5. Prevent arbitrary file upload
Java applications, including web applications, that accept file uploads must ensure that an
attacker cannot upload or transfer malicious files. If a restricted file containing code is
executed by the target system, it can compromise application-layer defenses. For example,
an application that permits HTML files to be uploaded could allow malicious code to be
executed: an attacker can submit a valid HTML file carrying a cross-site scripting (XSS)
payload, and if the application later serves that file back from its own origin, the script
runs in the browser of every user who opens it, with no output-escaping routine in the
path to stop it. For this reason, many applications restrict the type of files that can be
uploaded.
It may also be possible to upload files with dangerous extensions such as .exe and .sh
that could lead to arbitrary code execution on the server. An application that restricts
only the Content-Type field of the HTTP request is vulnerable to such an attack: that
header is supplied by the client and can be set to any value the attacker chooses.
To support file upload, a typical JavaServer Pages (JSP) page using Struts 2 tags consists of
code such as the following:
<s:form action="doUpload" method="POST"
enctype="multipart/form-data">
<s:file name="uploadFile" label="Choose File" size="40" />
<s:submit value="Upload" name="submit" />
</s:form>
Many Java enterprise frameworks provide configuration settings intended to be used
as a defense against arbitrary file upload. Unfortunately, most of them check only
metadata supplied by the client and so fail to provide adequate protection on their own.
Mitigation of this vulnerability involves checking file size, content type, and the actual
file contents, among other metadata attributes.
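The checks listed above (size, type, and actual contents), and the warning earlier that a Content-Type-only check is bypassable, worked through in code. This is an added example, not code from the book or from Struts 2: a framework-independent validator that deliberately ignores the client-supplied Content-Type and instead enforces a size limit, a whitelist of extensions, and a magic-byte check on the bytes that were actually uploaded. The class name UploadValidator, the 10 KB limit, the set of allowed extensions, and the sample inputs in main are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not from the book): validates an uploaded file by size, by a
 * whitelisted extension, and by the file's own leading bytes. The client's
 * Content-Type header is never consulted because the client controls it.
 */
public final class UploadValidator {

    /** Maximum accepted size in bytes; 10 KB is an assumption for this example. */
    static final int MAX_SIZE = 10 * 1024;

    /** Permitted extensions, each mapped to the signature the file body must start with. */
    private static final Map<String, byte[]> SIGNATURES = Map.of(
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});

    private UploadValidator() {}

    /** Returns null when the upload is acceptable, otherwise the reason it was rejected. */
    public static String validate(String clientFileName, byte[] body) {
        if (clientFileName == null || body == null || body.length == 0) {
            return "empty upload";
        }
        if (body.length > MAX_SIZE) {
            return "file exceeds " + MAX_SIZE + " bytes";
        }

        // Discard any directory part the client sent ("../../x.jpg", "C:\\x.jpg").
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);

        // Judge the LAST extension: "shell.jpg.jsp" is rejected here, while
        // "shell.jsp.jpg" passes this step and is caught by the signature check.
        // A leading dot (".htaccess") or a trailing dot is treated as no extension.
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return "missing extension";
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] expected = SIGNATURES.get(ext);
        if (expected == null) {
            return "extension ." + ext + " not permitted";
        }

        // The decisive check: the uploaded bytes must actually be the claimed format.
        if (body.length < expected.length
                || !Arrays.equals(Arrays.copyOf(body, expected.length), expected)) {
            return "content does not match ." + ext;
        }
        return null;
    }

    /** Constructed sample inputs standing in for the parts a multipart parser would hand over. */
    public static void main(String[] args) {
        byte[] realJpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0x00, 0x10};
        byte[] jspText = "<% out.println(\"not an image\"); %>".getBytes(StandardCharsets.US_ASCII);
        byte[] htmlText = "<script>alert(1)</script>".getBytes(StandardCharsets.US_ASCII);

        System.out.println(validate("photo.jpg", realJpeg));          // null: accepted
        System.out.println(validate("photo.jpg", jspText));           // content does not match .jpg
        System.out.println(validate("shell.jsp", jspText));           // extension .jsp not permitted
        System.out.println(validate("../../shell.jpg.jsp", jspText)); // extension .jsp not permitted
        System.out.println(validate("page.html", htmlText));          // extension .html not permitted
    }
}
```

A signature check of this kind stops files whose bytes are plainly not the claimed format; for a stronger check, fully parse the file with a library for that format (for images, decode it) and store the accepted file under a server-generated name, outside the web root, so the client-chosen name is never used as a path or served back as-is.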
Noncompliant Code Example
This noncompliant code example shows XML code from the upload action of a Struts 2
application. The interceptor code is responsible for allowing file uploads.
<action name="doUpload" class="com.example.UploadAction">
<interceptor-ref name="fileUpload">
<param name="maximumSize"> 10240 </param>
<param name="allowedTypes">
text/plain,image/JPEG,text/html