Author: rgielen Date: Fri Jul 5 17:44:09 2013 New Revision: 1500082 URL: http://svn.apache.org/r1500082 Log: WW-4136 - Demonstrate proper input sanitization for the file download showcase example - added demo code to reject input paths containing "WEB-INF"
Added: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java
Modified: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
Modified: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java?rev=1500082&r1=1500081&r2=1500082&view=diff
==============================================================================
--- struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java (original)
+++ struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java Fri Jul 5 17:44:09 2013
@@ -39,7 +39,23 @@ public class FileDownloadAction implemen } public void setInputPath(String value) { - inputPath = value; + inputPath = sanitizeInputPath(value); + } + + /** + * As the user modifiable parameter inputPath will be used to access server side resources, we want the path to be + * sanitized - in this case it is demonstrated to disallow inputPath parameter values containing "WEB-INF". Consider to + * use even stricter rules in production environments. + * + * @param value the raw parameter input value to sanitize + * + * @return the sanitized value; <tt>null</tt> if value contains an invalid path segment like WEB-INF + */ + String sanitizeInputPath( String value ) { + if (value != null && value.toUpperCase().contains("WEB-INF")) { + return null; + } + return value; } public InputStream getInputStream() throws Exception { Added: struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java URL: http://svn.apache.org/viewvc/struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java?rev=1500082&view=auto ============================================================================== --- struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java (added) +++ struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/FileDownloadActionTest.java Fri Jul 5 17:44:09 2013 
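Review bot: `sanitizeInputPath` folds case with `value.toUpperCase()` and no locale, so under a Turkish default locale the lowercase i in a `web-inf` segment maps to U+0130 and `contains("WEB-INF")` no longer matches; make the rule locale-independent with `if (value != null && value.toUpperCase(Locale.ROOT).contains("WEB-INF")) {` (importing `java.util.Locale`), or use `regionMatches(true, ...)`. The check is also a bare substring denylist: a value with `..` segments or an absolute path passes through unchanged, and the Javadoc's "consider even stricter rules" hint would carry more weight if the showcase normalized the path and verified it resolves under the intended base directory, since that is the pattern readers are meant to copy. Rejected values become `null` in `inputPath`; `getInputStream()` begins on the last line of the hunk with its body outside it, so whether a null path fails closed there or surfaces as an NPE at download time is not visible here and should be confirmed. The Javadoc would also benefit from stating explicitly that the method is a demonstration denylist and does not by itself prevent path traversal.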
@@ -0,0 +1,42 @@
+package org.apache.struts2.showcase.filedownload;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+public class FileDownloadActionTest {
+
+ private FileDownloadAction fileDownloadAction;
+
+ @Before
+ public void setUp() {
+ this.fileDownloadAction = new FileDownloadAction();
+ }
+
+ @Test
+ public void testSanitizeInputPathShouldAllowSimpleParameter() throws Exception {
+ assertEquals("foo", fileDownloadAction.sanitizeInputPath("foo"));
+ }
+
+ @Test
+ public void testSanitizeInputPathShouldReturnNullForNullInput() throws Exception {
+ assertNull(fileDownloadAction.sanitizeInputPath(null));
+ }
+
+ @Test
+ public void testSanitizeInputPathShouldReturnNullForLeadingWebInf() throws Exception {
+ assertNull(fileDownloadAction.sanitizeInputPath("WEB-INF/foo"));
+ }
+
+ @Test
+ public void testSanitizeInputPathShouldReturnNullForNonLeadingWebInf() throws Exception {
+ assertNull(fileDownloadAction.sanitizeInputPath("./WEB-INF/foo"));
+ }
+
+ @Test
+ public void testSanitizeInputPathShouldReturnNullForNonUppercaseWebInf() throws Exception {
+ assertNull(fileDownloadAction.sanitizeInputPath("./wEB-Inf/foo"));
+ }
+}
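Review bot: The test class pairs JUnit 4 annotations (`org.junit.Test`, `org.junit.Before`) with assertions statically imported from `junit.framework.Assert`, the JUnit 3 helper that JUnit 4 marks deprecated; the imports should read `import static org.junit.Assert.assertEquals;` and `import static org.junit.Assert.assertNull;`. The `throws Exception` clause on every test method is unnecessary, since `sanitizeInputPath` declares no checked exception, and dropping it keeps the test signatures honest about what can fail. The five cases pin the WEB-INF rule well; a one-line class Javadoc noting that these tests cover only the demonstration denylist, not general path-traversal protection, would stop a reader from taking the green suite as evidence of more than it checks.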