[Esapi-user] how to validate binary data - example copy pdf or image file

Jeff Williams jeff.williams at aspectsecurity.com
Wed Jul 13 19:17:59 EDT 2011


If untrusted data is used to specify srcFile or dstFile, then AppScan
has correctly identified a potential problem. However, they
miscategorized it, since this is not an interpreter problem that needs
encoding.  Rather, they should be worried about disclosing the srcFile
data or damaging the dstFile data.

 

On the other hand, if both srcFile and dstFile are trusted, they may be
assuming that the content of srcFile is dangerous and shouldn't be
copied to dstFile.  If the content of srcFile comes from an untrusted
source, then that's also a good finding even if they misclassified that
one too.

 

If the srcFile and dstFile are trusted, and the content of srcFile comes
from the local disk and is being written back to the local disk, then I
don't see the risk.  In this case, the finding is a false alarm.

 

--Jeff
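The three cases Jeff separates above (untrusted paths, untrusted content, trusted local copy) map onto two distinct checks, neither of which is encoding. The following Java class is an added example, not code from the thread and not part of ESAPI: it confines the untrusted srcFile/dstFile names to a base directory, then reads only the leading bytes of the source and compares them with a small constructed allow-list of file signatures before copying the bytes through unchanged. The class name, the helper names (`confine`, `headerMatches`, `copyValidated`), the `MAGIC` table and the sample files written in `main` are all assumptions made for the example. A signature check is the minimum content validation for a binary file and is not the deeper PDF inspection that the ModSecurity research linked below describes; for the path side, ESAPI 2.x's `Validator` also offers `getValidDirectoryPath` and `getValidFileName`, which could replace `confine` in an ESAPI-based application.

```java
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example (not from the thread or from ESAPI): path confinement plus a header check before an exact copy. */
public class ValidatedBinaryCopy {

    // Constructed allow-list: declared type -> the leading bytes ("magic number") that type must start with.
    private static final Map<String, byte[]> MAGIC = new LinkedHashMap<>();
    static {
        MAGIC.put("pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));
        MAGIC.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        MAGIC.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
    }

    /** Path-side check (Jeff's first case): resolve an untrusted name inside baseDir and reject anything that escapes. */
    static Path confine(Path baseDir, String untrustedName, boolean mustExist) throws IOException {
        Path base = baseDir.toRealPath();
        Path resolved = base.resolve(untrustedName).normalize();
        if (!resolved.startsWith(base)) {
            throw new IOException("path escapes base directory: " + untrustedName);
        }
        if (mustExist) {
            // toRealPath follows symlinks, so a link inside base that points outside is caught as well
            resolved = resolved.toRealPath();
            if (!resolved.startsWith(base)) {
                throw new IOException("path resolves outside base directory: " + untrustedName);
            }
        }
        return resolved;
    }

    /** Content-side check (Jeff's second case): the first bytes must match the declared type's magic number. */
    static boolean headerMatches(InputStream in, String declaredType) throws IOException {
        byte[] expected = MAGIC.get(declaredType.toLowerCase());
        if (expected == null) {
            return false; // type is not on the allow-list
        }
        byte[] actual = new byte[expected.length];
        int total = 0;
        while (total < actual.length) {
            int n = in.read(actual, total, actual.length - total);
            if (n < 0) {
                break; // file is shorter than the magic number
            }
            total += n;
        }
        return total == expected.length && Arrays.equals(actual, expected);
    }

    /** Copies src to dst byte for byte, but only after both paths and the leading bytes pass validation. */
    static long copyValidated(Path baseDir, String srcName, String dstName, String declaredType, long maxBytes)
            throws IOException {
        Path src = confine(baseDir, srcName, true);
        Path dst = confine(baseDir, dstName, false);
        if (Files.size(src) > maxBytes) {
            throw new IOException("file exceeds " + maxBytes + " bytes");
        }
        try (BufferedInputStream in = new BufferedInputStream(Files.newInputStream(src));
             OutputStream out = Files.newOutputStream(dst)) {
            in.mark(64); // remember the start so the header bytes are copied too
            if (!headerMatches(in, declaredType)) {
                throw new IOException("content does not start like a ." + declaredType + " file");
            }
            in.reset();
            byte[] buf = new byte[8192];
            long copied = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
                copied += n;
            }
            return copied; // bytes written: an exact copy, no encoding applied
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("validated-copy-demo");
        // Constructed sample inputs: a file that starts like a PDF and one that only claims to be a PDF.
        Files.write(base.resolve("ok.pdf"), "%PDF-1.4\n%%EOF\n".getBytes(StandardCharsets.US_ASCII));
        Files.write(base.resolve("fake.pdf"), "<html>not a pdf</html>".getBytes(StandardCharsets.US_ASCII));
        System.out.println("copied " + copyValidated(base, "ok.pdf", "ok-copy.pdf", "pdf", 1 << 20) + " bytes");
        for (String bad : new String[] {"fake.pdf", "../outside.pdf"}) {
            try {
                copyValidated(base, bad, "copy.pdf", "pdf", 1 << 20);
            } catch (IOException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Run with `javac ValidatedBinaryCopy.java && java ValidatedBinaryCopy`: the first copy succeeds, the HTML file named `.pdf` is rejected on its header, and the name containing `..` is rejected before any file is opened. The size limit and the header check are the parts a static analyzer such as AppScan can recognize as validation of the data flowing into the output stream; the copy loop itself stays an unmodified byte transfer, which is what the original question needs.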

 

 

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, July 13, 2011 6:59 PM
To: Hafiz, Abdul - Kansas City, MO
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] how to validate binary data - example copy pdf
or image file

 

ESAPI does not do file upload binary analysis. This is a brutally
complex topic that is file-contextual.

 

For PDF validation, this is, by far, the best research to date.

 

http://blog.modsecurity.org/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html

- Jim Manico


On Jul 13, 2011, at 3:34 PM, "Hafiz, Abdul - Kansas City, MO"
<abdul.hafiz at kcc.usda.gov> wrote:

	In the example below, I am copying a PDF file. AppScan Source
reports the vulnerability Validation.EncodingRequired. I cannot encode in
this case because I want an exact copy of srcFile. The only option I may
have is to validate before writing it to the outputStream. How do I perform
validation on binary data using ESAPI?

	 

	        // Imports needed: java.io.BufferedInputStream, java.io.FileInputStream,
	        // java.io.FileOutputStream, java.io.IOException, java.io.InputStream,
	        // java.io.OutputStream
	        try (InputStream oInStream = new FileInputStream(srcFile);
	             OutputStream oOutStream = new FileOutputStream(destFile)) {
	            // Transfer bytes from in to out; try-with-resources closes both
	            // streams even when read() or write() throws
	            byte[] oBytes = new byte[1024];
	            int nLength;
	            BufferedInputStream oBuffInputStream = new BufferedInputStream(oInStream);
	            while ((nLength = oBuffInputStream.read(oBytes)) > 0) {
	                oOutStream.write(oBytes, 0, nLength);
	            }
	        } catch (IOException e) {
	            throw new CopyException("IOException copying file", e);
	        }

	 

	Thanks,
	Abdul

	 

	 

	 

	_______________________________________________
	Esapi-user mailing list
	Esapi-user at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/esapi-user
