The Nucleus File Integrity Checker Middleware is always enabled and performs validation steps on all uploaded files, whether they are submitted using core/administration functions or by extensions.
The File Integrity Checker Middleware:
Nucleus configures ASP.NET Core routing to allow static file downloads from specifically allowed locations only. The approved locations (sub-folders) are: Resources, Extensions, Areas and Shared. When a local file system provider is used to provide a link to a file stored by Nucleus, the file is served using the /files endpoint, rather than as a link to the actual disk location of the file. Remote file system providers (like Azure Blob Storage) should be configured with public access disabled. Nucleus uses Azure Blob Storage Shared Access Signature (SAS) tokens to provide access to files hosted with Azure Blob Storage.
Static files with file types which are not approved can't be downloaded from any location, even if they have been copied to the file system manually.
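One way to express the two restrictions above (approved sub-folders only, approved file types only) with the standard ASP.NET Core static file middleware. This is an added example, not Nucleus source code; the file-type list and the assumption that the four folders sit directly under the content root are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.StaticFiles;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Approved sub-folders, as listed in the text above.
string[] approvedFolders = { "Resources", "Extensions", "Areas", "Shared" };

// Assumed allow-list of file types (illustrative, not the Nucleus list).
var approvedTypes = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    [".css"] = "text/css",
    [".js"] = "text/javascript",
    [".png"] = "image/png",
    [".jpg"] = "image/jpeg",
    [".woff2"] = "font/woff2",
};

// No parameterless UseStaticFiles() call: nothing outside the approved
// folders is ever mapped to a URL.
foreach (var folder in approvedFolders)
{
    // Assumption: approved folders sit directly under the content root.
    var physicalPath = Path.Combine(app.Environment.ContentRootPath, folder);
    if (!Directory.Exists(physicalPath))
    {
        continue; // PhysicalFileProvider throws if its root is missing
    }

    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(physicalPath),
        RequestPath = "/" + folder,
        // Replace the built-in extension map with the allow-list only.
        ContentTypeProvider = new FileExtensionContentTypeProvider(approvedTypes),
        // Files whose extension is not in the map are not served, even if
        // someone copied them into an approved folder by hand.
        ServeUnknownFileTypes = false,
    });
}

app.Run();
```

With this configuration a request for a `.config` or `.dll` file inside an approved folder falls through the static file middleware and ends in a 404, because no content type is mapped for it.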
When the local file system is used, files are stored in a separate folder location, rather than a location within the application folder.
Web server administrators should still take care when configuring web server settings and file system permissions, and you should run a virus scanner on your web server.