File uploads in an HRIS: a practical security guide
Why uploads are critical in HR SaaS
An HRIS or payroll system handles a lot of files:
Each of these files is a potential entry point if the upload isn't properly secured.
Classic attacks
Code execution
The attacker uploads a PHP file, a JSP file, or a script disguised as an image. If the server executes it, the attacker takes control. This is basic, but we still find it on production applications.
Stored XSS via SVG
An SVG file can contain JavaScript. If your application displays an uploaded SVG in another user's browser, the script executes in their context — session theft, data exfiltration.
Path traversal
The attacker manipulates the filename to overwrite system files: ../../../etc/passwd or ../../config/database.yml. If your backend uses the filename as-is, it's exploitable.
Denial of service
An attacker uploads a 10 GB file when no size limit is configured, or a zip bomb (a compressed file of a few KB that decompresses into several GB).
The security guide
1. Validate MIME type server-side
Don't trust the extension. Check the actual file content (magic bytes). A .jpg file that starts with <?php is not an image.
2. Always rename
Never keep the original filename. Generate a UUID and store the original name in the database, separately.
3. Store outside the webroot
Uploaded files should never be served directly by the web server. Store them on an external service (S3, GCS, Supabase Storage) and serve them via signed URLs with expiration.
4. Limit file size
Configure a size limit at:
5. Scan files
For applications handling sensitive data (payroll, HR), antivirus scanning on uploaded files is recommended. ClamAV is open source and integrates easily.
6. Control access
Each file must be associated with an organization. The download URL must verify the user has the right to access the file. Non-expiring public URLs are prohibited.
7. Log everything
Record who uploaded what, when, and from which IP. In case of an incident, these logs are essential.
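As an added example (not code from the CleanIssue article), a Python upload handler that applies steps 1 to 4 above: it sniffs magic bytes against an allowlist that deliberately excludes SVG, renames the file to a UUID with an extension taken from the detected type, writes it under a per-organization directory outside the webroot, enforces a size limit, and rejects zip archives whose declared decompressed size is excessive. The allowlist, the limits and the directory layout are assumptions.

```python
import hashlib
import io
import os
import uuid
import zipfile

# Allowlist keyed by file signature (magic bytes), never by the user-supplied extension.
MAGIC = {
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"%PDF-": ("application/pdf", "pdf"),
    b"PK\x03\x04": ("application/zip", "zip"),
}
MAX_BYTES = 10 * 1024 * 1024      # per-upload size limit (constructed value)
MAX_UNZIPPED = 200 * 1024 * 1024  # cap on declared decompressed size (zip bomb guard)


def sniff(data: bytes):
    """Return (mime, ext) from the leading bytes, or None if the type is not allowed."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None  # SVG, HTML and scripts carry no allowed signature and are rejected


def zip_is_safe(data: bytes) -> bool:
    """Reject malformed archives and those whose declared decompressed size is excessive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return sum(i.file_size for i in zf.infolist()) <= MAX_UNZIPPED
    except zipfile.BadZipFile:
        return False


def validate_and_store(original_name: str, data: bytes, store_dir: str, org_id: str) -> dict:
    """Validate an upload and write it under a UUID name in a per-organization directory.
    The original filename is returned as metadata only; it never becomes part of a path."""
    if len(data) > MAX_BYTES:
        raise ValueError("file exceeds size limit")
    kind = sniff(data)
    if kind is None:
        raise ValueError("file type not allowed")
    mime, ext = kind
    if mime == "application/zip" and not zip_is_safe(data):
        raise ValueError("archive rejected")
    stored_name = f"{uuid.uuid4()}.{ext}"  # extension from detected type, not from the client
    org_dir = os.path.join(store_dir, org_id)  # store_dir is assumed to live outside the webroot
    os.makedirs(org_dir, exist_ok=True)
    with open(os.path.join(org_dir, stored_name), "wb") as f:
        f.write(data)
    return {"org_id": org_id, "stored_name": stored_name, "original_name": original_name,
            "mime": mime, "sha256": hashlib.sha256(data).hexdigest()}
```

The returned record is what goes into the database; the download endpoint then looks the file up by stored_name and checks the requester belongs to org_id before issuing a signed URL.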
What CleanIssue checks
During a Full Audit, we systematically test upload features: accepted file types, behavior with malicious files, cross-organization access, download URLs. It's one of the most frequently exploitable vectors in the HR SaaS products we audit.