strategies for securing attachment files from unwanted access

Hi,

we are developing an app for a company and their data has to be
private. There will be different stakeholders with different roles
accesing the application and there will be lots of attachments.

We are using paperclip to upload attachments, which are stored in the
filesystem within the public directory.

Right now, the image_tags are only rendered if you are logged in and
your role allows you to, but you can copy the URL and access the image
any time, even without logging in, because the images are served
directly and there is no controller involved. Also the URLs of images
are pretty simple like "APP_PATH/attachments/8/report.pdf" or
something like that, which makes it easy to guess other file URLs.

So, what can you do to protect people form accessing file they should
not? I have compiled a list of possible strategies we have thought
about or read about on the internet:

1. Generate random names for directories and put the files inside.
Regenerate the random directory names periodically, so attachments are
harder to hit by trying randomly and the URLs have an expiry date/
time. Seems a bit messy, IMHO.

2. Store attachments outside of public and serve them using a
controller and send_file. I think this works for download links but
what about embedding images?

3. Store attachments in DB? Similar to the previous, i guess you would
need a controller to serve the files.

Any suggestions? Any experiences, good or bad?

Cheers!

That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
send the file, rather than funnelling it through ruby. All your rails
controller does (assuming the person is authorized) is set a header
in the response saying 'send them this file')

Fred

There shouldn't be any reason that you can't get this to work for images.

One of the other possible approaches, if it suits, is to server the images from Amazon S3. This allows you to generate an expiring URL for downloading the image.

-Matt

That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
send the file, rather than funnelling it through ruby. All your rails
controller does (assuming the person is authorized) is set a header
in the response saying 'send them this file')

How does X-Sendfile behave when turned on and using mongrel for
development on the local machine?
Will mongrel serve the file or not?
Maybe it makes sense to turn X-Sendfile off in config/environments/
development.rb to have mongrel serve the files when developing?

That but use X-Sendfile or X-accel-redirect: this makes apache/nginx
send the file, rather than funnelling it through ruby. All your rails
controller does (assuming the person is authorized) is set a header
in the response saying 'send them this file')

How does X-Sendfile behave when turned on and using mongrel for
development on the local machine?
Will mongrel serve the file or not?

Mongrel will ignore that. Personally I run via apache in development, so it all works as in production

Maybe it makes sense to turn X-Sendfile off in config/environments/
development.rb to have mongrel serve the files when developing?

Sounds reasonable if it doesn't match your development setup.