[Esapi-user] how to validate binary data - example copy pdf or image file

Jim Manico jim.manico at owasp.org
Wed Jul 13 18:58:39 EDT 2011


ESAPI does not do file upload binary analysis. This is a brutally complex
topic that is file-contextual.

For PDF validation, this is, by far, the best research to date.

http://blog.modsecurity.org/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html

- Jim Manico

On Jul 13, 2011, at 3:34 PM, "Hafiz, Abdul - Kansas City, MO" <abdul.hafiz at kcc.usda.gov> wrote:

In the example below, I am copying a PDF file. AppScan Source reports
Vulnerability Validation.EncodingRequired. I cannot encode in this case
because I want an exact copy of srcFile. The only option I may have is to
validate before writing it to outputStream. How do I perform validation on
binary data using ESAPI?

        // Needs java.io.* (streams, IOException); CopyException is the
        // poster's own exception class.
        // try-with-resources closes both streams even if read() or write() throws.
        try (InputStream oInStream = new FileInputStream(srcFile);
             BufferedInputStream oBuffInputStream = new BufferedInputStream(oInStream);
             OutputStream oOutStream = new FileOutputStream(destFile)) {

            // Transfer bytes from in to out
            byte[] oBytes = new byte[1024];
            int nLength;
            while ((nLength = oBuffInputStream.read(oBytes)) > 0) {
                oOutStream.write(oBytes, 0, nLength);
            }
        } catch (IOException e) {
            throw new CopyException("IOException copying file", e);
        }

Thanks,
Abdul
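
Added example, not part of either message and not ESAPI code: a coarse pre-copy check for the PDF case asked about above, using only the JDK. The class name, the size limit and the list of active-content names are assumptions chosen for illustration, and the sample inputs in main() are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper; the limit and the name list below are assumptions.
public class PdfPreCopyCheck {
    static final long MAX_BYTES = 10L * 1024 * 1024;
    // PDF name tokens that indicate scripts, automatic actions or attachments.
    static final String[] ACTIVE = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"};

    /** Returns the reasons to reject; an empty list means the coarse checks passed. */
    static List<String> check(byte[] data) {
        List<String> reasons = new ArrayList<>();
        // ISO-8859-1 maps every byte to exactly one char, so offsets match the file.
        String text = new String(data, StandardCharsets.ISO_8859_1);
        if (!text.startsWith("%PDF-")) reasons.add("no %PDF- header at offset 0");
        String tail = text.substring(Math.max(0, text.length() - 1024));
        if (!tail.contains("%%EOF")) reasons.add("no %%EOF marker in the last 1024 bytes");
        for (String name : ACTIVE) {
            int i = text.indexOf(name);
            while (i >= 0) {
                int end = i + name.length();
                // Require a delimiter after the token so /JS does not match a longer name.
                if (end == text.length() || !Character.isLetterOrDigit(text.charAt(end))) {
                    reasons.add("active-content name " + name); break;
                }
                i = text.indexOf(name, end);
            }
        }
        return reasons;
    }

    /** Copies src to dest byte for byte, but only after the checks pass. */
    static void copyIfAcceptable(Path src, Path dest) throws IOException {
        if (Files.size(src) > MAX_BYTES) throw new IOException("rejected: larger than " + MAX_BYTES);
        byte[] data = Files.readAllBytes(src);
        List<String> reasons = check(data);
        if (!reasons.isEmpty()) throw new IOException("rejected " + src + ": " + reasons);
        Files.write(dest, data);   // writes exactly the bytes that were checked
    }

    public static void main(String[] args) {
        // Constructed samples, not real documents.
        String plain = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n";
        String active = "%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (x) >> >>\nendobj\n%%EOF\n";
        for (String s : new String[] {plain, active})
            System.out.println(check(s.getBytes(StandardCharsets.ISO_8859_1)));
    }
}
```

A clean result here is not proof that a file is safe: PDF names can be written with #xx hex escapes and objects can sit inside compressed streams, neither of which a raw byte scan sees. Treat it as a first filter in front of a real PDF parser or malware scanner.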




