unrestricted file upload python

Author: sahildari

Path Manipulation/while File Upload/java/fileupload.pathmanipulation/src/main/java/securecodingexamples/fileupload/pathmanipulation/UploadController.java

@@ -100,7 +100,7 @@ private static boolean isValidName(String filename) {
     private static String validFilename(String filename) {
         int dotIndex = filename.lastIndexOf(".");
         String name = filename.substring(0, dotIndex);
-        String extension = filename.substring(dotIndex + 1);
+        String extension = filename.substring(dotIndex + 1).toLowerCase();
         return name + "." + extension;
     }
 

Path Manipulation/while File Upload/java/fileupload.pathmanipulation/src/main/resources/static/index.html

@@ -2,6 +2,6 @@
 <title>File Upload</title>
 <h1>Upload new files</h1>
 <form method="post" enctype="multipart/form-data" action="/uploadFile">
-    <input type="file" accept="text/plain, application/pdf" name="file"/><!--Client Side Validation for file type-->
+    <input type="file" accept="text/plain, application/pdf" name="file"/><!--Client Side Validation for allowed file type-->
     <input type="Submit" name="Upload"/>
 </form>

Unrestriced File Upload/java/src/main/java/securecodingexamples/unrestricted/fileupload/UploadController.java

@@ -28,7 +28,7 @@ public class UploadController{
     private static final Logger logger = Logger.getLogger(UploadController.class.getName());
     private static final String TEMP_DIRECTORY = System.getProperty("java.io.tmpdir");
     private static final String UPLOAD_DIRECTORY = TEMP_DIRECTORY + File.separator + "Uploads";
-    private static final String[] ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}; //jpg, png, pdf
+    // private static final String[] ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}; //jpg, png, pdf
     private static final Pattern FILENAME_REGEX_PATTERN = Pattern.compile("[a-zA-Z0-9-_]+");
 
     //MAGIC_NUMBERS HashMap to contain the allowed magic numbers of the files.
@@ -39,6 +39,8 @@ public class UploadController{
         MAGIC_NUMBERS.put("jpg","FFD8FF");
         MAGIC_NUMBERS.put("png","89504E47");
     }
+
+    private static final String[] ALLOWED_EXTENSIONS = MAGIC_NUMBERS.keySet().toArray(new String[0]);
 
     public static void main(String[] args) {
         File uploadDir = new File(UPLOAD_DIRECTORY);
@@ -77,8 +79,7 @@ public ResponseEntity<?> uploadFile(@RequestParam("file") MultipartFile file) {
 
             if(isValidName(filename) && isValidExtension(filename)){
                 logger.info("Valid Filename and Extension");
-                String validFilename = validFilename(filename);
-                validFilename = getUniqueFilename(validFilename);
+                String validFilename = getUniqueFilename(validFilename(filename));
 
                 if(isValidMagicNumber(fileMagicNumber, "jpg") || isValidMagicNumber(fileMagicNumber, "png") || isValidMagicNumber(fileMagicNumber, "pdf") ){
                     logger.info("Valid Magic Number");
@@ -130,7 +131,7 @@ private static boolean isValidName(String filename) {
     private static String validFilename(String filename) {
         int dotIndex = filename.lastIndexOf(".");
         String name = filename.substring(0, dotIndex);
-        String extension = filename.substring(dotIndex + 1);
+        String extension = filename.substring(dotIndex + 1).toLowerCase();
         return name + "." + extension;
     }
 

Unrestriced File Upload/python/securecodingexamples/__pycache__/__init__.cpython-313.pyc

@@ -5,7 +5,7 @@
 import tempfile
 from werkzeug.exceptions import RequestEntityTooLarge
 import logging
-from .pathmanipulation import is_valid_name, is_valid_extension, valid_filename, get_unique_filename
+from .pathmanipulation import is_valid_name, is_valid_extension, valid_filename, get_unique_filename, get_magic_number, is_valid_magic_number
 
 app = Flask(__name__)
 TEMPDIR = tempfile.gettempdir()
@@ -53,17 +53,22 @@ def upload_file():
 
         if request.content_length > max_length:
             return jsonify({"error": "File size exceeds the limit"}), 400
+        
+        if (file is None or not is_valid_name(file.filename)):
+            return jsonify({"error" : "Invalid Filename"}), 400
+        
+        if (file is None or not is_valid_extension(file.filename)):
+            return jsonify({"error" : "Invalid Extension"}), 400
 
         if file and is_valid_name(file.filename) and is_valid_extension(file.filename):
-            filename = valid_filename(file.filename)
-            if filename:
+            if (is_valid_magic_number(file, "pdf") or is_valid_magic_number(file, "png") or is_valid_magic_number(file, "jpg")):
                 unique_filename = get_unique_filename(app.config["UPLOAD_DIRECTORY"], valid_filename(file.filename))
-                file_path = os.path.join(app.config["UPLOAD_DIRECTORY"], unique_filename)
-                file.save(file_path)
-                logger.info(f"File '{unique_filename}' uploaded successfully at {file_path}")
+                safe_file_path = os.path.join(app.config["UPLOAD_DIRECTORY"], unique_filename)
+                file.save(safe_file_path)
+                logger.info(f"File '{unique_filename}' uploaded successfully at {safe_file_path}")
                 return jsonify({"success": "File uploaded successfully"}), 200
             else:
-                return jsonify({"error": "Invalid filename"}), 400
+                return jsonify({"error" : "Invalid File Type"}), 400
         else:
             return jsonify({"error": "Invalid file format"}), 400
     except RequestEntityTooLarge as e: