String

Discovery and tech adoption for public officers, starting with Education Officers

What happens when I upload a file on Streamlit?

Unpacking ‘security’ of uploads on non-persistent platforms

Kahhow
Published in String
3 min read, Jan 14, 2025

There are more deployments on Streamlit and, rightly so, more individuals concerned with the ‘security’ risks of uploaded files.

This speed-writing piece explains what happens to an upload in the context of Streamlit, then extrapolates to similar implementations that use basic HTML/JavaScript for “data apps” without a backend. Finally, it addresses some possible security risks and why they can be largely mitigated.

This article also assumes that these ‘web-apps’ have no backend and are really just data processing tools.

Streamlit’s handling of uploaded files

1 Uploaded file is temporary

Streamlit’s st.file_uploader function handles the uploaded file as an in-memory object using a Python BytesIO or StringIO object. By default the upload size limit is 200MB, but the limit can be increased via config.toml.

The file only exists in memory during the session and is accessible through the variable assigned to st.file_uploader().
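
The in-memory handling described above, as an added example that is not code from the original article: it checks and parses a CSV upload straight from the BytesIO-like object without writing it to disk. The names `inspect_upload` and `MAX_BYTES`, the 5MB cap and the CSV use case are assumptions made for illustration.

```python
import csv
import hashlib
import io

# App-level cap (assumed value), far below Streamlit's 200MB default.
# The server-side limit itself is set in .streamlit/config.toml:
#   [server]
#   maxUploadSize = 5   # in MB
MAX_BYTES = 5 * 1024 * 1024


def inspect_upload(buf, max_bytes=MAX_BYTES):
    """Summarise a CSV held in a BytesIO-like object; nothing touches disk."""
    data = buf.getvalue()  # the bytes live only in this process's memory
    if len(data) > max_bytes:
        raise ValueError(f"upload is {len(data)} bytes, cap is {max_bytes}")
    if b"\x00" in data[:4096]:
        # The file extension is client-controlled, so check the content too.
        raise ValueError("binary content, expected CSV text")
    text = io.StringIO(data.decode("utf-8-sig"))  # text view of the same bytes
    rows = list(csv.reader(text))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "columns": rows[0] if rows else [],
        "rows": max(len(rows) - 1, 0),
    }


def main():
    # Imported lazily so inspect_upload can be exercised without Streamlit.
    import streamlit as st

    uploaded = st.file_uploader("Upload a CSV", type=["csv"])
    if uploaded is None:
        return  # nothing uploaded in this session yet
    try:
        st.json(inspect_upload(uploaded))
    except ValueError as exc:  # also covers UnicodeDecodeError
        st.error(str(exc))


if __name__ == "__main__":  # true under `streamlit run app.py`
    main()
```

The summary is rebuilt from the in-memory object on every script rerun; once the session ends or the file is removed from the widget, the variable no longer refers to any data.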

2 Uploaded file is session-specific

Written by Kahhow

Educator interested in data science, dance and full stack development