The fun with the Slack continues (context: https://devrant.com/rants/5552410/...).

I got in touch with their support (VERY pleasant experience!). Turns out, even though I specify a `filetype` when uploading a file via Slack's API, Slack ignores it and still scans the payload and tries to determine its type itself. They say Slack needs to be absolutely certain that the file will be readable within Slack.

IDK about you, but that raises some flags for me. I again have that itch to password-zip all the files I'm sending over.

I've raised this concern to the support rep. Waiting for his comments.

  • 0
    I can totally understand the reason, you assume that the data being sent to the API is invalid in some form so you verify it again on the server.

    You have to assume that your user doesn't understand most file types or what they mean, so depending on the user to get the right file type is not a good thing. Otherwise your just creating a classic garbage in, garbage out scenario.

    For example, have a non-technical person explain the difference between .doc and .docx file types.
  • 2
    @TestInProd423 the filetype parameter is optional. If it's not supplied, slack determines it automatically. And if you explicitly specify a filetype - slack apparently still sometimes tries to guess the file type itself.

    Does that still make sense? Giving user an ability to optionally specify a file type and disregard what the user specifies there anyway? It doesn't for me
  • 2
    That's reasonably too as the user might be saying the file is a picture but it's a malicious PHP shell instead (just an example). Ensuring the uploaded file type is correct is important to prevent undesired garbage/threats in...

    Edit: also, they don't need to open your files, there are many ways (standard ones) in which they can just read some bytes and guess the file type...
  • 0
    @realngnx there are. But either these tools fail at distinguishing a csv from a python file, or they have an in-house soln that fails so
  • 0
    @realngnx I doubt Slack fails to upload an invalid/malicious .jpg file... I sure should give it a try tomorrow

    Edit: using libmagic et al does not eliminate threats
  • 0
    Wowzer we really do suck at producing
Add Comment