EMPT-41: Prevent upload of executable and script files.

[jnsereko]

Basing on the discussion we had at https://talk.openmrs.org/t/attachment-functionality-of-openmrs-reference-application-is-vulnerable/33208/7.

this functionality is to prevent upload of an executable or a script in order to prevent vulnerabilities in this module.
I haven't created any ticket for this feature. That is the reason why i haven't attached its link here.

cc @isears @HerbertYiga @sherrif10

[jnsereko]

Unfortunately i haven't been able to get the correct MIME type for all executables.
i think that i could use application/octet-stream according to https://www.lifewire.com/file-extensions-and-mime-types-3469109 but i think it isn't right basing on the iana media types

[mks-d]

@jnsereko maybe take it the other way around. Think of a couple of obviously insecure file types (.js, .exe, .sh, .sql, ... etc) and see what the MIME types are for those guys, and start building an exclusion list that way.
You could probably start with:

• application/octet-stream
• text/javascript (and its cousins, see here).

@isears @ibacher?

[isears]

Yes, just denying the upload of aplication/octet-stream and text/javascript would be a big improvement over what we have now (which is no filtering).

Building that initial functionality is the difficult part. Once we have it for one or two mime-types we can always extend it to include others if we need to.

[jnsereko]

Unfortunately i haven't been able to get the correct MIME type for all scripts.

[HerbertYiga]

why not simply check the type you wana exclude here and return the appropriate message

openmrs-module-attachments/omod-1.10/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource1_10.java

Line 100 in bd8f77b

public Object upload(MultipartFile file, RequestContext context) throws ResponseException, IOException {

[mks-d]

@jnsereko you basically treat everything as executables in this PR, there is no reason to distinguish scripts from executables.

[jnsereko]

oohh.. great suggestion @mks-d. Thanks

[mks-d]

@jnsereko maybe take it the other way around. Think of a couple of obviously insecure file types (.js, .exe, .sh, .sql, ... etc) and see what the MIME types are for those guys, and start building an exclusion list that way.
You could probably start with:

• application/octet-stream
• text/javascript (and its cousins, see here).

@isears @ibacher?

[sherrif10]

Thanks @jnsereko for the awesome work, Since this ticket is worth doing, i think its ok to create a ticket in jira for it and update it here with the ticket id, Also the branch name should reflect ATTACHMENT tag cc @isears @mks-d

[mks-d]

Please add some tests as well.

[mks-d]

public static final List<String> EXECUTABLE_MIME_TYPES = Arrays.asList("application/octet-stream", "type/javascript");

(TYPES, plural)

[mks-d]

if (EXECUTABLE_MIME_TYPES.contains(mimeType)) {
  contentFamily = ContentFamily.EXECUTABLE;
}

[jnsereko]

I have implemented suggestions and added tests. Thanks

cc @mks-d @isears @sherrif10

[jnsereko]

Thanks @mks-d @isears @sherrif10 @HerbertYiga for reviewing this. I have added mime types for .py files, .jar files, .php files, .sh files, .exe files, .sql files, and visual basic files

[mks-d]

@isears @ibacher, does it look like a decent shortlist of bad guys?

[isears]

It seems like mimetypes can get pretty crazy, but maybe we should add in application/x-ms-installer and application/x-elf as well @jnsereko

[ibacher]

I'd probably drop application/sql from the list. Also, a few additions:

• application/x-applescript
• application/x-ruby
• application/x-perl
• application/wasm

That should cover many of the more common scripting languages (I can't find any even semi-standard MIME Types for batch and ps1 files).

[jnsereko]

Hello @ibacher i have removed the application/sql mime type added added more as you suggested. I guess this catch is good for the start.
@mks-d @isears @sherrif10 @dkayiwa

[mks-d]

There's a typo here by maybe rename this to postAttachment_shouldThrowOnExecutableFile.

[jnsereko]

hey @mks-d I have changed the test method name..