Oracle APEX Blog

Best Practices for Handling File Uploads with Oracle APEX

Written by Joe Marley | Nov 12, 2024 1:31:28 PM

Introduction

File uploads are a common requirement in many applications. With Oracle APEX, implementing file uploads is very straightforward, but following best practices ensures good levels of security, performance, and user experience. This blog will cover some best practices to consider when managing file uploads in Oracle APEX and beyond.


Defence In Depth

Implementing a defence-in-depth approach is essential to secure the upload process, making it more robust and tailored to the service's needs and requirements. Utilising multiple techniques is necessary and recommended, as no single method can fully safeguard the service.

Starting with the more general steps:

  • Always use HTTPS to encrypt data transmitted. This helps ensure the file cannot be intercepted or altered during transit.
  • Ensure the upload form meets relevant privacy and regulatory standards.
  • Raise user awareness on the importance of following upload guidelines and the risks associated with downloading files, emphasising caution and the use of malware scanners.
  • Securing file storage is just as crucial as ensuring safe uploads and handling. Implementing proper storage practices helps prevent unauthorised access and potential data breaches.
  • Adopt a zero-trust architecture, a security model that operates on the principle that no user or file should be inherently trusted. File permissions should follow the principle of least privilege, ensuring that only authorised users have the ability to read the files.


Oracle APEX File Upload Item

The Oracle APEX File Upload item offers several safeguards when allowing users to upload files through your application:

  • The file types setting under storage can validate file types through standard APEX validation when the page is submitted. The allowed file types are set by a comma-delimited list. I find it easiest to set and track the allowed types via an application/page item and substitute this here.

  • The Maximum File Size setting is particularly useful in preventing large files from being uploaded, helping to safeguard system performance and prevent abuse of the APEX file storage functionality.

  • If you use the APEX_APPLICATION_TEMP_FILES table to store files before processing, Oracle APEX can be configured to purge the file at the end of the session/request, depending on what you want.
  • It is highly recommended to keep comprehensive logs of all file upload activities, documenting the user who uploaded the file, the file type, size, and timestamp. These logs are essential for troubleshooting and auditing and can be done easily with APEX under the settings or using the data populated into the temporary files table.
  • Oracle APEX Image Upload Item can also be used for uploading files and has comparable properties to the file upload item mentioned above to aid with validating file uploads.
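
As an added example (not code from this blog or from Oracle), the page process below copies an upload out of APEX_APPLICATION_TEMP_FILES before it is purged and records the user, file type, size and timestamp alongside it. The table `app_uploads` and the item `P10_UPLOAD` are hypothetical names, and the item is assumed to accept a single file.

```plsql
-- Added example. app_uploads and P10_UPLOAD are hypothetical names.
-- One-off DDL: application-owned table holding the file and its audit data.
create table app_uploads (
    id            number generated always as identity primary key,
    original_name varchar2(400) not null,
    mime_type     varchar2(255),
    size_bytes    number        not null,
    uploaded_by   varchar2(255) not null,
    uploaded_on   timestamp with time zone default systimestamp not null,
    app_id        number,
    page_id       number,
    content       blob
);

-- Page process body, run after the page validations have passed.
begin
    insert into app_uploads
        (original_name, mime_type, size_bytes,
         uploaded_by, app_id, page_id, content)
    select filename,
           mime_type,
           dbms_lob.getlength(blob_content),
           :APP_USER,        -- authenticated APEX user name
           :APP_ID,
           :APP_PAGE_ID,
           blob_content
      from apex_application_temp_files
     where name = :P10_UPLOAD;   -- the item holds the NAME key of the temp row

    -- Fail loudly rather than silently losing the upload and its audit record.
    if sql%rowcount = 0 then
        raise_application_error(-20002,
            'Upload not found in APEX_APPLICATION_TEMP_FILES.');
    end if;
end;
```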

 

Instance Level - Controlling file uploads

After logging into the administration services for your APEX instance and selecting 'manage instance', in 'security' under the 'instance settings' section, selecting 'no' on the below setting will prevent unauthenticated users from uploading files in applications that provide file upload controls:



It is also worth noting that the Oracle APEX builders guide recommends that files are uploaded directly to a table in your workspace schema or, if you need programmatic access, uploaded to APEX_APPLICATION_TEMP_FILES rather than stored in the application files table. Also, while files uploaded and stored in the Oracle database via APEX are stored as LOBs in database tables and cannot be executed on their own, the real risk arises when these files are made accessible for opening. It is essential to implement measures to prevent unauthorised access and potential execution of malicious files.


File Names

Following OWASP's advice, only allow acceptable characters in the file name. Simple characters such as letters, digits, underscores, hyphens, spaces, and periods can be included in your basic whitelist.

Depending on how your file model works, you could implement functionality to store the files using a random string or a timestamp, which can help ensure that each file name is unique and not easily guessable, giving you control to prevent malicious file names from being stored in the system. Alternatively, you can sanitise file names by removing or replacing harmful characters, ensuring that the name does not affect your server's file system or web application.
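
The package below is an added example, not code from this blog or from Oracle, showing the character allowlist and the random storage name side by side. `upload_name_util` and its functions are hypothetical names, the 100-character limit is a sample value, and it assumes the schema has been granted EXECUTE on DBMS_CRYPTO.

```plsql
-- Added example. upload_name_util and its functions are hypothetical names.
-- Assumes EXECUTE on DBMS_CRYPTO has been granted to the parsing schema.
create or replace package upload_name_util as
    function is_allowed_name (p_filename in varchar2) return boolean;
    function storage_name    (p_filename in varchar2) return varchar2;
end upload_name_util;
/
create or replace package body upload_name_util as
    -- Allowlist from the text: letters, digits, underscore, hyphen, space, period.
    c_allowed constant varchar2(70) :=
        'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_- .';

    function is_allowed_name (p_filename in varchar2) return boolean is
    begin
        -- TRANSLATE deletes every allowlisted character ('#' is only a
        -- placeholder that maps to itself); anything left over is not allowed.
        -- Unlike a regex range such as [A-Z], this does not depend on NLS_SORT.
        return p_filename is not null
           and length(p_filename) <= 100          -- sample limit
           and translate(p_filename, '#' || c_allowed, '#') is null;
    end is_allowed_name;

    function storage_name (p_filename in varchar2) return varchar2 is
        l_ext varchar2(10);
    begin
        if not is_allowed_name(p_filename) then
            raise_application_error(-20001, 'File name contains characters that are not allowed.');
        end if;
        -- Keep only a short alphanumeric extension after the last period.
        l_ext := lower(regexp_substr(p_filename, '\.([[:alnum:]]{1,8})$', 1, 1, null, 1));
        -- 16 random bytes become 32 hex characters; the user-supplied name is not reused.
        return lower(rawtohex(dbms_crypto.randombytes(16)))
               || case when l_ext is not null then '.' || l_ext end;
    end storage_name;
end upload_name_util;
/
```

The original name can still be kept in its own column for display, while the generated name is the one used for storage.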


File Types

Please be aware that blocking specific extensions is a weak protection method on its own, especially with unauthorised file uploads. Following OWASP guidelines, "only allow safe and critical extensions for business functionality. Based on the needs of the application, ensure the least harmful and the lowest risk file types to be used".

For file types:

  • The MIME type can be checked as a quick method of defence using an allowlist approach. This file attribute is automatically monitored by the Oracle APEX upload items.
  • ZIP files are not recommended.
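
The allowlist check can also be written as a page validation that returns error text, as in this added example (not code from this blog or from Oracle). `P10_UPLOAD` is a hypothetical single-file upload item stored in APEX_APPLICATION_TEMP_FILES, and the accepted types and the 5 MB limit are sample values.

```plsql
-- Added example: body of a page validation that returns error text.
-- P10_UPLOAD is a hypothetical File Upload item; allowlist and limit are samples.
declare
    c_max_bytes constant number := 5 * 1024 * 1024;
    l_filename  apex_application_temp_files.filename%type;
    l_mime      apex_application_temp_files.mime_type%type;
    l_ext       apex_application_temp_files.filename%type;
    l_bytes     number;
begin
    select filename, lower(mime_type), dbms_lob.getlength(blob_content)
      into l_filename, l_mime, l_bytes
      from apex_application_temp_files
     where name = :P10_UPLOAD;

    -- Text after the last period; NULL when the name has no extension.
    l_ext := lower(regexp_substr(l_filename, '\.([^.]+)$', 1, 1, null, 1));

    -- Extension and MIME type must both be allowlisted and agree with each
    -- other. A NULL extension or MIME type falls through to the ELSE branch.
    if    (l_ext = 'pdf'            and l_mime = 'application/pdf')
       or (l_ext = 'png'            and l_mime = 'image/png')
       or (l_ext in ('jpg', 'jpeg') and l_mime = 'image/jpeg')
    then
        null;
    else
        return 'Only PDF, PNG and JPEG files are accepted.';
    end if;

    if nvl(l_bytes, 0) = 0 or l_bytes > c_max_bytes then
        return 'The file is empty or larger than 5 MB.';
    end if;

    return null;   -- NULL means the validation passed
exception
    when no_data_found then
        return 'No uploaded file was found for this request.';
end;
```

Both the file name and the MIME type are supplied by the client, so this stays the quick first layer described above and does not replace content scanning.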


Application Performance

If your application manages a high volume of file uploads, consider the following:

  • Utilising APEX's support for RESTful web services to upload files to external storage solutions.
  • Additionally, if available, the application should establish appropriate request limits for the download service.


Validate File Content

Scanning for malware adds an additional layer of protection, catching malicious files that might slip through the initial validation checks. The implementation of this protective measure will differ for each environment, but below are some starting points:

  • Have a malware scanner installed on the operating system of the server where your applications run, as this can help identify potential issues.
  • Make use of third-party file-scanning services that provide APIs for scanning files.
  • Along with the benefits of scaling and reducing database size, storing files on cloud services has its advantages. For example, with Oracle Cloud Storage, you can implement additional security rules. You can create actions for different scenarios, such as file creation in one of your buckets, which can include scanning the file for any malicious content.
  • As part of Oracle REST Data Services Release 21.1, ORDS can be configured to integrate with an ICAP server for virus scans. APEX uses the ORDS PL/SQL gateway, so once configured, this ICAP integration is also applied to file uploads in APEX.


Summary

Along with all the above tips, it is essential to ensure compliance with local laws and regulations regarding data storage. It is also strongly recommended when managing files to have a secure backup plan in place. Implementing file uploads in Oracle APEX is made simple for developers and app users and is highly configurable, but it can open the door to security complexities. By adhering to best practices, you can develop a secure, efficient, and user-friendly file upload experience. A lot of influence for this post was taken from the OWASP file upload cheat sheet, which provides further information on the best file upload practices.
