[OWASP-ESAPI] File Content Validation

Dave Wichers dave.wichers at owasp.org
Fri May 15 23:22:33 EDT 2009


It would absolutely be very interesting and a valuable contribution to
ESAPI. We tried to make it clear in the ESAPI API documentation what these
method needs to do to be a good implementation, and then in the javadoc for
our reference implementation we explain what ours does, which isn't that
much, and what YOUR IMPLEMENTATION still needs to do (including antivirus
scanning).

 

So, of you wanted to implement some more powerful capabilities that we could
hook into ESAPI, that would be a great contribution.

 

The same idea goes for SafeHTML. ESAPI could have built some primitive
capabilities but lucky for us, AntiSamy already existed, so we simply
adopted that as the ESAPI solution which provides far more capability than
we would have implemented ourselves.

 

-Dave

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeremy Long
Sent: Friday, May 15, 2009 8:10 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] File Content Validation

 

I noticed the org.owasp.esapi.SafeFile class within the ESAPI and I started
considering a very difficult security problem - validation of the contents
of standard file types.  If you allow file uploads - forget about viruses -
that can be done by hooking into a virus scanning API from one of the big
companies. How do you know the content of the file is safe (think GIFAR).  I
was told some of the social networks that allow image file upload (and I'm
pretty sure blogspot.com does this) actually load the file into an Image
Object and save the image from the image object (not the originally uploaded
file).  So, loading of images could be fairly easily implemented.  But what
about other common file types?  PDF, XLS, etc.

 

Anyone have any ideas on validating the content of files?  Would some base
file-content validators be an interesting addition to the ESAPI (with images
being the easiest one)?

 

--Jeremy Long

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090515/f33eb069/attachment.html 


More information about the OWASP-ESAPI mailing list