Unrestricted File Upload with Java

Author: sahildari

.github/workflows/java-ci.yml

@@ -11,6 +11,7 @@ jobs:
     env:
       working-directory-fileupload: "./Path Manipulation/while File Upload/java/fileupload.pathmanipulation"
       working-directory-fileread: "./Path Manipulation/while File Read/java/fileread.pathmanipulation"
+      working-directory-unrestricted-fileupload: "./Unrestriced File Upload/java"
 
     steps:
       - name: Checkout code
@@ -30,10 +31,18 @@ jobs:
         working-directory: ${{ env.working-directory-fileread }}
         run: mvn clean -B package --file pom.xml
 
+      - name: Build with Maven for Unrestricted File Upload
+        working-directory: ${{ working-directory-unrestricted-fileupload }}
+        run: mvn clean -B package --file pom.xml
+
       - name: Run tests for Path Manipulation while File Upload
         working-directory: ${{ env.working-directory-fileupload }}
         run: mvn test
 
+      - name: Run tests for Unrestricted File Upload
+        working-directory: ${{ working-directory-unrestricted-fileupload }}
+        run: mvn test
+
       - name: Run tests for Path Manipulation while File Read
         working-directory: ${{ env.working-directory-fileread }}
         run: mvn test
@@ -44,4 +53,8 @@ jobs:
 
       - name: Clean up for Path Manipulation while File Read
         working-directory: ${{ env.working-directory-fileread }}
+        run: mvn clean
+
+      - name: Clean up for Unrestricted File Upload
+        working-directory: ${{ working-directory-unrestricted-fileupload }}
         run: mvn clean

Path Manipulation/while File Read/java/README.md

@@ -6,7 +6,7 @@ This maven project is to help to mitigate the path manipulation issues. You can
 
 [HomeController](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/HomeController.java) file serves the [index.html](./fileread.pathmanipulation/src/main/resources/templates/index.html) to serve as the Fronted for the File Upload.
 
-[UploadController.java](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java) file contains the logic for the file Upload and the Filename validation, Extension Validation during the File Upload.
+[DownloadController.java](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java) file contains the logic for the file Upload and the Filename validation, Extension Validation during the File Upload.
 
 [resources/templates](./fileread.pathmanipulation/src/main/resources/templates/) Directory contains the index.html.
 
@@ -25,7 +25,7 @@ cd 'Path Manipulation/while File Read/java/fileread.pathmanipulation'
 
 **Windows:**
 ```sh
-mvnw.cmd clean spring-boot:run
+./mvnw.cmd clean spring-boot:run
 ```
 3. Open in Browser:
 ```

Path Manipulation/while File Upload/java/fileupload.pathmanipulation/src/main/java/securecodingexamples/fileupload/pathmanipulation/UploadController.java

@@ -42,12 +42,12 @@ public ResponseEntity<?> uploadFile(@RequestParam("file") MultipartFile file) {
             }
 
             String filename = file.getOriginalFilename();
-            if (filename == null || !isValidName(filename)) {
+            if (filename == null || filename.isEmpty() || !isValidName(filename)) {
                 logger.warning("Invalid Filename");
                 return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid Filename");
             }
 
-            if (filename == null || !isValidExtension(filename)) {
+            if (filename == null || filename.isEmpty() || !isValidExtension(filename)) {
                 logger.warning("Invalid File Extension");
                 return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid Extension");
             }
@@ -67,6 +67,9 @@ public ResponseEntity<?> uploadFile(@RequestParam("file") MultipartFile file) {
         } catch (IOException e) {
             logger.severe("File upload error: " + e.getMessage());
             return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("File upload failed");
+         } catch (Exception e){
+            logger.severe("File upload error: " + e.getMessage());
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("File upload failed");
         }
     }
 

Unrestriced File Upload/README.md

@@ -0,0 +1,44 @@
+# Unrestricted File Upload
+
+__Unrestricted File Upload__, as the name suggests, the file uploads are possible with minimal restrictions or no restrictions at all. When the developers don't put the File Upload Restrictions on the server-side code, the __attackers__ are able to upload __Malicious File__ with __Dangerous Types__, which can in turn result more severe issues. 
+
+## Mitigation
+
+Unrestricted File Upload issues can be mitigated by putting Restrictions on everything possible for the file like __filename, file extensions, Content Type, Magic Numbers__. 
+
+The Unrestricted File Upload logic checks for the following:
+- The Filename Validation, to only contain Alphanumeric values with the help of regex.
+- The extension validation, to only allow files with certain extension.
+- Content Type validation, to only allow the files matching the content type for the allowed extensions with the help of magic numbers.
+- File size validation, to only allows files within the 5MB file size.
+- Same Filename validation, to only allow the unique files to be uploaded and not rewrite the existing file.
+
+You can check the file signatures tables by visiting this [link](https://www.garykessler.net/library/file_sigs.html).
+
+## Directory Structure for Path Manipulation
+```
+Unrestriced File Upload
+├───java
+│   ├───.mvn
+│   │   └───wrapper
+│   └───src
+│       ├───main
+│       │   ├───java
+│       │   │   └───securecodingexamples
+│       │   │       └───unrestricted
+│       │   │           └───fileupload
+│       │   └───resources
+│       │       └───static
+│       └───test
+│           └───java
+│               └───securecodingexamples
+│                   └───fileupload
+│                       └───pathmanipulation
+└───python
+    └───securecodingexamples
+        └───unrestricted
+            └───fileupload
+                └───src
+                    ├───templates
+                    └───tests
+```

Unrestriced File Upload/java/.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+wrapperVersion=3.3.2
+distributionType=only-script
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip

Unrestriced File Upload/java/README.md

@@ -0,0 +1,33 @@
+# Unrestricted File Upload
+
+This maven project is to help to mitigate the Unrestricted File Upload issues. You can use the logic in the [UploadController.java](./src/main/java/securecodingexamples/unrestricted/fileupload/UploadController.java) in your local [Maven](https://maven.apache.org/), [Gradle](https://gradle.org/) or other Java Applications.
+
+## Code Structure
+
+[HomeController](./src/main/java/securecodingexamples/unrestricted/fileupload/HomeController.java) file serves the [index.html](./src/main/resources/static/index.html) to serve as the Fronted for the File Upload.
+
+[UploadController.java](./src/main/java/securecodingexamples/unrestricted/fileupload/UploadController.java) file contains the logic for the file Upload and the Filename validation, Extension Validation during the File Upload.
+
+[resources/static](./src/main/resources/static) Directory contains the index.html.
+
+## Installation
+1. Clone the repository:
+```sh
+git clone https://github.com/sahildari/secure-coding-examples
+cd 'Unrestriced File Upload/java'
+```
+2. Install the package:
+
+**MacOS/Linux:**
+```sh
+./mvnw clean spring-boot:run
+```
+
+**Windows:**
+```sh
+mvnw.cmd clean spring-boot:run
+```
+3. Open in Browser:
+```
+http://127.0.0.1:8080
+```