[OWASP-ESAPI] public boolean isValidFileContent(byte[] content)

Adam Boulton adamboulton at gmail.com
Tue Feb 5 14:33:13 EST 2008


Hi guys,

OK, I think I understand what you are doing with the ValidatedFile object, I
understand that it appears to be a wrapper for getting access and details to
a physical file which has passed the required checks, otherwise it is not
possible to instantiate a ValidateFile if the content and filename do not
match e.g byte content matches that of an windows executable but has a .doc
filename.

*>The FileValidationException class would have added methods like:*

*>getFailedMimeType() : String*

I don't agree that the FileValidationException class should have methods
such as the one listed above. It should just be left as a basic exception
and follow the rules of exceptions i.e basic constructor used to take the
error message.
*>Might I suggest that we do the file type introspection based on the
content itself and not >depend on the file extension?
*
Of course and I would also strongly recommend this. We don't need anything
special, it is actually pretty easy to do the content based checks.

>*The ValidatedFile class would have methods like:*

*>getContent() : byte[]*

*>getFilename() : String*

*>getValidatedMimeType() : String*
Yes, I like the approach here. Making this an abstract class would be a
sensible approach for the moment. To expand on your ideas here Dan I think a
good approach would be to have individual concrete classes to deal with
certain file types. For example, I think it is worth considering individual
concrete objects such as PDFfile, DOCfile, EXEfile, XLSfile etc all of which
would extend from ValidatedFile and thereby making this system extensible
and also giving us the advantage of not tying this solely into web
applications.


On Jan 25, 2008 12:11 PM, Dan Cornell <dan at denimgroup.com> wrote:

>
> As another note, what happens if the attacker changes the file extension?
> Might I suggest that we do the file type introspection based on the content
> itself and not depend on the file extension? A lot more difficult, I'm sure,
> and to do this effectively I've had to break out of Java and use projects
> like ImageMagick to do it effectively in a high load environment.
>
> One approach might be:
>
>
>
> public ValidatedFile getValidatedFile(String mimeType, byte[] content,
> String filename)
>
> throws FileValidationException
>
>
>
> With an overload of this method as:
>
>
>
> Public ValidatedFile getValidatedFile(String mimeType, byte[] content)
>
> Throws FileValidationException
>
>
>
> Using the mime type would allow for a Factory style implementation of
> which file validation class would be selected.  You could also stuff a bunch
> of "public static final String" mime types as constants in the ValidatedFile
> class for common content types.
>
>
>
> That would be in cases if you didn't care about the filename and just
> wanted to get a yes/no as to whether or not a binary blob matched a given
> filetype.  Really, what you are typically trying to determine with the file
> validation as a whole is "Is this bunch of data valid content of X type?"
>
>
>
> The ValidatedFile class would have methods like:
>
> getContent() : byte[]
>
> getFilename() : String
>
> getValidatedMimeType() : String
>
>
>
> The FileValidationException class would have added methods like:
>
> getFailedMimeType() : String
>
>
>
> and perhaps a chain of reasons why it failed (that may be too complicated
> – most validation routines would just find the first thing wrong and then
> throw the Exception)
>
>
>
> Thanks,
>
>
>
> Dan
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20080205/0c422edb/attachment.html 


More information about the OWASP-ESAPI mailing list