I've got a web server with java on which can be uploaded doc/docx and xls/xlsx files. There's a possibility that they can contain viruses as an attachement, maybe some *.exe or *.com file. How can I check that they don't?
Related
I've a project in netbeans which my employer wants me to add a bulk file upload.
The requirement was ,the user will put a csv file and some images in a folder in client side. on the file upload page he will choose the csv file and i have to upload the images in the folder along with the csv.
After a short research i found that the client side file location and details can't be accessed from the server side so instead of uploading a single file and the contents in the folder which it belong, the user will zip all the files and upload the zip file .
Now i'm conserned about the security risks of uploading a zip file.
What all are the measures should i take to prevent the upload of malecious scripts and files along with the zip?
Is it possible to validate the file content before it reach the server ?
Is it possible to validate it securely even after it reached the server side ?
1.- scan the zip files once they arrive at the server.
2.- unlikely. even if you use Javascript as front-end, it doesn't have access to the users file system.
3.- yes, for example with "clamav", but notice that no antivirus is 100% effective.
the steps are:
install clamav
configure clamav to update periodically its virus database
schedule a cron job that continuously scans all files that are in certain directory (the directory where you upload the users files)
delete files that contain viruses
for example:
# dnf install -y clamav
# dnf install -y clamav-update
$ clamscan java_error_in_IDEA_6451.log.zip
LibClamAV Warning: **************************************************
LibClamAV Warning: * The virus database is older than 7 days!
LibClamAV Warning: Please update it as soon as possible. *
LibClamAV Warning: **************************************************
java_error_in_IDEA_6451.log.zip: OK
----------- SCAN SUMMARY -----------
Known viruses: 4490129
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.37 MB
Data read: 0.03 MB (ratio 13.43:1)
Time: 6.239 sec (0 m 6 s)
Antivirus is optional. Everything you need here is to validate and safely extract files from archive to your server storage. I don't recommend to use system utilities for this (zip, etc.). It's better to take some library for working with zip archives and write code for its processing.
Here's possible algorithm for validating files in archive. You should iterate through every file and check if:
File size is too big.
Filename is too long.
Directory structure is too big.
Filename includes ../.
File extension is not in white list.
File has attributes of symlink.
Other rules.
If something is true for your current file, then it's better to stop processing of such archive and show error for client.
When you've checked everything, then you can start to extract files. From this moment you can try to validate content of file using file or exif tools.
Also, you can require archives with some special structure. For example, all images must be in images folder, archive must have only 1 level of folders and so on.
I am using Jmeter2.12 in Linux fedora OS and recording using firefox37 browser.
In this environment setting, How can I Upload video file while recording in Jmeter?
Thanks,
Vairamuthu.
JMeter proxy is capable of recording file upload events, all you need is to put your video file under /bin folder of your JMeter installation.
See the relevant chapter of the HTTP(S) Test Script Recorder (was: HTTP Proxy Server ) User Manual entry
Uploading files
Some browsers (e.g. Firefox and Opera) don't include the full name of a file when uploading files. This can cause the JMeter proxy server to fail. One solution is to ensure that any files to be uploaded are in the JMeter working directory, either by copying the files there or by starting JMeter in the directory containing the files.
For more information on simulating file upload and download events in your JMeter test check out Performance testing: Upload and Download Scenarios with Apache JMeter article.
I have a dynamic web project where I have login and register user and I am using POI to read and write the details in an excel file.
I want to deploy this project as WAR file on tomcat.
But the issue here is Tomcat is not able to find the excel file's path.
So where should I place the excel file.
Right approach would be to
Make a directory on your OS outside of the tomcat.
Write a startup servlet which will check if the directory already exists.
If the directory exists, go ahead and create the excel file into that directory, instead of keeping an already build file, that way you make sure that the excel file is not tampered by any developer accidentally and is only constructed by the application.
I have a web app. packaged as a jar file and served by Java Web Start using jnlp. When the user runs my program, it generates an excel file, which is to be shown by a web page within the same app.
The question is: where should my java class write the excel file so that the web page is able to locate/serve it? Obviously, web page can read from within the web app only (sandbox). But the only handle that I can get to the jnlp downloaded app is the jar file (which is not modifiable at runtime) and not EXPLODED jar file contents. If I am able to locate and write to the exploded jar file contents, I can write my excel file there to be picked up by the web page.
Any help? Any alternatives?
..where should my java class write the excel file so that the web page is able to locate/serve it?
Write it to a sub-directory of user.home. Either that or to the temp.dir (spelling?).
Either of those apps. should be writable be a Java app. without special permissions (e.g. running as root).
I'm new to Cloudbees. I just opened an account and trying to upload a .JAR file which basically downloads a file to the location mentioned by user (through java command line arguments). So far I have run the .JAR in my local. So far, I was referring to my local file system to save the file. If I deploy my .JAR file to Cloudbees SDK, where can I save the downloaded file (and then process it).
NOTE: I know this is not a new requirement in java if we deploy the jar in UNIX/WINDOWS OS where we can refer the file system w.r.t to home directory.
Edit#1:
I've seen couple of discussions about the same topic.
link#1
link#2
Everywhere they are talking about the ephemeral (temporary) file system which we can access through System.getProperty("java.io.tempDir"). But I'm getting null when I access java.io.tempDir. Did anyone manage to save files temporarily using this tempDir?
You can upload a jar with the java stack specifying the class and classpath (http://developer.cloudbees.com/bin/view/RUN/Java+Container)
Our filesystem however is not persistent, so if you are talking about saving a file from within your application, you could save it in this path
System.getProperty("java.io.tmpdir")
but it will be gone when your application hibernates, scales-up/down or is redeployed.
If you want a persistent way to store file/images, you can use AmazonS3 from your cloudbees application: uploading your files there will ensure their persistence.
You can find an example of how to do that in this clickstart:
http://developer-blog.cloudbees.com/search?q=amazon+s3
More information here: https://wiki.cloudbees.com/bin/view/RUN/File+system+access