
Header Manipulation issue with HP Fortify in HTTP response [java]

I'm trying to fix a "Header Manipulation" issue returned by HP Fortify Scan for this code. I don't know if files are already validated during upload (I think not). I tried to use a RegEx to validate the filename with no success. Can anyone help me?

// Download handler flagged by Fortify: the stored file name and content type flow into response headers
b = uploadedFiles.getFilecontent().getBytes(1,
        uploadedFiles.getFilesize().intValue());
if (b != null) {
    response.reset();
    String fileName = uploadedFiles.getFilename();           // user-supplied at upload time, untrusted
    String header = "attachment; filename=\"" + fileName + "\"";
    String contentType = uploadedFiles.getFilecontenttype(); // user-supplied at upload time, untrusted
    response.setContentType(uploadedFiles.getFilecontenttype());
    response.addHeader("Content-Transfer-Encoding", "Binary");
    response.addHeader("Cache-Control", "must-revalidate, private");
    response.setContentLength(b.length);
    FileCopyUtils.copy(b, response.getOutputStream());
    response.getOutputStream().flush();
    response.getOutputStream().close();
}

What I tried:

// Attempt: only build the Content-Disposition header when the file name matches a simple regex
String fileName = uploadedFiles.getFilename();
String regex = "[a-zA-Z._ ]*";
if (b != null && fileName.matches(regex)) {
    response.reset();
    // String fileName = uploadedFiles.getFilename();
    String header = "attachment; filename=\"" + fileName + "\"";
    String contentType = uploadedFiles.getFilecontenttype();
    response.setContentType(uploadedFiles.getFilecontenttype());
    response.addHeader("Content-Transfer-Encoding", "Binary");
    response.addHeader("Cache-Control", "must-revalidate, private");
    response.setHeader("Content-Disposition", header);        // Fortify reports Header Manipulation here
    response.setContentLength(b.length);
    FileCopyUtils.copy(b, response.getOutputStream());
    response.getOutputStream().flush();
    response.getOutputStream().close();
}

You should use a method to filter the sensitive info in

response.setHeader("Content-Disposition", header)

Just using

fileName.matches(regex) 

is too simple.

String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());

First of all, you could fix a redundancy here. Secondly, the problem may come from the fact that you don't try to validate the content-type. What if the content-type had been altered and didn't match what the file really is? Each user input should be sanitized and/or compared to a white list of contents that you actually expect.

EDIT: idem for the filename. Sanitize this field.

You can use this method to validate header values, in this case the filename:

// Header manipulation: strip characters that must never reach a header value
import java.io.UnsupportedEncodingException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public static String validateHeaders(String header) throws UnsupportedEncodingException {
    // Re-read the UTF-8 bytes as ISO-8859-1 so every byte maps to exactly one char
    String filename = new String(header.getBytes("UTF-8"), "ISO-8859-1");
    // Deny-list of metacharacters; \r and \n are the ones that allow a second header line to be injected
    String regex = "[`~!@#$%^&*()\\+\\=\\{}|:\"?><\\/\\r\\n]";
    Pattern pa = Pattern.compile(regex);
    Matcher ma = pa.matcher(filename);
    if (ma.find()) {
        filename = ma.replaceAll("");
    }
    return filename;
}

String header = "attachment; filename=\"" + validateHeaders(fileName) + "\"";
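The two answers above ask for a content-type whitelist and a sanitized filename. The following is an added example (not code from the question or any answer) that does both with an allow-list instead of a deny-list, so CR/LF and every other separator are never copied into the header; the MIME types listed and the class name are assumptions, and it needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public final class DownloadHeaders {

    // Constructed allow-list for this example; an application lists only the types it actually serves.
    private static final Set<String> ALLOWED_TYPES =
            Set.of("application/pdf", "image/png", "image/jpeg", "text/plain");

    private DownloadHeaders() {}

    /** Returns the declared type only if it is allow-listed; anything else is served as opaque bytes. */
    public static String safeContentType(String declared) {
        if (declared == null) return "application/octet-stream";
        String base = declared.split(";", 2)[0].trim().toLowerCase();
        return ALLOWED_TYPES.contains(base) ? base : "application/octet-stream";
    }

    /** Reduces a user-supplied name to [A-Za-z0-9._-]: the directory part is dropped and every other
     *  character (CR, LF, quotes, semicolons, all controls) is simply not copied. */
    public static String safeFileName(String raw) {
        if (raw == null) throw new IllegalArgumentException("missing file name");
        String name = raw.substring(Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\')) + 1);
        StringBuilder sb = new StringBuilder(name.length());
        for (char c : name.toCharArray()) {
            if ((Character.isLetterOrDigit(c) && c < 128) || c == '.' || c == '_' || c == '-') {
                sb.append(c);
            } else if (c == ' ') {
                sb.append('_');
            }
        }
        String cleaned = sb.toString().replaceAll("^\\.+", ""); // no leading dots: no ".." and no hidden files
        if (cleaned.isEmpty()) throw new IllegalArgumentException("file name has no safe characters");
        return cleaned;
    }

    /** Builds the Content-Disposition value. filename= gets the ASCII-safe name; filename*= (RFC 5987)
     *  carries the original name percent-encoded, so non-ASCII names survive without raw bytes in the header. */
    public static String contentDisposition(String raw) {
        String ascii = safeFileName(raw);
        String last = raw.substring(Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\')) + 1);
        String encoded = URLEncoder.encode(last, StandardCharsets.UTF_8).replace("+", "%20");
        return "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + encoded;
    }

    public static void main(String[] args) {
        // Constructed test vector: a name carrying a CRLF, which a deny-list regex must not miss.
        System.out.println(contentDisposition("report.pdf\r\nX-Injected: 1"));
        System.out.println(safeContentType("text/html; charset=utf-8")); // not allow-listed
    }
}
```

In the question's code this replaces the two `uploadedFiles.get...()` calls passed to `setContentType` and `setHeader("Content-Disposition", ...)`; Spring 5 also ships `org.springframework.http.ContentDisposition`, whose builder produces the same `filename*` encoding. Fortify recognises sanitizers through its rule set, so a custom method like this may still need a cleanse rule or an audited finding before the report clears.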

By using RestTemplate and HttpHeaders for the Authorization header, the code below is able to resolve the Header Manipulation issue.

import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

RestTemplate restTemplate = new RestTemplate();
HttpHeaders headersNew = new HttpHeaders();
// Below 2 lines solve the problem: collapse whitespace (including CR/LF) before the token reaches the header
String sanitizedToken = StringUtils.normalizeSpace(yourJwtToken);
headersNew.setBearerAuth(sanitizedToken); // This is the line where Fortify reported the issue earlier
String url = "Your url";
HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(null, headersNew);
ResponseEntity<Object> response =
        restTemplate.exchange(url,
                HttpMethod.GET,
                entity,
                Object.class);
