Hey Everyone I am using angular 5 and Java 8 for my application. While uploading a file fro front end i want to restrict malicious or junk file upload into my database using Java. Please help me with.
Short of not accepting uploaded files, there is no sure way of doing this.
OK, now having said that, :), sure it is practically needed to accept uploaded files. In this case, 2 primary things that need to be focused on:
Keep the server safe from compromise
Keep the user using the application safe from compromise
To keep the server insulated from compromise, as far as possible (through design) don't accept file uploads that will be internally used by the server e.g. data in CSV format, XML configurations .... instead try to provide an UI to take the data (of course CSV data cannot be taken from UI)
If you have to take uploaded files and do not need to use it on server, Base64 (or other encoding) and keep it on;y to decode and serve up. This ofcourse does not prevent the user from getting compromised through maliciously engineered files.
For this, first you need to know what type of file it is, use content detectors e.g. like Apache Tika. However, first you need to limit your attack surface by accepting only certain type of files (try to limit it to the smallest set as possible). Once you receive a file try to detect its content. By practice, if the content cannot be detected, the file should be rejected.
Once the content is detected, the further analysis and countermeasures are dependent on the format (different formats have different vulnerabilities associated with the popular applications they are accessed with), a case in point is CSV Injection.
As last point, the above does take very considerable investment in the implementation, update and maintenance of the mechanism, security is not free.
Do make a cost benefit analysis of the loss due to compromise versus the cost of the security mechanism.
As a general principal, appropriate level of security needs to be used for appropriate asset value.
Related
I'm planing on using Amazon S3 to store milions of relatively small files (~100kB-2mB). To save on upload time I structured them into directories (tens/hundreds of files per directory), and decided to use TransferManager's uploadDirectory/uploadFileList. However after uploading an individual file I need to perform specific operations on my HDD and DB. Is there any way (preferably implementing observers/listeners) to notify me whenever a specific file has finished uploading or am I cursed with only being able to verify if the entire MultipleFileUpload succeeded?
For whatever it's worth I'm using the Java SDK, however I should be able to adapt a .NET/REST solution to my needs.
Realizing that this isn't exactly what you asked, it's pretty sweet and seems like an appropriate solution...
S3 does have notifications you can configure to alert you when an object has been created or deleted (or if a reduced redundancy object was lost). These can go to SQS, SNS, or Lambda (which could potentially even run the code that updates the database), and of course if you send them to SNS you can then fan them out to multiple destinations.
http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#notification-how-to-event-types-and-destinations
Don't make the mistake, however, of selecting only the upload subtype you assume is being used; use the s3:ObjectCreated:* event unless you have a specific reason not to.
My Android app uses plain text JSON files to store some data. Such files are saved into the private folder of the app, e.g. Android/data/com.example.app/. I would like to know if my app is vulnerable with such kind of files around. Data in those files are not sensible or secret, and they are not processed by JavaScript (they are parsed with JSON Java methods); I am concerned about some malicious JSON code to be injected and mess with my app or the user's device. Is it possible?
Even if the injected code was not malicious it can cause you problems because:
Others can see and alter the file. (At least with rooted devices)
if the content is altered then you are prone have unexpected results while parsing the file.
You would not want your app related data to be altered by others by any means unless you want it to be (but by using Content Providers.)
I hope it makes sense.
By default, data that you store into the private folder is neither accessible by the user nor by other applications. See the documentation on the Android developers website about this: http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
However, as mentioned by SMR, if a device has been rooted this data is available to the user and might be compromised by any apps that the user has given root permission to.
However it's a minority of users that are actually rooted and those that are should more or less know what they've gotten themselves into and what they're actions can do. It's up to you to decide if it's worth some effort to look out for these special cases.
But by default your data should be safe and sound.
If the data is not that much private then you can put those data in the assets folder and you can access the same. If it is not like that then you can keep it inside the applications data folder
For my app I download some resources like images and small mp3 and save them in the external storage (at /mnt/sdcard/Android/data/com.example.packagename/cache for example.
But I don't want that if a user explores that folder finds all the resources in a "common format".
One of my options is to remove the extensions (I know it's easy to guess the file type even if it have not extension but is a basic protection against most users)
I have noticed most of the programs that have their caches at the external storage don't have their cache as raw files.
I wonder if is there any easy way (with some class or something) for "hiding" those files and access them transparently or I must implement my own system
(It is not vital that these files remain hidden but I'd like keep those resources "unknown" unless a user takes a special trouble to see them)
Thanks
You can use ObjectOutputStream, it will save data as binary data, when the user tries to open it, even using Text Editor, it will show corrupted data, and here some sample how to use it Writing objects to file with ObjectOutputStream
I have a web application in GWT and a complementary desktop client also written in Java (so the same solution basically applies to both). In my program users can attach files, then download them later or do whatever. These files are stored as blobs and can be in just about any format. Many of the users that use Excel and Word want to be able to open the file, make changes, then have those changes stored back in the attached file. In other words, need an inline editing of attachments.
Any ideas on how to make this happen? Should I have an 'edit' mode that keeps a file handler while the file is open, and then store that File handler? Some way keeping track of whether the file is changing, or not?
Sorry about the late response. Amol >> I have that going. I want to save directly back to a blob as if it were a filehandle. Thought that was clear in my question.
I have decided that this is almost impossible with a web application without writing some kind of client interface for each and every potential file type - word, excel, pdf, graphics, etc...
This question already has answers here:
How to create my own file extension like .odt or .doc? [closed]
(3 answers)
Closed 8 years ago.
I'm on my way in developing a desktop application using netbeans(Java Dextop Application) and I need to implement my own file format which is specific to that application only. I'm quite uncertain as to how should I go about first.What code should I use so that my java application read that file and open it in a way as I want it to be.
If it's character data, use Reader/Writer. If it's binary data, use InputStream/OutputStream. That's it. They are available in several flavors, like BufferdReader which eases reading a text file line by line and so on.
They're part of the Java IO API. Start learning it here: Java IO tutorial.
By the way, Java at its own really doesn't care about the file extension or format. It's the code logic which you need to write to handle each character or byte of the file according to some file format specification (which you in turn have to writeup first if you'd like to invent one yourself).
I am not sure this directly addresses your question, but since you mentioned a custom file format, it is worth noting that applications launched using Java Web Start can declare a file association. If the user double clicks one of those file types, the file name will be passed to the main(String[]) of the app.
This ability is used in the File Service demo. of the JNLP API - available at my site.
As to the exact format of the file & the best ways to load and save it, there are a large number of possibilities that can be narrowed down with more details of the information it contains.
Choosing a new/existing file extension does not affect your application (or in any case anyone's). It is upto the programmer what files he wants his app to read.
For example, you may consider you can't read a pdf or doc directly as a text file....but that is not because they are written/ stored differently, but because they have headers or characters which your app does not understand. So we might use a plugin or extension which understands those added headers ( or rather the grammar of the pdf /doc file) removes them & lets our app know what text (or anything else) it contains.
So if you wish to incorporate your own extension, & specifically want no other application to be able to read it, just write the text in a way that only your program is able to understand. Though writing a file in binary pretty much ensures that your file is not read directly just by user opening a file, but it is however still possible to read from it, if it is merely collection of raw characters.
If you ask code for hiding a data, I'd say there are plenty of algorithms you might use, which usually get tagged as encryptions cause you are basically trying to lock/hide your stuff. So if you do not really care for the big hulla-bulla, simply trying to keep a file from being directly read & successful attempts to read the file does not cause any harm to your application, write it in binary.