Site icon Narayana Tutorial

Unauthorized File Upload Vulnerabilities OWASP

Unauthorized File Upload Vulnerabilities OWASP

The application should allow the only specific types of files according to the requirement. And we should not allow unauthorized files into the application. It is possible for an attacker to bypass the current restrictions in place and upload an executable application or script. Bypassing the executable file, attackers can steal the system level sensitive information.

 

Suppose the application should allow the only.jpg, .png, .gif, and restrict the action when other format files will be uploaded.

Image Validation by Image Readers

public static boolean validateImageReader(String imageFilePath) throws Exception {
		File file = new File(imageFilePath);
		ImageInputStream imageInputStream = ImageIO.createImageInputStream(file);
		Iterator<ImageReader> readers = ImageIO.getImageReaders(imageInputStream);
		imageInputStream.flush();
		imageInputStream.close();
		String imageFormatName = "";
		boolean isImage;
		if (!readers.hasNext()) {
			isImage = false;
		} else {
			ImageReader reader = readers.next();
			imageFormatName = reader.getFormatName();
			if ("jpeg".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "jpeg";
			} else if ("png".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "png";
			} else if ("jpg".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "jpg";
			} else if ("gif".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "gif";
			} else {
				isImage = false;
			}
		}

		String mimeType = new MimetypesFileTypeMap().getContentType(file);
		System.out.println("mimeType:" + mimeType);
		System.out.println("Is Image Format: " + isImage);

		System.out.println("Image Format: " + imageFormatName);
		return isImage;
	}

Image MIME Type Validation

public static boolean validateWithImageMiMEType(String filePath) throws Exception {
		//JPEG image    - MimeType:image/jpeg  - Image Extension:jpe
		//JPEG image 	- MimeType:image/jpeg 	- Image Extension:jpeg
		//JPEG image 	- MimeType:image/jpeg 	- Image Extension:jpg
		//TIF image 	- MimeType:image/tiff 	- Image Extension:tif
		//TIF image 	- MimeType:image/tiff 	- Image Extension:tiff
		//Bitmap 		- MimeType:image/bmp 	- Image Extension:bmp
		//GIF 			- MimeType:image/gif 	- Image Extension:gif
		
		boolean isImage=false;
		String mimeType = new MimetypesFileTypeMap().getContentType(new File(filePath));
		
		if(mimeType.equalsIgnoreCase("image/jpeg ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/jpeg ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/tiff ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/bmp ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/gif ")) {
			isImage=true;
		}else {
			isImage=false;
		}
	return isImage;
	}

 

Complete Source Code – ImageValidation .java

package com.narayanatutorial;

import java.io.File;

import java.util.Iterator;

import javax.activation.MimetypesFileTypeMap;
import javax.imageio.ImageIO;

import javax.imageio.ImageReader;

import javax.imageio.metadata.IIOMetadata;

import javax.imageio.stream.ImageInputStream;

public class ImageValidation {

	public static void main(String[] args) {

		try {
			String imageFilePath="D:/Sample.jpg";
			boolean flag = validateImageReader(imageFilePath);
			if (flag) {
				System.out.println("Valid Image");
			} else {
				System.out.println("InValid Image");
			}
			
			//validateWithImageMiMEType
			
			flag = validateWithImageMiMEType(imageFilePath);
			if (flag) {
				System.out.println("Valid Image");
			} else {
				System.out.println("InValid Image");
			}

		} catch (Exception e) {

			e.printStackTrace();
		}
	}

	public static boolean validateImageReader(String imageFilePath) throws Exception {
		File file = new File(imageFilePath);
		ImageInputStream imageInputStream = ImageIO.createImageInputStream(file);
		Iterator<ImageReader> readers = ImageIO.getImageReaders(imageInputStream);
		imageInputStream.flush();
		imageInputStream.close();
		String imageFormatName = "";
		boolean isImage;
		if (!readers.hasNext()) {
			isImage = false;
		} else {
			ImageReader reader = readers.next();
			imageFormatName = reader.getFormatName();
			if ("jpeg".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "jpeg";
			} else if ("png".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "png";
			} else if ("jpg".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "jpg";
			} else if ("gif".equalsIgnoreCase(reader.getFormatName())) {
				isImage = true;
				imageFormatName = "gif";
			} else {
				isImage = false;
			}
		}

		String mimeType = new MimetypesFileTypeMap().getContentType(file);
		System.out.println("mimeType:" + mimeType);
		System.out.println("Is Image Format: " + isImage);

		System.out.println("Image Format: " + imageFormatName);
		return isImage;
	}
	
	public static boolean validateWithImageMiMEType(String filePath) throws Exception {
		//JPEG image    - MimeType:image/jpeg  - Image Extension:jpe
		//JPEG image 	- MimeType:image/jpeg 	- Image Extension:jpeg
		//JPEG image 	- MimeType:image/jpeg 	- Image Extension:jpg
		//TIF image 	- MimeType:image/tiff 	- Image Extension:tif
		//TIF image 	- MimeType:image/tiff 	- Image Extension:tiff
		//Bitmap 		- MimeType:image/bmp 	- Image Extension:bmp
		//GIF 			- MimeType:image/gif 	- Image Extension:gif
		
		boolean isImage=false;
		String mimeType = new MimetypesFileTypeMap().getContentType(new File(filePath));
		
		if(mimeType.equalsIgnoreCase("image/jpeg ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/jpeg ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/tiff ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/bmp ")) {
			isImage=true;
		}else if(mimeType.equalsIgnoreCase("image/gif ")) {
			isImage=true;
		}else {
			isImage=false;
		}
	return isImage;
	}
}

 

How To Validate URL Image

You can validate the Image URL either the URL contains the Image or not. If not we can restrict the URL.

URLImageValidation.java

package com.narayanatutorial;

import java.awt.Image;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.net.URL;
import javax.imageio.ImageIO;

public class URLImageValidation {

	public static void main(String[] args) {
		//enter image url
		String urlPath = "https://<host-name>/logo2.png";
		boolean flag = validateURLImage(urlPath);
		System.out.println("isImage:" + flag);

	}
	
	public static boolean validateURLImage(String urlPath) {
		boolean flag = false;
		Image image = null;
		try {
			URL url = new URL(urlPath);
			image = ImageIO.read(url);
			System.out.println("image:" + image);
			if (null == image) {
				System.out.println("not valid Image");
				flag = false;
			} else {
				System.out.println("valid Image");
				flag = true;
			}
		} catch (IOException e) {
			System.out.println(e.getMessage());
			e.printStackTrace();
			flag = false;
		} catch (Exception e) {
			e.printStackTrace();
			flag = false;
		}
		return flag;
	}

	
}