HiveBrain v1.2.0
Get Started
← Back to all entries
patternjavaModerate

Placing secure data in Java web application

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
placingsecureapplicationjavawebdata

Problem

This post is complementary to this one
I asked the question about implementing DropBox's "Share link" functionality on the server side in the most "secure" way. Of course, real security involves at least password-based authentication, not this "security by obscurity" approach, but the guys from DropBox managed to implement this somehow :)

Here is the code I've written for this task. I would be grateful for any comments and criticism for this small piece of code.

```
package com.test;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
*
* @author Anton P. Kolosov
*/
public class ObscureSecureServlet extends HttpServlet {

private static final Pattern UUID_PATTERN = Pattern.compile("^[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}$", Pattern.CASE_INSENSITIVE);
private String basePath;

/**
* Initialization routines
* @param config Servlet configuration
* @throws ServletException
*/
public void init(ServletConfig config) throws ServletException {

super.init(config);

basePath = config.getInitParameter("basePath");
}

/**
* Processes requests for both HTTP GET and POST methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String res = request.getParameter("res");

Solution

You check that res must match a specific pattern, but name seems to be free game. What if a user calls this with values like:

  • ../../../../etc/passwd



  • ../../../../../../home/jack/.ssh/id_rsa



  • ...



Avoid concatenating path segments with / separator. Let the two-argument constructor of File do that for you. If you have three path segments then use an intermediary file insurance.

You used try-with-resources nicely in processRequest but not in other places. It would be good to use that technique everywhere when working with closeable resources.

Context

StackExchange Code Review Q#93998, answer score: 10

Revisions (0)

No revisions yet.