Insecure file upload - Files Limit - Java

Insecure file upload - Files Limit - Java

Need

Enforce file upload limits and implement proper file management

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for building Java web applications with Servlets

Description

Non compliant code

        import javax.servlet.http.*;
import javax.servlet.*;
import java.io.*;

public class FileUploadServlet extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        Part filePart = request.getPart("file"); // Retrieves 
        String fileName = Paths.get(filePart.getSubmittedFileName()).getFileName().toString(); // MSIE fix.
        InputStream fileContent = filePart.getInputStream();

        byte[] buffer = new byte[fileContent.available()];
        fileContent.read(buffer);

        File targetFile = new File("/uploads/" + fileName);
        OutputStream outStream = new FileOutputStream(targetFile);
        outStream.write(buffer);

        outStream.close();
    }
}
        
        

The above code is a simple servlet that handles file uploads. When a POST request is made to this servlet with a file included in the request, the servlet will save that file to the /uploads directory on the server.

The vulnerability lies in the fact that there is no limit to the number of files that can be uploaded. The doPost method will accept any number of requests and save the files to the server without any checks for the number of files or the total size of all uploaded files.

Additionally, if a file is uploaded with the same name as an existing file in the /uploads directory, the existing file will not be deleted or replaced. Instead, the new file will simply be added to the directory alongside the existing file, potentially causing confusion or data loss.

This lack of limitation and control over file uploads can lead to various problems, such as filling up the server's storage space or allowing an attacker to upload malicious files.

Steps

  • Implement a limit on the number of files that can be uploaded per unit of time.
  • Delete the previous file from the server before uploading a new one.
  • Validate the file type and enforce restrictions on allowed file types.
  • Sanitize the file name to prevent directory traversal attacks.
  • Store the uploaded files in a secure location outside of the web root directory.
  • Implement proper access controls to restrict unauthorized access to the uploaded files.

Compliant code

        import javax.servlet.http.*;
import javax.servlet.*;
import java.io.*;
import java.nio.file.*;
import java.util.concurrent.*;

public class FileUploadServlet extends HttpServlet {
    private static final int MAX_UPLOADS_PER_UNIT_TIME = 10; // Define your limit
    private static final long TIME_UNIT_IN_MS = 60000; // Define your time unit (here it's 1 minute)
    private static final ConcurrentMap uploadCounts = new ConcurrentHashMap<>();

    public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        String userIP = request.getRemoteAddr();
        Integer userUploadCount = uploadCounts.getOrDefault(userIP, 0);

        if (userUploadCount >= MAX_UPLOADS_PER_UNIT_TIME) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Upload limit exceeded");
            return;
        }

        Part filePart = request.getPart("file");
        String fileName = Paths.get(filePart.getSubmittedFileName()).getFileName().toString();

        // Sanitize the file name
        fileName = fileName.replaceAll("[^a-zA-Z0-9\\\\.\\\\-]", "_");

        // Validate the file type
        String fileType = getServletContext().getMimeType(fileName);
        if (!"image/jpeg".equals(fileType) && !"image/png".equals(fileType)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid file type");
            return;
        }

        // Delete the previous file
        File previousFile = new File("/secure_uploads/" + fileName);
        if (previousFile.exists()) {
            previousFile.delete();
        }

        // Write the new file
        InputStream fileContent = filePart.getInputStream();
        byte[] buffer = new byte[fileContent.available()];
        fileContent.read(buffer);

        File targetFile = new File("/secure_uploads/" + fileName);
        OutputStream outStream = new FileOutputStream(targetFile);
        outStream.write(buffer);

        outStream.close();

        // Update the upload count
        uploadCounts.put(userIP, userUploadCount + 1);

        // Schedule a task to reset the upload count after the time unit
        Executors.newSingleThreadScheduledExecutor().schedule(() -> {
            uploadCounts.remove(userIP);
        }, TIME_UNIT_IN_MS, TimeUnit.MILLISECONDS);
    }
}
        
        

The fixed code now includes a limit on the number of files that can be uploaded per unit of time. This is achieved by maintaining a ConcurrentHashMap that maps user IPs to their respective upload counts. If a user tries to upload more than the defined limit ( MAX_UPLOADS_PER_UNIT_TIME) within the defined time unit ( TIME_UNIT_IN_MS), the server responds with a 403 Forbidden error.

Before a new file is uploaded, the previous file with the same name is deleted from the server. This is done by checking if a file with the same name exists in the upload directory and deleting it if it does.

The file name is sanitized to prevent directory traversal attacks. This is done by replacing all characters that are not alphanumeric, dot, or hyphen with an underscore.

The file type is validated to ensure that only JPEG and PNG images can be uploaded. This is done by checking the MIME type of the file against a list of allowed MIME types.

The uploaded files are stored in a secure location ( /secure_uploads/) outside of the web root directory.

Finally, a task is scheduled to reset the upload count for the user IP after the time unit. This is done using a ScheduledExecutorService that removes the user IP from the uploadCounts map after the defined time unit.

References