Unrestricted File Upload


It was observed the application allows users to upload files and was discovered to have insufficient safeguards to ensure the uploaded file is not malicious. Malicious files that are uploaded could have a wide range of effects depending on the affected application such as storing malware or gaining access via command execution.

Understand from this documentation clamav integration via the marketplace, but since we are on air-gapped, is there any other possible way?

Any help would be appreciated!

Steps to reproduce:

    1. Login as any user to the application at a self-hosted URL.
    1. Start a conversation with any user by using the search function (Magnifying glass icon in on the top left) and selecting any other user.
    1. Select the “Upload File” button (Paperclip icon) just below the message box.
    1. Select any file to upload and click “Send”.
    1. Observe that a HTML containing an XSS payload and an EICAR file could be successfully uploaded and downloaded by users.

Server Setup Information

  • Version of Rocket.Chat Server: v6.9.2
  • Operating System: Linux System
  • Deployment Method: Docker
  • Number of Running Instances: 1 Server & 1 Database instance
  • NodeJS Version: 14.21.3
  • MongoDB Version: 6.0.15

Any additional Information

Things to note:

  • We are running rocketchat integration with LDAP
  • We are running a community version
  • We are on an air-gapped controlled server

I think you ought to read here.

Also check “Blocked” and “Accepted media types” in Settings, File Upload.

If you are paranoid either disable uploads - the only really acceptable solution - or limit them.

If you are air gapped, but users can still upload files, you might have to ask yourself what are trying to protect?

I think apps need online access for install.

Search here for ‘offline apps’ or similar.



You might also consider using a local file store (you should not be using GridFS for production) and you can then run a local AV scanner on it?