From rgie...@apache.org
Subject svn commit: r1500082 - in /struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src: main/java/org/apache/struts2/showcase/filedownload/ test/java/org/apache/struts2/showcase/filedownload/
Date Fri, 05 Jul 2013 17:44:09 GMT
Author: rgielen
Date: Fri Jul  5 17:44:09 2013
New Revision: 1500082

URL: http://svn.apache.org/r1500082
Log:
WW-4136 - Demonstrate proper input sanitizing for file download showcase example
- added demo code to prevent input paths containing "WEB-INF"

Added:
    struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/
    struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
Modified:
    struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java

Modified: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java?rev=1500082&r1=1500081&r2=1500082&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
(original)
+++ struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
Fri Jul  5 17:44:09 2013
@@ -39,7 +39,23 @@ public class FileDownloadAction implemen
 	}
 
 	public void setInputPath(String value) {
-		inputPath = value;
+		inputPath = sanitizeInputPath(value);
+	}
+
+	/**
+	 * As the user modifiable parameter inputPath will be used to access server side resources,
we want the path to be
+	 * sanitized - in this case it is demonstrated to disallow inputPath parameter values containing
"WEB-INF". Consider to
+	 * use even stricter rules in production environments.
+	 *
+	 * @param value the raw parameter input value to sanitize
+	 *
+	 * @return the sanitized value; <tt>null</tt> if value contains an invalid path
segment like WEB-INF
+	 */
+	String sanitizeInputPath( String value ) {
+		if (value != null && value.toUpperCase().contains("WEB-INF")) {
+			return null;
+		}
+		return value;
 	}
 
 	public InputStream getInputStream() throws Exception {
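Review bot: The check in sanitizeInputPath calls `value.toUpperCase()` without a locale, so the comparison against "WEB-INF" depends on the JVM's default locale; under some locales (Turkish, for example) the lowercase `i` does not uppercase to `I`, and a lowercase spelling of the segment would pass the filter. Use the locale-neutral form, `if (value != null && value.toUpperCase(Locale.ROOT).contains("WEB-INF")) {`, which needs a `java.util.Locale` import outside this hunk. Beyond that, the method is a substring denylist, which matches the Javadoc's own caveat; the stronger control for a showcase meant to "demonstrate proper input sanitizing" is to resolve the value against the permitted base directory, normalize it, and require the result to remain under that base, rejecting anything else. The caller getInputStream starts at the last line of the hunk and continues outside it, so what a `null` inputPath does there cannot be confirmed here; the Javadoc should say whether null means "refused" or "no file".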

Added: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java?rev=1500082&view=auto
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
(added)
+++ struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
Fri Jul  5 17:44:09 2013
@@ -0,0 +1,42 @@
+package org.apache.struts2.showcase.filedownload;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+public class FileDownloadActionTest {
+
+	private FileDownloadAction fileDownloadAction;
+
+	@Before
+	public void setUp() {
+	    this.fileDownloadAction = new FileDownloadAction();
+	}
+
+	@Test
+	public void testSanitizeInputPathShouldAllowSimpleParameter() throws Exception {
+		assertEquals("foo", fileDownloadAction.sanitizeInputPath("foo"));
+	}
+
+	@Test
+	public void testSanitizeInputPathShouldReturnNullForNullInput() throws Exception {
+		assertNull(fileDownloadAction.sanitizeInputPath(null));
+	}
+
+	@Test
+	public void testSanitizeInputPathShouldReturnNullForLeadingWebInf() throws Exception {
+		assertNull(fileDownloadAction.sanitizeInputPath("WEB-INF/foo"));
+	}
+
+	@Test
+	public void testSanitizeInputPathShouldReturnNullForNonLeadingWebInf() throws Exception
{
+		assertNull(fileDownloadAction.sanitizeInputPath("./WEB-INF/foo"));
+	}
+
+	@Test
+	public void testSanitizeInputPathShouldReturnNullForNonUppercaseWebInf() throws Exception
{
+		assertNull(fileDownloadAction.sanitizeInputPath("./wEB-Inf/foo"));
+	}
+}
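Review bot: The new test class mixes JUnit 4 annotations (`org.junit.Before`, `org.junit.Test`) with the JUnit 3 `junit.framework.Assert` static imports on lines 73–74; in JUnit 4 those should come from `org.junit.Assert` (`import static org.junit.Assert.assertEquals;` and `import static org.junit.Assert.assertNull;`), since `junit.framework.Assert` is the legacy class kept only for compatibility. The tests only pin the cases the filter rejects; a test that documents what it deliberately allows (for example `assertEquals("foo/bar.txt", fileDownloadAction.sanitizeInputPath("foo/bar.txt"));`) would make the intended scope of the sanitizer explicit for readers of the showcase. The `throws Exception` clauses on tests that call a method declaring no checked exceptions can be dropped, and setUp is indented with spaces while the rest of the file uses tabs.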


