不受限制的文件上传-CheckMarx发行

时间:2019-01-31 17:25:42

标签: java file security

我已修复了针对checkMax报告的问题。问题是不受限制的文件上传。使用servlet对其上传进行归档。

我尝试解决验证文件扩展名,validatin内容类型为“ text / plain”和validatin(如果请求是多部分且请求方法为POST)的问题。但是问题没有解决。

我的servlet中的POST方法片段:

public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    try {   
        if (stream2file(req) == isValidateRequest(req)) {           
                InputStream reqIS = getInputStreamReq(req);
                int reqSize = req.getContentLength();
                try {
                    req.getInputStream().mark(req.getInputStream().available());
                } catch (Exception e) {
                    LOGGER.error("SEVERE: Error ", e);
                }
        }

    } catch (Exception e) {
            LOGGER.error("Error File txt ." + e);
        }       
}   

public static boolean stream2file (HttpServletRequest request) {
   boolean isFileValid =  false;

    try {
        List<FileItem> multiparts = new ServletFileUpload(
                                 new DiskFileItemFactory()).parseRequest(request);

        for(FileItem item : multiparts){
            if(!item.isFormField()){
                String name = item.getName();
                String fileSuffix = FilenameUtils.getExtension(name);
                LOGGER.error("Archivo con extension: " + fileSuffix);

                if(fileSuffix.equals("txt")) {
                    isFileValid= true;
                     LOGGER.info("  file txt  valid: " + fileSuffix);
                }
            }
        }

    } catch (Exception ex) {
        LOGGER.error("File is not valid." + ex);
    }         
    return  isFileValid;
}

private static boolean isValidateRequest(HttpServletRequest request) {       

    return (isValidarContentType(request) == isMultipartRequest(request));
}

private static boolean isValidarContentType(HttpServletRequest request) {
     boolean isValido =  false;
     final String[] VALID_CONTENT_TYPE = { "text\/plain", "text\/html", "text\/xml", "application\/xhtml+xml", "application\/xml"};

     final String contentType = request.getContentType();
     for (String whiteContent : VALID_CONTENT_TYPE) {
        if(whiteContent.equals(contentType)) {
            isValido =  true;
        }else {
            isValido =  false;
        }
    }

     return isValido;
}
private static boolean isMultipartRequest(HttpServletRequest request) {     
    return GssClsConstantes.REQUEST_METHOD_POST.equalsIgnoreCase(request.getMethod())
            && request.getContentType() != null
            && request.getContentType().toLowerCase()
                    .startsWith(GssClsConstantes.CONTENT_TYPE_MULTIPART);
}

Servlet版本是:2.4

0 个答案:

没有答案
相关问题
最新问题