5 Comments
Jan 5, 2023 (Liked by Stephen Rees-Carter)

How likely is the risk of someone listing or indexing the files? Since a signed URL can't be revoked (without rotating the app key), isn't using that vs. a long randomly generated filename (that can be changed when needed) quite equivalent from a security perspective? As you mention, the performance aspect can be important, and loading files via Laravel (rather than something like nginx) could even add a DoS vector.

Signed URLs with expiration time definitely add to security, but that could be used even if the files are placed in the public folder. Of course, I also assume the aspect of executing uploaded files as code (e.g. uploading php files) is taken care of.

And just to be clear, I'd recommend not using the local driver at all, and instead use a third party file storage solution as mentioned in the article.

Jan 1, 2023 (Liked by Stephen Rees-Carter)

Thanks for this post Stephen, really helpful!

I did something similar. However, I needed to display the user uploaded images to the user who uploaded them only. So here is how I approached it:

1) Created a storage disk outside of the public folder, and a standard crud controller methods for the user to upload one image to that disk.

2) Created a route that hits a controller action, to show the image

3) used this route in the src attribute of the image tag

4) Protected the route with auth middleware

5) In the controller method, placed a guard clause that checks the authenticated username against the username that is passed in as a route parameter

6) If the check fails, then it aborts with a 404

7) If it passes, then it returns the image as a response

Here is a gist:

https://gist.github.com/colbyalbo/27153a3ce0f8b1582fae8d2ca1811e8a

This definitely has a performance hit, but this page will be accessed infrequently, and will only allow them to have one secure image at a time; I did experiment with allowing the user to upload 10 images, and when I viewed the screen that loads all of the images, the performance hit was definitely noticeable. So, my solution wouldn't be good for multiple images.

Happy New Years & Thanks!

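The route-plus-controller pattern from steps 2 to 7 above, written out as an added example (my own code, not the commenter's gist or the article's). It assumes a local disk named `private` rooted outside `public/`, a `username` column on the users table, and one image per user stored as `avatars/{user_id}.jpg`; the storage path is derived from the authenticated user rather than from the URL so that the route parameter can only ever be compared, never used as a path.

```php
<?php
// Added example: serve a user's private upload only to that user.
// Assumed disk in config/filesystems.php (root is outside public/):
//   'private' => ['driver' => 'local', 'root' => storage_path('app/private')],

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

class PrivateImageController
{
    public function show(Request $request, string $username)
    {
        $user = $request->user(); // set by the auth middleware below

        // Guard clause from step 5: the route parameter must match the
        // logged-in user. Abort with 404 (step 6) rather than 403 so the
        // response does not confirm that another user's image exists.
        abort_unless($user->username === $username, 404);

        // Build the path from the trusted user id, not from the URL, so a
        // crafted {username} can never turn into directory traversal.
        $path = 'avatars/' . $user->id . '.jpg';
        abort_unless(Storage::disk('private')->exists($path), 404);

        // Step 7: stream the file inline. Mark it private/no-store because
        // the response is per-user and must not be cached by shared caches.
        return Storage::disk('private')
            ->response($path, null, ['Cache-Control' => 'private, no-store']);
    }
}

// routes/web.php (step 2 and step 4: route behind the auth middleware)
Route::middleware('auth')
    ->get('/users/{username}/image', [PrivateImageController::class, 'show'])
    ->name('users.image');

// Step 3, in a Blade view: the <img> tag points at the protected route.
//   <img src="{{ route('users.image', ['username' => auth()->user()->username]) }}">
```

Every image request now passes through the full Laravel request cycle (session, auth, controller), which is the per-file cost the commenter observed when loading ten images at once.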