Any general advice on making sure a nefarious actor can't (easily) mess with our Shiny app via the upload widget?
We're building a Shiny web app hosted on shinyapps.io that will be public facing and are worried about the possibility of viruses in uploaded files or DOS attacks, given what we've read about similar upload security issues for Wordpress sites. Our app will need to accept fairly large .zip files (up to 100 MB, usually more than 10 MB).
So far we've considered a few things:
- Restrict types of uploads (unfortunately, we're looking for .zip files, which leaves lots of room for trouble)
- Use wand to check file types after unzipping ('good' zip files submitted to our site will only have csv tables)
- Requiring a form entry before upload to collect contact info, some sort of CAPTCA system, or email confirmation process.
[Note that we read the SQL injection page on the Shiny site, but it doesn't apply to this app]
Any ideas/info on:
- Things shiny or shinyapps.io is doing behind the scenes to keep our site safe, such that we shouldn't worry about this?
- Other R packages or systems out there we could use to conduct actual virus checks?
- Implementing a CAPTCHA-style system or email confirmation process through Shiny?
Many thanks in advance!
Hi,
Very interesting topic. I'd love to hear what some of the experts on here would have to say on this!
The only thing I can come up with at the moment is using a virus scan API like this one for example. You can have the files checked by the API before you use them. I have never tried this, but might be worth looking into... Of course you'll have to pay as soon as you have a fancy API or many calls / month.
PJ
1 Like
Ooh, clever idea, hadn't thought of using an API for a virus scan! Will check that out -- hopefully the API requests won't slow the app's processing steps down too much, but I think we could work around that.
Yes, any other thoughts from the community on bulletproofing (or trying to... ) a Shiny app around uploads would be great!
Just out of curiosity, if you are deploying to shinyapps.io and not to your own server, What are your concerns about viruses on the uploads? Since their servers are professionally managed I would bet they have counter messures for this kind of situation.
I agree with @andresrcs that the security would only be an issue on shinyapps.io if the data you're collecting is somehow sensitive. In that case a public service like that would not be the best for hosting your files as you have no control over their servers and I'm sure from a legal standpoint they are not liable if the data gets stolen somehow.
Otherwise, I think it's indeed very likely they have measures in place. And remember Shiny was primarily developed to give people easy, interactive access to R output, and not to be a secure and guarded system.
PJ
All good points! At the very least, I'd imagine at the very least that restarting an instance would take care of any trouble that gets started, but wasn't entirely sure. Definitely not expecting a Shiny app to be completely bulletproof, but hoping to do whatever due diligence I can here.