Validate file content before upload

Question

Validate file content before upload

144 Views Asked by Eduardo Roque At 13 September 2023 at 15:59

I'm developing a web application in Java, and I want to scan files uploaded to it at runtime for any type of injection, whether it's XSS, SQL, or malware. Besides, I have text fields in which users can directly input data, and from there, I generate Excel files. I want to identify if I'm able to execute code on the frontend by defining XSS injections in these fields. Additionally, through injections in Excel files, I can perform actions like opening the command prompt (cmd) on the client's PC that runs the Excel file. Is there any service I can consume to perform this task at runtime?

Original Q&A

There are 1 best solutions below

**Eduardo Roque** · Accepted Answer · 2023-09-26T15:19:22.667000

what I did was:

//PDFValidator.java
public class PdfValidator implements FileValidator {

    @Override
    public void validate(File file)
            throws EncryptedDocumentException, InvalidFormatException, IOException, PossibleXSSException {
        try (FileInputStream fis = new FileInputStream(file)) {
            byte[] contents = new byte[(int) file.length()];
            fis.read(contents);
            pdfJavascriptCodeCheck(contents);
        }
    }

    public static void pdfJavascriptCodeCheck(final byte[] contents) throws PossibleXSSException {
        try (PDDocument document = PDDocument.load(new ByteArrayInputStream(contents))) {
            if (document.getDocumentCatalog().getOpenAction() instanceof PDActionJavaScript) {
                PDActionJavaScript docLevelJS = (PDActionJavaScript) document.getDocumentCatalog().getOpenAction();
                if (null != docLevelJS)
                    throw new PossibleXSSException("error message");
            }
        } catch (IOException e) {
            e.printStackTrace();
        }

    }
}

//ExcelValidator.java
public class ExcelValidator implements FileValidator {

    @Override
    public void validate(File file) throws EncryptedDocumentException, InvalidFormatException, IOException, PossiblePrivilegeScalingException{
        checkPrivilegeScalingAttempting(file);
    }

    private void checkPrivilegeScalingAttempting(File file) throws EncryptedDocumentException, InvalidFormatException, IOException, PossiblePrivilegeScalingException {
        try (FileInputStream fis = new FileInputStream(file); Workbook workbook = WorkbookFactory.create(fis)) {
            for (int i = 0; i < workbook.getNumberOfSheets(); i++) {
                Sheet sheet = workbook.getSheetAt(i);
                checkJavaScriptCodeOnSheet(sheet);
            }
        }
    }
    
    private void checkJavaScriptCodeOnSheet(Sheet sheet) throws PossiblePrivilegeScalingException {
        for (Row row : sheet)
            checkJavaScriptCodeOnRow(row);
    }

    private void checkJavaScriptCodeOnRow(Row row) throws PossiblePrivilegeScalingException {
        for (Cell cell : row)
            if (PrivilegeScalingRegexValidator.isPrivilegeScaling(cell.getStringCellValue()))
                throw new PossiblePrivilegeScalingException("error message2");
    }
    
}

public class PrivilegeScalingRegexValidator {
    final static String regex = "=.*\\|'.*|\\s+/[A-Za-z0-9._-]+(\\s+\\w+)*\\s+";
    
    public static boolean isPrivilegeScaling(final String input) {
        Pattern pattern = Pattern.compile(regex);
        Matcher matcher = pattern.matcher(input);
        return matcher.matches();       
    }
}

I am currently integrating it with an antivirus to be able scan file in execution time.

Validate file content before upload

There are 1 best solutions below

Related Questions in JAVA

Related Questions in WEB-SERVICES

Related Questions in XSS

Related Questions in ANTIVIRUS-INTEGRATION

Trending Questions

Popular # Hahtags

Popular Questions