
added filename checks

1 parent a7a7b56 commit f9ed76697f1398d4bb8a3dad4fced65dfdbcf3ff @washu washu committed Mar 21, 2011
Showing with 61 additions and 3 deletions.
  1. +53 −1 lib/validator.rb
  2. +8 −2 spec/owasp_esapi_validator_spec.rb
@@ -162,7 +162,59 @@ def self.valid_directory(context, input, parent, allow_nil, error_list = nil)
return ""
end
- # Filename
+ # Calls valid_file_name and returns true if no exceptions are thrown.
+ def self.valid_file_name?(context, input, allowed_extensions, allow_nil)
+ begin
+ valid_file_name(context,input,allowed_extensions,allow_nil)
+ return true
+ rescue Exception => e
+ puts e
+ return false
+ end
+ end
+
+ # Returns a canonicalized and validated file name as a String. Implementors should check for allowed file extensions here, as well as allowed file name characters, as declared in "ESAPI.properties". Invalid input
+ # will generate a descriptive ValidationException, and input that is clearly an attack
+ # will generate a descriptive IntrusionException.
+ # if the error_list is given, exceptions will be added to the list instead of being thrown
+ def self.valid_file_name(context, input, allowed_extensions, allow_nil, error_list = nil)
+
+ # detect path manipulation
+ begin
+ # check extenion list
+ if allowed_extensions.nil? or allowed_extensions.empty?
+ raise ValidationException.new("Internal Error", "getValidFileName called with an empty or null list of allowed Extensions, therefore no files can be uploaded", context);
+ end
+ # Check for nil
+ if input.nil?
+ if allow_nil
+ return nil
+ end
+ user = "#{context}: Input file name required"
+ log = "Input file name required: context=#{context}, input=#{input}"
+ raise ValidationException.new(user,log,context)
+ end
+ filename = File.expand_path(input)
+ dirname = File.dirname(filename)
+ base_name = File.basename(filename)
+ clean_name = valid_string(context,base_name,"FileName",255,false)
+ raise ValidationException.new( "#{context} : Invalid file name", "Invalid directory name does not match the canonical path: context=#{context}, input=#{input}",context) unless filename.index(dirname)
+ # check extensions
+ allowed_extensions.each do |ext|
+ if File.extname(clean_name).include?(ext)
+ return clean_name
+ end
+ end
+ raise ValidationException.new( "context : Invalid file name does not have valid extension ( #{allowed_extensions})", "Invalid file name does not have valid extension ( #{allowed_extensions} ): context=#{context}, input=#{input}", context )
+ rescue ValidationException => e
+ if error_list.nil?
+ raise e
+ else
+ error_list << e
+ end
+ end
+ end
+
# Integer
# Float
# FileContents
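Review bot: The extension check on the added lines `allowed_extensions.each do |ext| ... File.extname(clean_name).include?(ext)` is a substring test, so an allowed `zip` also accepts names such as `report.zipx` or `report.phpzip`, and it is case-sensitive; compare the whole extension instead, e.g. `ext_ok = allowed_extensions.any? { |e| File.extname(clean_name).downcase == (e.start_with?(".") ? e : ".#{e}").downcase }` followed by `return clean_name if ext_ok`. The guard `unless filename.index(dirname)` can never fail, because `File.dirname` of the `File.expand_path` result is always a prefix of it; if the intent is to reject input that is not already a plain canonical basename, compare `input` with `base_name` instead. In `valid_file_name?`, `rescue Exception => e` with `puts e` swallows every error (including `SystemExit`) and prints the message to stdout; rescue only the documented validation error, `rescue ValidationException => e`, and leave logging to the caller. The user-facing message on the final raise also has a literal `context :` where `#{context} :` was intended.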
@@ -26,7 +26,7 @@ module Esapi
"HTTPURI"=>"^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$",
"HTTPURL"=>"^.*$",
"HTTPJSESSIONID"=>"^[A-Z0-9]{10,30}$",
- "FileName"=>'^[a-zA-Z0-9!@#$%^&{}\[\]()_+\-=,.~\'` ]{1,255}$',
+ "FileName"=>/[a-zA-Z0-9!@#$\%^&{}\[\]()_+\-=,.~\'` ]{1,255}$/,
"DirectoryName"=>'^[a-zA-Z0-9:/\\\\!@#$%^&{}\[\]()_+\-=,.~\'` ]{1,255}$',
"SafeString"=>%w{^[.\\p{Alnum}\\p{Space}]{0,1024}$},
"Email"=>"^[A-Za-z0-9._%\-]+@[A-Za-z0-9.\-]+\\.[a-zA-Z]{2,4}$",
@@ -40,7 +40,13 @@ module Esapi
Owasp::Esapi.security_config.add_pattern(name,expression)
end
end
-
+
+ describe "-FileName Tests-" do
+ it "should check filename.zip as valid with zip as allowed extension" do
+ validator.valid_file_name?("test","filename.zip",%w[zip .zip doc .doc],false).should be_true
+ end
+ end
+
describe "-HTML Tests-" do
{
"Test. <script>alert(document.cookie)</script>" => "Test.",
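Review bot: The new `"FileName"` regex on the `+` line drops the leading `^` anchor that the removed string pattern had, so it only requires the value to end with 1–255 allowed characters and no longer rejects a `/` or any other excluded character earlier in the string; prefix the character class with `\A` and replace the trailing `$` with `\z`, since `^` and `$` match per line in Ruby and would also let a value containing a newline through. It is also the only entry in this hash written as a Regexp literal rather than a String, so it is worth confirming that `add_pattern` handles both forms. The added `-FileName Tests-` block only exercises the accepting path; a second example asserting that a name with a disallowed extension makes `valid_file_name?` return false would pin the rejection branch as well.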
