Author: rgielen
Date: Fri Jul  5 17:44:09 2013
New Revision: 1500082

URL: http://svn.apache.org/r1500082
Log:
WW-4136 - Demonstrate proper input sanitizing for file download showcase example
- added demo code to prevent input paths containing "WEB-INF"

Added:
    
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/
    
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
Modified:
    
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java

Modified: 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java?rev=1500082&r1=1500081&r2=1500082&view=diff
==============================================================================
--- 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
 (original)
+++ 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
 Fri Jul  5 17:44:09 2013
@@ -39,7 +39,23 @@ public class FileDownloadAction implemen
        }
 
        public void setInputPath(String value) {
-               inputPath = value;
+               inputPath = sanitizeInputPath(value);
+       }
+
+       /**
+        * As the user modifiable parameter inputPath will be used to access 
server side resources, we want the path to be
+        * sanitized - in this case it is demonstrated to disallow inputPath 
parameter values containing "WEB-INF". Consider to
+        * use even stricter rules in production environments.
+        *
+        * @param value the raw parameter input value to sanitize
+        *
+        * @return the sanitized value; <tt>null</tt> if value contains an 
invalid path segment like WEB-INF
+        */
+       String sanitizeInputPath( String value ) {
+               if (value != null && value.toUpperCase().contains("WEB-INF")) {
+                       return null;
+               }
+               return value;
        }
 
        public InputStream getInputStream() throws Exception {
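Review bot: The case-folding in sanitizeInputPath at `value.toUpperCase().contains("WEB-INF")` uses the JVM's default locale, so the comparison is not stable across deployments; under a Turkish default locale the lowercase "i" folds to a dotted capital İ and a lowercase "web-inf" segment would no longer match the literal, which also means the new NonUppercaseWebInf test in FileDownloadActionTest would fail there. Make the fold locale-independent: `if (value != null && value.toUpperCase(Locale.ROOT).contains("WEB-INF")) {` with `import java.util.Locale;` added to the file's imports (outside this hunk). The Javadoc already flags that this is a demonstration denylist and that production code should be stricter, so that caveat need not be repeated in code, but a one-line comment such as `// locale-independent fold: the default locale must not change what is rejected` would make the Locale.ROOT choice self-explaining. The enclosing FileDownloadAction class starts and ends outside this hunk.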

Added: 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java?rev=1500082&view=auto
==============================================================================
--- 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
 (added)
+++ 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
 Fri Jul  5 17:44:09 2013
@@ -0,0 +1,42 @@
+package org.apache.struts2.showcase.filedownload;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+public class FileDownloadActionTest {
+
+       private FileDownloadAction fileDownloadAction;
+
+       @Before
+       public void setUp() {
+           this.fileDownloadAction = new FileDownloadAction();
+       }
+
+       @Test
+       public void testSanitizeInputPathShouldAllowSimpleParameter() throws 
Exception {
+               assertEquals("foo", 
fileDownloadAction.sanitizeInputPath("foo"));
+       }
+
+       @Test
+       public void testSanitizeInputPathShouldReturnNullForNullInput() throws 
Exception {
+               assertNull(fileDownloadAction.sanitizeInputPath(null));
+       }
+
+       @Test
+       public void testSanitizeInputPathShouldReturnNullForLeadingWebInf() 
throws Exception {
+               assertNull(fileDownloadAction.sanitizeInputPath("WEB-INF/foo"));
+       }
+
+       @Test
+       public void testSanitizeInputPathShouldReturnNullForNonLeadingWebInf() 
throws Exception {
+               
assertNull(fileDownloadAction.sanitizeInputPath("./WEB-INF/foo"));
+       }
+
+       @Test
+       public void 
testSanitizeInputPathShouldReturnNullForNonUppercaseWebInf() throws Exception {
+               
assertNull(fileDownloadAction.sanitizeInputPath("./wEB-Inf/foo"));
+       }
+}
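Review bot: The new test mixes JUnit APIs: it drives tests with `org.junit.Before`/`org.junit.Test` (JUnit 4) but imports its assertions from `junit.framework.Assert`, the legacy JUnit 3 class. The JUnit 4 equivalents are a one-line swap each: `import static org.junit.Assert.assertEquals;` and `import static org.junit.Assert.assertNull;`. The `throws Exception` clauses on the five test methods are unnecessary since none of the bodies throws a checked exception and could be dropped for tidiness. The tests pin the sanitizer in isolation; whether a rejected value actually leaves the action's inputPath unset is not asserted here, presumably because no accessor for it is visible in this change.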

