</param>
</interceptor-ref>
</action>
The code for file upload appears in the UploadAction class:
import java.io.File;

import org.apache.commons.io.FileUtils;

import com.opensymphony.xwork2.ActionSupport;

public class UploadAction extends ActionSupport {
    private File uploadedFile;

    // Populated by the fileUpload interceptor from the multipart request
    public File getUploadedFile() { return uploadedFile; }
    public void setUploadedFile(File uploadedFile) { this.uploadedFile = uploadedFile; }

    public String execute() {
        try {
            // File path and file name are hardcoded for illustration
            File fileToCreate = new File("filepath", "filename");
            // Copy temporary file content to this file; nothing here checks
            // that the content matches the declared type
            FileUtils.copyFile(uploadedFile, fileToCreate);
            return "SUCCESS";
        } catch (Throwable e) {
            addActionError(e.getMessage());
            return "ERROR";
        }
    }
}
The maximumSize parameter ensures that a particular Action cannot receive a very large
file, and the allowedTypes parameter defines the types of file that are accepted. However,
this approach fails to ensure that the uploaded file conforms to the security requirements,
because the interceptor's checks can be trivially bypassed. If an attacker were to use a
proxy tool to change the content type in the raw HTTP request in transit, the framework
would fail to prevent the file's upload. Consequently, an attacker could upload a malicious
file that has a .exe extension, for example.
Compliant Solution
The file upload must succeed only when the content type matches the actual content of the
file. For example, a file with an image header must contain only an image and must not
contain executable code. This compliant solution uses the Apache Tika library [Apache
2013] to detect and extract metadata and structured text content from documents using
existing parser libraries. The checkMetaData() method must be called before invoking
code in execute() that is responsible for uploading the file.
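An added example (not the book's compliant solution) of such a checkMetaData() method, using Apache Tika's content sniffing so that a renamed executable is rejected even when its declared type is on the allow list. It assumes Tika is on the classpath, Java 9 or later, and that the action receives the declared type through the uploadedFileContentType field that the Struts 2 fileUpload interceptor populates by convention; the allowed types are illustrative.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.Set;

import org.apache.tika.Tika;
import org.apache.tika.mime.MediaType;

/** Added example: content-sniffing check for a Struts upload, not the page's own code. */
public final class UploadContentCheck {
    // Assumption: only these types are acceptable for this action
    private static final Set<MediaType> ALLOWED = Set.of(
            MediaType.image("png"), MediaType.image("jpeg"));

    private UploadContentCheck() {}

    /**
     * Returns true only if the content type declared in the multipart request
     * matches the type Tika detects from the bytes themselves, and that type
     * is on the allow list. The file name and extension are deliberately not
     * given to Tika, so a renamed file cannot influence the result.
     */
    public static boolean checkMetaData(File uploaded, String declaredContentType)
            throws IOException {
        MediaType declared = MediaType.parse(declaredContentType);
        if (declared == null) {
            return false; // missing or unparsable Content-Type
        }
        MediaType detected;
        try (InputStream in = Files.newInputStream(uploaded.toPath())) {
            // Tika.detect(InputStream) sniffs the leading bytes only; no name hint
            detected = MediaType.parse(new Tika().detect(in));
        }
        // Compare base types so parameters such as "; charset=utf-8" play no role
        return detected != null
                && ALLOWED.contains(detected.getBaseType())
                && detected.getBaseType().equals(declared.getBaseType());
    }
}

// In UploadAction.execute(), before FileUtils.copyFile(...):
//   if (!UploadContentCheck.checkMetaData(uploadedFile, uploadedFileContentType)) {
//       addActionError("Declared content type does not match file content");
//       return "ERROR";
//   }
```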