Java-based web applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If a restricted file containing code is executed by the target system, it can result in misuse of privileges. For example, an application that permits HTML files to be uploaded could allow malicious code to be executed: an attacker can submit a valid HTML file with a cross-site scripting payload that will execute in the absence of an output-escaping routine. For this reason, many applications restrict the type of files that can be uploaded.

...

Many Java enterprise frameworks provide configuration settings intended to be used as a defense against arbitrary file upload. Unfortunately, most of them fail to provide adequate protection. Mitigation of this vulnerability involves checking file size, content type, and file contents, among other metadata attributes.

Noncompliant Code Example

This noncompliant code example shows some XML code from the upload action of a Struts 2 application. The interceptor code is responsible for allowing file uploads.

...

The value of the maximumSize parameter ensures that a particular Action cannot receive a very large file. The allowedType parameter defines the types of files that are accepted. However, this approach fails to ensure that the uploaded file conforms to the security requirements, because the interceptor checks rely on the client-supplied content type and can be trivially bypassed. If an attacker were to use a proxy tool to change the content type in the raw HTTP request in transit, the framework would fail to prevent the file's upload. Consequently, an attacker could upload a malicious file having an .exe extension.

Although this code appears to violate ERR08-J. Do not catch NullPointerException or any of its ancestors, it falls under the exception ERR08-EX2.

Compliant Solution

The file upload must succeed only when the content type matches the content actually present within the file. For example, a file with an image header must contain only an image and must lack executable code. This compliant solution uses the Apache Tika library to detect and extract metadata and structured text content from documents using existing parser libraries. The checkMetaData() method must be called before invoking execute().

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.apache.tika.exception.TikaException;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.parser.Parser;
import org.apache.tika.sax.BodyContentHandler;
import org.xml.sax.ContentHandler;
import org.xml.sax.SAXException;

public static boolean checkMetaData(File f, String getContentType) {
  try (InputStream is = new FileInputStream(f)) {
    ContentHandler contenthandler = new BodyContentHandler();
    Metadata metadata = new Metadata();
    metadata.set(Metadata.RESOURCE_NAME_KEY, f.getName());
    Parser parser = new AutoDetectParser();
    // Detect the real type from the file's bytes rather than trusting the
    // content type supplied by the client in the HTTP request
    parser.parse(is, contenthandler, metadata, new ParseContext());

    // Accept the upload only when the detected type matches the declared one;
    // a null detected type (nothing recognized) is treated as a mismatch
    String detected = metadata.get(Metadata.CONTENT_TYPE);
    return detected != null && detected.equalsIgnoreCase(getContentType);
  } catch (IOException | SAXException | TikaException e) {
    // Handle error: any failure to read or parse the file rejects the upload
    return false;
  }
}

The AutoDetectParser selects the best available parser based on the content type of the file to be parsed.
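The following is an added example, not code from the CERT rule, that applies the same checks the text calls for (size limit, content-type allowlist, and agreement between the client-declared type and the type detected from the file's own bytes). It is written in Python so it runs stand-alone; a small constructed magic-byte table stands in for Tika's AutoDetectParser, and the limit, allowlist, and sample uploads are all assumed values.

```python
from typing import List, Tuple

MAX_UPLOAD_BYTES = 1_000_000                      # assumed limit, like maximumSize
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}   # assumed allowlist

# Constructed signature table (leading bytes -> content type). A real deployment
# would use a full detector such as Tika; this is only enough for the example.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
]


def detect_content_type(data: bytes) -> str:
    """Sniff the type from the bytes themselves, ignoring any client claim."""
    for signature, content_type in MAGIC:
        if data.startswith(signature):
            return content_type
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head:
        return "text/html"
    return "application/octet-stream"


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Mirror of checkMetaData(): accept only if the declared and detected types agree."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # Strip parameters such as '; charset=...' before comparing
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_TYPES:
        return False, f"declared type {declared!r} not allowed"
    detected = detect_content_type(data)
    if detected != declared:
        # This is the case an interceptor that trusts the request header misses
        return False, f"declared {declared!r} but content is {detected!r}"
    return True, "ok"


# Constructed sample uploads: a PNG header, and an HTML file whose Content-Type
# header was rewritten in transit to claim it is an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML_AS_PNG = b"<html><script>/* constructed payload */</script></html>"
SAMPLE_EXE = b"MZ" + b"\x00" * 14
```

Running validate_upload on SAMPLE_HTML_AS_PNG with a declared type of image/png is rejected even though the header check alone would have passed it.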

Applicability

An arbitrary file upload vulnerability could result in privilege escalation and execution of arbitrary code.
