE USERS] Please be sure to submit the issue in English, otherwise it will be closed. Thank you! :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

1.1.3

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

Filenames with special characters are allowed for upload, but obtaining the file extension through text splitting is insufficiently safe.

Examples:

a*a.jpg
a/a.jpg
etc

✔️ Expected Behavior

No response

❌ Actual Behavior

No response


dosubot bot commented Mar 26, 2025

The issue raised by @ZeroZ-lab highlights a potential security concern with Dify's file upload functionality, specifically regarding the handling of filenames with special characters. The concern is that obtaining the file extension through text splitting may not be sufficiently safe, especially for filenames like "a*a.jpg" or "a/a.jpg".

Currently, Dify validates file extensions against a predefined list of image extensions, but it seems there might be a need for more robust handling of filenames with special characters to ensure security [1].

To address this, consider implementing additional checks or sanitization processes for filenames beyond just extension validation. This could involve using more secure methods for extracting file extensions that account for special characters and potential edge cases.

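An added example, not part of the original thread and not Dify's code: it contrasts the text-splitting extension lookup described in the issue with a check that validates the whole filename before trusting its extension. It goes beyond the two reported names to cover control characters, Unicode look-alikes and trailing dots. The names `FORBIDDEN_CHARS`, `ALLOWED_EXTENSIONS`, `naive_extension`, `safe_extension` and `is_accepted`, the 255-character limit and the sample allow-list are all assumptions.

```python
import os
import unicodedata

# Assumption: characters to reject (path separators, wildcards, reserved on Windows).
FORBIDDEN_CHARS = set('/\\:*?"<>|')
# Assumption: sample allow-list; the thread only says a predefined image list exists.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def naive_extension(filename: str) -> str:
    """Text splitting as described in the issue: the name itself is never checked."""
    return filename.split(".")[-1].lower()


def safe_extension(filename: str) -> str:
    """Validate the whole filename, then return its allow-listed extension."""
    # Fold compatibility forms first, e.g. fullwidth '／' (U+FF0F) becomes '/'.
    name = unicodedata.normalize("NFKC", filename)
    if not name or len(name) > 255:
        raise ValueError("empty or overlong filename")
    if any(ch in FORBIDDEN_CHARS or unicodedata.category(ch) == "Cc" for ch in name):
        raise ValueError("forbidden or control character in filename")
    if name != name.strip(" ."):
        raise ValueError("leading or trailing dot/space")
    ext = os.path.splitext(name)[1][1:].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allow-list")
    return ext


def is_accepted(filename: str) -> bool:
    """True when safe_extension() accepts the name, False when it rejects it."""
    try:
        safe_extension(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; the first two are the examples from the issue.
    for sample in ["a*a.jpg", "a/a.jpg", "a\uff0fa.jpg", "a.jpg\x00.png", "a.jpg.", "photo.JPG"]:
        print(repr(sample), "naive:", naive_extension(sample), "accepted:", is_accepted(sample))
```

Rejecting the name outright, rather than stripping characters from it, avoids two different uploads collapsing to the same stored filename.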
