Direct to S3 with client-side validations

Question

We are using s3_file_field to upload videos directly to S3, and we are planning on using client side validations to make sure the uploads are within our size restrictions, but I'm worried that a hacker might be able to turn JS off, and upload a 500GB file to our S3 bucket.

In the past, whenever I've used client-side validations, I've also had server-side validations backing them up, so I've never been too concerned about users turning JS off, but we can't have server-side validations here as we're going directly to S3.

How easy is it for a hacker to get around client side validations? Is it just a case of turning JS off? Would it help if we disabled our upload form when JS is disabled?

Should we be implementing a worker or observer to sweep uploaded videos, and run validations on them sometime after they've been uploaded, and before they can be accessed by users?

Answer 1

There aren't any maximum file upload size constraints that you can place on an S3 bucket, per se. As far as I can find, there aren't any AWS policy provisions for that.

But S3 supports CORS, which is what s3_file_field uses to make this direct upload work. If S3 supports the content-length-range policy element of CORS, you can add that and then are probably covered.

Also s3_file_field is actually an extension of jQuery File Upload, and that has various validation options, including max_file_size as documented here. In s3_file_field the default max_file_size is 500 megabytes and it appears you can override it.

Either way, if a user disables javascript, then they won't be able to run JQuery File Upload, which means they shouldn't be able to upload anything at all via CORS.

Just make sure you specify the AllowedOrigin in production, as stated in the s3_file_field docs.

Answer 2

The client side size check can of course be overwritten. However whenever you do a straight to s3 upload there is a policy document (signed with your aws credentials) specifying what is allowed and is not allowed.

In particular you can set limits on the file size. It looks like s3_file_field sets that up properly so even if someone circumvents the client side check, s3 would reject the upload because it wouldn't match the policy.