mirror of
https://github.com/github/codeql.git
synced 2025-12-18 09:43:15 +01:00
246 lines
7.1 KiB
Java
246 lines
7.1 KiB
Java
import java.io.FileInputStream;
|
|
import java.io.FileNotFoundException;
|
|
import java.io.FileOutputStream;
|
|
import java.io.OutputStream;
|
|
import java.io.IOException;
|
|
import java.io.File;
|
|
import java.nio.file.Path;
|
|
import java.nio.file.Paths;
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.http.HttpSession;
|
|
|
|
import com.jfinal.core.Controller;
|
|
|
|
public class FilePathInjection extends Controller {
|
|
private static final String BASE_PATH = "/pages";
|
|
|
|
// BAD: Upload file to user specified path without validation
|
|
public void uploadFile() throws IOException {
|
|
String savePath = getPara("dir");
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + savePath;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
// GOOD: Upload file to user specified path with path normalization and validation
|
|
public void uploadFile2() throws IOException {
|
|
String savePath = getPara("dir");
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + savePath;
|
|
Path path = Paths.get(finalFilePath).normalize();
|
|
|
|
if (path.startsWith(BASE_PATH)) {
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(path.toFile());
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
}
|
|
|
|
// BAD: Upload file to user specified path without validation through session attribute
|
|
public void uploadFile3() throws IOException {
|
|
String savePath = getPara("dir");
|
|
setSessionAttr("uploadDir", savePath);
|
|
String sessionUploadDir = getSessionAttr("uploadDir");
|
|
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + sessionUploadDir;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
// BAD: Upload file to user specified path without validation through request attribute
|
|
public void uploadFile4() throws IOException {
|
|
String savePath = getPara("dir");
|
|
setAttr("uploadDir2", savePath);
|
|
String requestUploadDir = getAttr("uploadDir2");
|
|
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + requestUploadDir;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
// BAD: Upload file to user specified path without validation through session object (not detected)
|
|
public void uploadFile5() throws IOException {
|
|
String savePath = getPara("dir");
|
|
getSession().setAttribute("uploadDir3", savePath);
|
|
String sessionUploadDir = getSessionAttr("uploadDir3");
|
|
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + sessionUploadDir;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
// GOOD: Upload file to a system path from a request object
|
|
public void uploadFile6() throws IOException {
|
|
setAttr("uploadDir4", "/data/upload_dir/");
|
|
String requestUploadDir = getAttr("uploadDir4");
|
|
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + requestUploadDir;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
// GOOD: Upload file to a system path from a request object
|
|
public void uploadFile7() throws IOException {
|
|
String savePath = getPara("dir");
|
|
setAttr("uploadDir5", savePath);
|
|
setAttr("realUploadDir", "/data/upload_dir/");
|
|
String requestUploadDir = getAttr("realUploadDir5");
|
|
|
|
File file = getFile("fileParam").getFile();
|
|
String finalFilePath = BASE_PATH + requestUploadDir;
|
|
|
|
FileInputStream fis = new FileInputStream(file);
|
|
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
|
int i = 0;
|
|
|
|
do {
|
|
byte[] buf = new byte[1024];
|
|
i = fis.read(buf);
|
|
fos.write(buf);
|
|
} while (i != -1);
|
|
|
|
fis.close();
|
|
fos.close();
|
|
}
|
|
|
|
private void readFile(HttpServletResponse resp, File file) {
|
|
OutputStream os = null;
|
|
FileInputStream fis = null;
|
|
try {
|
|
os = resp.getOutputStream();
|
|
fis = new FileInputStream(file);
|
|
byte fileContent[] = new byte[(int) file.length()];
|
|
fis.read(fileContent);
|
|
os.write(fileContent);
|
|
} catch (Exception e) {
|
|
System.err.println("Invalid directory or file " + file.getName());
|
|
} finally {
|
|
try {
|
|
if (os != null)
|
|
os.close();
|
|
} catch (Exception e2) {
|
|
}
|
|
try {
|
|
if (fis != null)
|
|
fis.close();
|
|
} catch (Exception e2) {
|
|
}
|
|
}
|
|
}
|
|
|
|
// BAD: Download file to user specified path without validation
|
|
public void downloadFile() throws FileNotFoundException, IOException {
|
|
HttpServletRequest request = getRequest();
|
|
String path = request.getParameter("path");
|
|
String filePath = BASE_PATH + path;
|
|
|
|
HttpServletResponse resp = getResponse();
|
|
File file = new File(filePath);
|
|
if (path != null && file.exists()) {
|
|
resp.setHeader("Content-type", "application/force-download");
|
|
resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
|
|
resp.setHeader("Content-Transfer-Encoding", "Binary");
|
|
resp.setHeader("Content-length", "" + file.length());
|
|
resp.setHeader("Content-Type", "application/octet-stream");
|
|
resp.setHeader("Content-Disposition", "attachment; filename=\"" + file.getName() + "\"");
|
|
readFile(resp, file);
|
|
} else {
|
|
System.err.println("File does not exist " + path);
|
|
}
|
|
}
|
|
|
|
// GOOD: Download file with path validation
|
|
public void downloadFile2() throws FileNotFoundException, IOException {
|
|
HttpServletRequest request = getRequest();
|
|
String path = request.getParameter("path");
|
|
String filePath = BASE_PATH + path;
|
|
|
|
HttpServletResponse resp = getResponse();
|
|
if (!filePath.contains("..") && filePath.startsWith(BASE_PATH)) {
|
|
File file = new File(filePath);
|
|
if (file.exists()) {
|
|
resp.setHeader("Content-type", "application/force-download");
|
|
resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
|
|
resp.setHeader("Content-Transfer-Encoding", "Binary");
|
|
resp.setHeader("Content-length", "" + file.length());
|
|
resp.setHeader("Content-Type", "application/octet-stream");
|
|
resp.setHeader("Content-Disposition", "attachment; filename=\"" + file.getName() + "\"");
|
|
readFile(resp, file);
|
|
} else {
|
|
System.err.println("File does not exist " + path);
|
|
}
|
|
}
|
|
}
|
|
}
|