...

The maximumSize parameter ensures that a particular Action does not receive a very large file. The allowedType parameter defines the file types that are accepted.

However, this approach does not ensure that the uploaded file meets the security requirements, because the interceptor's checks can be trivially bypassed. The interceptor compares the Content-Type that the client declares for the multipart part, not the actual contents of the file. An attacker who uses a proxy tool to rewrite that content type in the raw HTTP request in transit is therefore not stopped by the framework and can upload a malicious file, such as an executable with an .exe extension, under an accepted type.

This code appears to violate ERR08-J. Do not catch NullPointerException or any of its ancestors, but it does not actually violate that rule, because it falls under exception ERR08-EX2.

...

The file upload must succeed only if the declared content type matches the content actually present in the file. For example, a file with an image header must contain only an image and not executable code. This compliant solution uses the Apache Tika library (http://tika.apache.org/index.html) to detect and extract metadata and structured text content from documents using existing parser libraries. The checkMetaData() method must be called before invoking execute().

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.parser.Parser;
import org.apache.tika.sax.BodyContentHandler;
import org.xml.sax.ContentHandler;

// Returns true only if the type Tika detects from the file's bytes matches the
// content type the client declared for the upload (getContentType).
public static boolean checkMetaData(File f, String getContentType) {
  InputStream is = null;
  try {
    is = new FileInputStream(f);
    // BodyContentHandler buffers the extracted text and, with its default write
    // limit of 100,000 characters, throws once that limit is exceeded; the
    // exception lands in the catch block below, so very large text-bearing
    // files are rejected even when their type is correct.
    ContentHandler contenthandler = new BodyContentHandler();
    Metadata metadata = new Metadata();
    // The resource name is only a hint for detection. Do not pre-set
    // CONTENT_TYPE from the declared type: the detector treats that entry as
    // a hint as well, which would let the attacker's value influence the result.
    metadata.set(Metadata.RESOURCE_NAME_KEY, f.getName());
    Parser parser = new AutoDetectParser();
    // AutoDetectParser detects the type from the bytes, records it in the
    // metadata, and then delegates to the matching parser.
    parser.parse(is, contenthandler, metadata, new ParseContext());

    String detected = metadata.get(Metadata.CONTENT_TYPE);
    return detected != null && detected.equalsIgnoreCase(getContentType);
  } catch (Exception e) {
    // Any parse failure (corrupt, truncated or unparsable input) rejects the upload.
    e.printStackTrace();
    return false;
  } finally {
    if (is != null) {
      try {
        is.close();
      } catch (IOException e) {
        // handle error
      }
    }
  }
}

The AutoDetectParser chooses a parser from the content type it detects for the file, and that detection is driven by the file's bytes (its magic numbers), with the resource name serving only as a hint, rather than by the Content-Type the client sent. The detected type is what ends up in the metadata that checkMetaData() compares against the declared type. Two caveats apply. First, the comparison is a plain case-insensitive string match, so a declared type that carries parameters (for example text/plain; charset=UTF-8) will not match the detected base type and must be normalised before the call. Second, the declared type must still be checked against the application's allow-list: a file whose bytes agree with its declaration is not thereby a type the Action should accept.
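The following class is an added example and is not code from this rule or from the Struts or Tika projects. It serves both the bypass discussed for the noncompliant interceptor configuration and the Tika-based detection that AutoDetectParser performs: declaredTypeAllowed() models a check that trusts the client's Content-Type, and contentMatchesDeclared() requires the type Tika detects from the bytes to agree with the declaration and with an allow-list. The class name, the allow-list, the helper names and the sample byte arrays are assumptions made for illustration; the byte arrays are constructed inputs (a PNG signature, and an "MZ" executable signature uploaded under an image name and type, which is the proxy-modified request described above).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.tika.Tika;
import org.apache.tika.mime.MediaType;

/**
 * Added example (not part of the rule or of the Struts/Tika projects).
 * Contrasts a header-driven check with a content-driven check that uses
 * Tika's detection, the same detection AutoDetectParser runs before it
 * picks a parser.
 */
public final class UploadTypeCheck {

  // Hypothetical allow-list for an image-upload Action.
  private static final Set<String> ALLOWED = Collections.unmodifiableSet(
      new HashSet<>(Arrays.asList("image/png", "image/jpeg")));

  private static final Tika TIKA = new Tika();

  /** Base type (parameters stripped) of a MIME type string, or null if unparsable. */
  private static String baseType(String mimeType) {
    MediaType parsed = MediaType.parse(mimeType);
    return parsed == null ? null : parsed.getBaseType().toString();
  }

  /**
   * What an allowed-types interceptor effectively does: trust the Content-Type
   * the client sent for the multipart part. A proxy-edited header passes this.
   */
  public static boolean declaredTypeAllowed(String declaredContentType) {
    String declared = baseType(declaredContentType);
    return declared != null && ALLOWED.contains(declared);
  }

  /**
   * Content-driven check: the declared type must be on the allow-list AND the
   * type Tika detects from the bytes must have the same base type. The file
   * name is passed only as a hint; magic bytes take precedence in detection,
   * and unknown content (application/octet-stream) fails closed.
   */
  public static boolean contentMatchesDeclared(byte[] content, String fileName,
                                               String declaredContentType) throws IOException {
    if (!declaredTypeAllowed(declaredContentType)) {
      return false;
    }
    String detected;
    try (InputStream in = new ByteArrayInputStream(content)) {
      detected = TIKA.detect(in, fileName);
    }
    return baseType(declaredContentType).equals(baseType(detected));
  }

  public static void main(String[] args) throws IOException {
    // Constructed samples: the 8-byte PNG signature, and the "MZ" signature of a
    // Windows executable that is uploaded as "evil.png" with "image/png".
    byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    byte[] exe = {'M', 'Z', (byte) 0x90, 0x00, 0x03, 0x00, 0x00, 0x00};

    System.out.println("genuine PNG, header check:  " + declaredTypeAllowed("image/png"));
    System.out.println("genuine PNG, content check: "
        + contentMatchesDeclared(png, "photo.png", "image/png"));
    System.out.println("spoofed EXE, header check:  " + declaredTypeAllowed("image/png"));
    System.out.println("spoofed EXE, content check: "
        + contentMatchesDeclared(exe, "evil.png", "image/png"));
  }
}
```

Only tika-core is needed on the classpath for Tika.detect(); the parser artifacts are required only when, as in checkMetaData(), the file is also parsed. For the spoofed sample the header check accepts the upload while the content check rejects it, because Tika resolves the MZ signature to an executable type rather than image/png; comparing base types rather than raw strings also avoids the parameter-mismatch problem noted above.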

...