Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

File repository in ruby on rails

Tags:

file

repository

ruby

ruby-on-rails

I would like to create a simple file repository in Ruby on Rails. Users have their accounts, and after one logs in they can upload a file or download files previously uploaded.

The issue here is the security. Files should be safe and not available to anyone but the owners.

  1. Where, in which folder, should I store the files, to make them as safe as possible?
  2. Does it make sense, to rename the uploaded files, store the names in a database and restore them when needed? This might help avoid name conflicts, though I'm not sure if it's a good idea.
  3. Should the files be stored all in one folder, or should they be somewhat divided?
like image 736
Andrzej Gis Avatar asked Dec 09 '25 10:12

Andrzej Gis

2 Answers

  • rename the files, for one reason, because you have no way to know if today's file "test" is supposed to replace last week's "test" or not (perhaps the user had them in different directories)
  • give each user their own directory, this prevents performance problems and makes it easy to migrate, archive, or delete a single user
  • put metadata in the database and files in the file system
  • look out for code injection via file name
like image 117
DigitalRoss Avatar answered Dec 12 '25 03:12

DigitalRoss

This is an interesting question. Depending on the level of security you want to apply I would recommend the following:

  1. Choose a folder that is only accessible by your app server (if you chose to store in the FS)

  2. I would always recommend to rename the files to a random generated hash (or incremntally generated name like used in URL shorteners, see the open source implementation of rubyurl). However, I wouldn't store them in a database because filesystems are built for handling files, so let it do the job. You should store the meta data in the database to be able to set the right file name when the user downloads the file.

  3. You should partition the files among multiple folders. This gives you multiple advantages. First, filesystems are not built to handle millions of files in a single folder. If you have operations that try to get all files from a folder this takes significantly more time. If you obfuscate the original file name you could create one directory for each letter in the filename and would get a fairly good distributed number of files per directory.

One last thing to consider is the possible collision of file names. A user should not be able to guess a filename from another user. So you might need some additional checks here.

Depending on the level of security you want to achieve you can apply more and more patterns.

like image 30
grundprinzip Avatar answered Dec 12 '25 02:12

grundprinzip
Sign in to Comment

Related questions

How do I encode the & symbol for batch requests?
Selecting unique rows when doing a join
Start up required additional services (resque, redis) with `rails server` command
Facebook login callback hash documentation
Why do you have to use fetch for Rails params?
Rails 6 Nginx reverse proxy: problem serving static files
Rails OR Query with JOIN and LIKE

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!