[OWASP-ESAPI] File Content Validation

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Sat May 16 20:56:16 EDT 2009


File content validation is an intractable problem most of the time.  
Virus signatures are easily bypassable and most file formats can have  
dangerous content by design.

This is not to mention that every file format is different and the  
majority of the time malicious intentions can be expressed in many ways.

My vote is not to attempt to "solve" this problem. Businesses may be  
able to implement a version of this API that validates batch records  
or something, but the spec should denote the limited scope.

Arshan

On May 16, 2009, at 7:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

> My position for safe upload is that you go all the way and do it  
> right or disable the feature. For ESAPI to give a partial solution  
> in the ref impl is dangerous, in my highly opinionated opinion,  
> cause of how vulnerable it is.
>
> I'd like to see safe upload throw a runtimeException that points  
> to an OWASP doc explaining how to do this right - which is very  
> complex.
>
> Again, just my opinion. File upload is brutal - one of the difficult  
> parts of web app sec.
>
> PS: I'm on the beach writing from my iPhone. I didn't realize my  
> last email was blasting the whole list, sorry.
>
> Jim Manico
>
> On May 15, 2009, at 5:22 PM, "Dave Wichers" <dave.wichers at owasp.org>  
> wrote:
>
>> It would absolutely be very interesting and a valuable contribution  
>> to ESAPI. We tried to make it clear in the ESAPI API documentation  
>> what these methods need to do to be a good implementation, and then  
>> in the javadoc for our reference implementation we explain what  
>> ours does, which isn’t that much, and what YOUR IMPLEMENTATION  
>> still needs to do (including antivirus scanning).
>>
>>
>>
>> So, if you wanted to implement some more powerful capabilities that  
>> we could hook into ESAPI, that would be a great contribution.
>>
>>
>>
>> The same idea goes for SafeHTML. ESAPI could have built some  
>> primitive capabilities but lucky for us, AntiSamy already existed,  
>> so we simply adopted that as the ESAPI solution which provides far  
>> more capability than we would have implemented ourselves.
>>
>>
>>
>> -Dave
>>
>>
>>
>> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeremy Long
>> Sent: Friday, May 15, 2009 8:10 PM
>> To: owasp-esapi at lists.owasp.org
>> Subject: [OWASP-ESAPI] File Content Validation
>>
>>
>>
>> I noticed the org.owasp.esapi.SafeFile class within the ESAPI and I  
>> started considering a very difficult security problem - validation  
>> of the contents of standard file types.  If you allow file uploads  
>> - forget about viruses - that can be done by hooking into a virus  
>> scanning API from one of the big companies. How do you know the  
>> content of the file is safe (think GIFAR)?  I was told some of the  
>> social networks that allow image file upload (and I'm pretty sure  
>> blogspot.com does this) actually load the file into an Image Object  
>> and save the image from the image object (not the originally  
>> uploaded file).  So, loading of images could be fairly easily  
>> implemented.  But what about other common file types?  PDF, XLS, etc.
>>
>>
>>
>> Anyone have any ideas on validating the content of files?  Would  
>> some base file-content validators be an interesting addition to the  
>> ESAPI (with images being the easiest one)?
>>
>>
>>
>> --Jeremy Long
>>
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
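
The image case Jeremy Long describes (decode the upload into an image object, then store a re-encoded copy rather than the uploaded bytes), as an added Java example that is not part of the thread and not ESAPI code. The class name, the size limits and the sample bytes are assumptions constructed for illustration, and it covers images only, not the PDF or XLS cases raised above.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
public class ImageReencodeExample {
    static final int MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // hypothetical limits for this example
    static final int MAX_DIMENSION = 4096;
    /** Decodes the upload to pixels and returns a newly encoded PNG; the uploaded bytes are never stored. */
    static byte[] reencodeAsPng(byte[] upload) throws IOException {
        if (upload == null || upload.length == 0 || upload.length > MAX_UPLOAD_BYTES) throw new IOException("upload empty or too large");
        try (ImageInputStream in = ImageIO.createImageInputStream(new ByteArrayInputStream(upload))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(in);
            if (!readers.hasNext()) throw new IOException("not a recognised image format");
            ImageReader reader = readers.next();
            try {
                reader.setInput(in);
                int w = reader.getWidth(0), h = reader.getHeight(0); // taken from the header, before decoding pixels
                if (w > MAX_DIMENSION || h > MAX_DIMENSION) throw new IOException("image dimensions too large");
                BufferedImage decoded = reader.read(0);
                // Draw onto a fresh raster so only pixel data carries over (no metadata, no trailing bytes).
                BufferedImage clean = new BufferedImage(w, h, BufferedImage.TYPE_INT_ARGB);
                Graphics2D g = clean.createGraphics();
                g.drawImage(decoded, 0, 0, null);
                g.dispose();
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                if (!ImageIO.write(clean, "png", out)) throw new IOException("no PNG writer available");
                return out.toByteArray();
            } finally {
                reader.dispose();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a valid 8x8 PNG followed by bytes that are not part of the image.
        ByteArrayOutputStream sample = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(8, 8, BufferedImage.TYPE_INT_RGB), "png", sample);
        String trailer = "CONSTRUCTED-TRAILING-DATA";
        sample.write(trailer.getBytes(StandardCharsets.ISO_8859_1));
        byte[] stored = reencodeAsPng(sample.toByteArray());
        boolean kept = new String(stored, StandardCharsets.ISO_8859_1).contains(trailer);
        System.out.println("trailing data survives re-encode: " + kept);
        try { reencodeAsPng("plain text, not an image".getBytes(StandardCharsets.ISO_8859_1)); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```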