Hi,


First of all, we are using OS Version 11.7.3 (Build 7036) on premise with our Fortinet firewall.

We are trying to open up the possibility for our users to upload files from our public OutSystems application to our internal, very secure back-office application.

We have noticed that our Traditional web uploads end up going through our virus scanner in the firewall. The Reactive web uploads do not get picked up by our virus scan. I dove into the virus scanner and it does not seem to check Base64-type files. I've tried to look at the network POST in Chrome, see screenshots:

Traditional web

Reactive web

So now I have a load of questions because I could not find how OutSystems does an upload exactly:

  1. How does the new Reactive upload differ from the old Traditional web one?
  2. Does the Reactive upload really convert binaries to JSON/Base64, and is there a way to influence this?
  3. I've come across this post and they speak of a Base64 upload vs a Buffer upload. It seems they consider the buffer one superior because it does not need converting. Any thoughts?

I hope someone could shine a little light on this case.


Greetings, Robert





Well, for starters, Traditional web uses a POST submit method, which is why you had to set your upload buttons to Submit; Ajax Submit wouldn't work.

In Mobile and Reactive you gotta call a server action to handle this request (as instructed here). I'm guessing internally OutSystems does this by creating a REST API to be called, and if the server action takes an input parameter of the BinaryData type, it automatically converts to base64 for the send. I can't say for sure.

You might have to modify your server action somehow?

Yes, it makes sense that it is different because it has to convert to something REST handles more easily. However, if I want the virus scanner to pick up potential viruses as soon as possible, this mechanism is now a risk.

After the REST call it will still be processed in the same way as the traditional one, only now it has already bypassed the first line of defense. I have no clue how to modify the server action in such a way that it is any different.

I think other OutSystems developers that are also upgrading to Reactive should be warned that their application is not as secure as they thought it was on Traditional.
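To make the difference concrete, here is an added illustration (not code from this thread or from OutSystems) of why a perimeter scanner that only matches raw request bytes sees the Traditional multipart upload but misses the same file when the Reactive path, as Mariano describes it, ships it as base64 inside a JSON body; both request shapes, the JSON field names and the "signature" pattern are constructed assumptions.

```python
"""Raw-byte matching vs. decoding-aware matching on the two upload shapes.
Added example; request bodies, field names and the signature are constructed."""
import base64
import binascii
import json
import re

# Constructed stand-in for the byte pattern a signature scanner looks for.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE"
FILE_BYTES = b"%PDF-1.4\n" + TEST_SIGNATURE + b"\n%%EOF\n"


def build_multipart_body(filename: str, data: bytes) -> bytes:
    """Traditional web: form POST, file bytes sent verbatim in a multipart part."""
    boundary = b"----constructed-boundary"
    return (b"--" + boundary + b"\r\n"
            + b'Content-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\n'
            + b"Content-Type: application/octet-stream\r\n\r\n"
            + data + b"\r\n--" + boundary + b"--\r\n")


def build_json_body(filename: str, data: bytes) -> bytes:
    """Reactive web as the thread describes it: server action called over REST,
    BinaryData input serialised as a base64 string in JSON (field names assumed)."""
    return json.dumps({"Filename": filename,
                       "Content": base64.b64encode(data).decode("ascii")}).encode()


def raw_scan(body: bytes) -> bool:
    """What a scanner that only matches raw bytes in the request body sees."""
    return TEST_SIGNATURE in body


# Any JSON string value that looks like base64 (16+ chars, optional padding).
_B64_FIELD = re.compile(rb'"([A-Za-z0-9+/]{16,}={0,2})"')


def decoding_scan(body: bytes) -> bool:
    """Same match, but also tried on every base64-looking string value.
    This is the extra step a gateway or the receiving server action needs."""
    if raw_scan(body):
        return True
    for m in _B64_FIELD.finditer(body):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all, skip it
        if TEST_SIGNATURE in decoded:
            return True
    return False
```

Running `raw_scan` over `build_multipart_body("form.pdf", FILE_BYTES)` returns True, over `build_json_body("form.pdf", FILE_BYTES)` it returns False, and `decoding_scan` returns True for both; that gap is exactly what the firewall scanner in the thread is missing.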

Okay, well, that is a fair assessment, but which kind of files are you handling that could be a potential security risk? The server just stores the binary data as it is uploaded; it will never attempt to run something, as far as I know.

Mariano Picco wrote:

Okay, well, that is a fair assessment, but which kind of files are you handling that could be a potential security risk? The server just stores the binary data as it is uploaded; it will never attempt to run something, as far as I know.

In our case customers upload files they have filled out and send them with their customer portal to our back-office portal, where the employees open the files to review them. So the files do get opened. And I know we have more security measures in the chain, but the first link in the chain gets killed now with the Reactive upload.


Robert Hantink wrote:

Mariano Picco wrote:

Okay, well, that is a fair assessment, but which kind of files are you handling that could be a potential security risk? The server just stores the binary data as it is uploaded; it will never attempt to run something, as far as I know.

In our case customers upload files they have filled out and send them with their customer portal to our back-office portal, where the employees open the files to review them. So the files do get opened. And I know we have more security measures in the chain, but the first link in the chain gets killed now with the Reactive upload.



I understand; unfortunately I have no suggestions on how to force your virus scanner to intercept base64-encoded stuff. But since the files will be downloaded to other machines and locally scanned, I wouldn't worry too much about it.

Mariano Picco wrote:

I understand; unfortunately I have no suggestions on how to force your virus scanner to intercept base64-encoded stuff. But since the files will be downloaded to other machines and locally scanned, I wouldn't worry too much about it.

"I wouldn't worry too much about it." You haven't met our security officer. :D

But I appreciate your help so far, thank you.