[OWASP-ESAPI] File Content Validation

Jim Manico jim.manico at owasp.org
Sat May 16 19:53:54 EDT 2009


My position for safe upload is that you go all the way and do it right
or disable the feature. For ESAPI to give a partial solution in the
ref impl is dangerous, in my highly opinionated opinion, cause of how
vulnerable it is.

I'd like to see safe upload throw a runtimeException that points to
an OWASP doc explaining how to do this right - which is very complex.

Again, just my opinion. File upload is brutal - one of the difficult  
parts of web app sec.

PS: I'm on the beach writing from my iPhone. I didn't realize my last  
email was blasting the whole list, sorry.

Jim Manico

On May 15, 2009, at 5:22 PM, "Dave Wichers" <dave.wichers at owasp.org>  
wrote:

> It would absolutely be very interesting and a valuable contribution
> to ESAPI. We tried to make it clear in the ESAPI API documentation
> what these methods need to do to be a good implementation, and then
> in the javadoc for our reference implementation we explain what ours
> does, which isn't that much, and what YOUR IMPLEMENTATION still needs
> to do (including antivirus scanning).
>
>
>
> So, if you wanted to implement some more powerful capabilities that
> we could hook into ESAPI, that would be a great contribution.
>
>
>
> The same idea goes for SafeHTML. ESAPI could have built some  
> primitive capabilities but lucky for us, AntiSamy already existed,  
> so we simply adopted that as the ESAPI solution which provides far  
> more capability than we would have implemented ourselves.
>
>
>
> -Dave
>
>
>
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org]
> On Behalf Of Jeremy Long
> Sent: Friday, May 15, 2009 8:10 PM
> To: owasp-esapi at lists.owasp.org
> Subject: [OWASP-ESAPI] File Content Validation
>
>
>
> I noticed the org.owasp.esapi.SafeFile class within the ESAPI and I  
> started considering a very difficult security problem - validation  
> of the contents of standard file types.  If you allow file uploads -  
> forget about viruses - that can be done by hooking into a virus  
> scanning API from one of the big companies. How do you know the  
> content of the file is safe (think GIFAR).  I was told some of the  
> social networks that allow image file upload (and I'm pretty sure  
> blogspot.com does this) actually load the file into an Image Object  
> and save the image from the image object (not the originally  
> uploaded file).  So, loading of images could be fairly easily  
> implemented.  But what about other common file types?  PDF, XLS, etc.
>
>
>
> Anyone have any ideas on validating the content of files?  Would  
> some base file-content validators be an interesting addition to the  
> ESAPI (with images being the easiest one)?
>
>
>
> --Jeremy Long
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
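
The image approach described in the quoted question (decode the upload into an image object and store only a fresh encoding of it) can be sketched as below. This is an added example, not part of the thread and not ESAPI code; the class name ImageReencoder, the format allowlist and the MAX_SIDE limit are assumptions.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.Set;

public class ImageReencoder {                       // hypothetical name, not an ESAPI class
    private static final Set<String> ALLOWED = Set.of("gif", "png", "jpeg"); // assumed allowlist
    private static final int MAX_SIDE = 4096;       // assumed dimension limit

    /** Decodes the upload and returns a newly encoded copy; the uploaded bytes are never stored. */
    static byte[] reencode(byte[] upload) throws IOException {
        try (ImageInputStream in = ImageIO.createImageInputStream(new ByteArrayInputStream(upload))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(in);
            if (!readers.hasNext()) throw new IOException("not a decodable image");
            ImageReader reader = readers.next();
            try {
                // The format comes from the decoder, not from the file name or Content-Type.
                String format = reader.getFormatName().toLowerCase();
                if (!ALLOWED.contains(format)) throw new IOException("format not allowed: " + format);
                reader.setInput(in, true, true);
                // Check the declared dimensions before decoding any pixel data.
                if (reader.getWidth(0) > MAX_SIDE || reader.getHeight(0) > MAX_SIDE)
                    throw new IOException("image too large");
                BufferedImage pixels = reader.read(0);
                // Only the decoded pixels are written out; bytes outside the image stream are dropped.
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                if (!ImageIO.write(pixels, format, out)) throw new IOException("no encoder for " + format);
                return out.toByteArray();
            } finally {
                reader.dispose();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a valid 8x8 GIF with unrelated bytes appended after the image data.
        ByteArrayOutputStream sample = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(8, 8, BufferedImage.TYPE_INT_RGB), "gif", sample);
        sample.write("CONSTRUCTED-TRAILER".getBytes(StandardCharsets.ISO_8859_1));
        byte[] clean = reencode(sample.toByteArray());
        String asText = new String(clean, StandardCharsets.ISO_8859_1);
        System.out.println("trailer survived: " + asText.contains("CONSTRUCTED-TRAILER"));
    }
}
```

This covers only the image case raised in the thread; it does not address PDF, XLS or the other file types asked about.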