[Esapi-user] how to validate binary data - example copy pdf or image file

Jim Manico jim.manico at owasp.org
Fri Jul 15 01:18:55 EDT 2011


Fair analysis, Jeff. Definitely a very inaccurate finding from AppScan.

However, careful about what you consider to be a trusted source. I don't
think there really is such a thing.

Depending on the app and the architecture, I think outbound validation and
virus protection is often a good thing.

- Jim Manico

On Jul 13, 2011, at 4:16 PM, Jeff Williams <jeff.williams at aspectsecurity.com>
wrote:

If untrusted data is used to specify srcFile or dstFile, then AppScan has
correctly identified a potential problem. However, they miscategorized it,
since this is not an interpreter problem that needs encoding.  Rather, they
should be worried about disclosing the srcFile data or damaging the dstFile
data.



On the other hand, if both srcFile and dstFile are trusted, they may be
assuming that the content of srcFile is dangerous and shouldn’t be copied to
dstFile.  If the content of srcFile comes from an untrusted source, then
that’s also a good finding even if they misclassified that one too.



If the srcFile and dstFile are trusted, and the content of srcFile comes
from the local disk and is being written back to the local disk, then I
don’t see the risk.  In this case, the finding is a false alarm.



--Jeff





From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, July 13, 2011 6:59 PM
To: Hafiz, Abdul - Kansas City, MO
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] how to validate binary data - example copy pdf or image file



ESAPI does not do file upload binary analysis. This is a brutally complex
topic that is file-contextual.



For PDF validation, this is, by far, the best research to date.



http://blog.modsecurity.org/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html

- Jim Manico


On Jul 13, 2011, at 3:34 PM, "Hafiz, Abdul - Kansas City, MO" <
abdul.hafiz at kcc.usda.gov> wrote:

In the example below, I am copying a PDF file. AppScan Source reports the
vulnerability Validation.EncodingRequired. I cannot encode in this case
because I want an exact copy of srcFile. The only option I may have is to
validate before writing it to the outputStream. How do I perform validation
on binary data using ESAPI?



        InputStream oInStream = null;
        OutputStream oOutStream = null;
        try {
            oInStream = new FileInputStream(srcFile);
            oOutStream = new FileOutputStream(destFile);

            // Transfer bytes from in to out, 1 KB at a time
            byte[] oBytes = new byte[1024];
            int nLength;
            BufferedInputStream oBuffInputStream = new BufferedInputStream(oInStream);
            while ((nLength = oBuffInputStream.read(oBytes)) > 0)
            {
                oOutStream.write(oBytes, 0, nLength);
            }
        } catch (IOException e) {
            throw new CopyException("IOException copying file", e);
        } finally {
            // Close both streams even if the copy fails part-way through
            if (oInStream != null) { try { oInStream.close(); } catch (IOException ignored) {} }
            if (oOutStream != null) { try { oOutStream.close(); } catch (IOException ignored) {} }
        }



Thanks,
Abdul







_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
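As an added example that is not from the thread and not part of ESAPI (which, as Jim says, does no binary analysis), the following plain Java 6 class shows one way to handle both points raised above: it confines srcFile and dstFile to a base directory by canonical path, which addresses Jeff's concern about untrusted path inputs, and it checks the leading bytes of the source against a small table of expected file signatures before doing the byte-for-byte copy, which is the "validate before writing it to the outputStream" step Abdul asks about. The class name SafeBinaryCopy, the methods confine, detectType and copyValidated, the ALLOWED_SIGNATURES map and the sample files written by main are all my own constructions.

```java
// Added example, not from the thread and not part of ESAPI: copy a binary file
// only after confining both paths to a base directory and checking that the
// content's leading bytes match the expected type. All names are my own.
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class SafeBinaryCopy {

    // Leading bytes ("magic numbers") of the binary types this copier accepts.
    private static final Map<String, byte[]> ALLOWED_SIGNATURES = new LinkedHashMap<String, byte[]>();
    static {
        ALLOWED_SIGNATURES.put("pdf", new byte[] {'%', 'P', 'D', 'F', '-'});
        ALLOWED_SIGNATURES.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        ALLOWED_SIGNATURES.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        ALLOWED_SIGNATURES.put("gif", new byte[] {'G', 'I', 'F', '8'});
    }

    /** Resolves name under baseDir and rejects any result whose canonical path leaves it. */
    static File confine(File baseDir, String name) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        File candidate = new File(baseDir, name);
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes base directory: " + name);
        }
        return candidate;
    }

    /** Returns the key whose signature matches the first headLen bytes of head, or null. */
    static String detectType(byte[] head, int headLen) {
        for (Map.Entry<String, byte[]> e : ALLOWED_SIGNATURES.entrySet()) {
            byte[] sig = e.getValue();
            if (headLen >= sig.length && Arrays.equals(sig, Arrays.copyOf(head, sig.length))) {
                return e.getKey();
            }
        }
        return null;
    }

    /** Copies src to dst byte-for-byte, but only if the content really starts like expectedType. */
    static void copyValidated(File baseDir, String srcName, String dstName, String expectedType)
            throws IOException {
        File srcFile = confine(baseDir, srcName);
        File dstFile = confine(baseDir, dstName);
        BufferedInputStream in = null;
        OutputStream out = null;
        try {
            in = new BufferedInputStream(new FileInputStream(srcFile));
            byte[] head = new byte[16];
            in.mark(head.length);
            int headLen = in.read(head);
            in.reset(); // rewind so the bytes we checked are exactly the bytes we copy
            String type = detectType(head, Math.max(headLen, 0));
            if (!expectedType.equals(type)) {
                throw new IOException("content is not " + expectedType + ": " + srcName);
            }
            out = new FileOutputStream(dstFile);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            if (in != null) in.close();
            if (out != null) out.close();
        }
    }

    // Demo on constructed files in a temp directory: a file with a real PDF header,
    // a file that merely has a .pdf name, and a path that tries to leave the base.
    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "safecopy-demo");
        base.mkdirs();
        write(new File(base, "report.pdf"), "%PDF-1.4\n% constructed sample, not a real document\n");
        write(new File(base, "notreally.pdf"), "<html>this is not a PDF</html>\n");

        copyValidated(base, "report.pdf", "report-copy.pdf", "pdf");
        System.out.println("copied report.pdf (signature matched)");
        expectRejection(base, "notreally.pdf", "x.pdf", "pdf");
        expectRejection(base, "../outside.pdf", "y.pdf", "pdf");
    }

    private static void expectRejection(File base, String src, String dst, String type) {
        try {
            copyValidated(base, src, dst, type);
            System.out.println("UNEXPECTED: " + src + " was copied");
        } catch (IOException e) {
            System.out.println("rejected " + src + ": " + e.getMessage());
        }
    }

    private static void write(File f, String text) throws IOException {
        OutputStream o = new FileOutputStream(f);
        try { o.write(text.getBytes("US-ASCII")); } finally { o.close(); }
    }
}
```

The caller passes expectedType from what the application expects at that point (for example, derived from an allow-listed extension), so a file that is renamed to .pdf but starts with something else is refused before a single byte is written. The signature check only confirms the container type; a file with a valid PDF header can still carry malicious content, which is why this belongs alongside the virus scanning Jim recommends and the deeper PDF analysis in the ModSecurity post he links, not in place of them.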