Page 2: Java Libraries located at the End of CWE-22

Several Java libraries and tools can help prevent CWE-22 vulnerabilities through robust input validation, path normalization and access-control mechanisms. The following sections give an overview:


Apache Commons IO

Apache Commons IO provides a collection of utility classes for working with the file system, including helpers that make path traversal vulnerabilities harder to introduce.

The class FilenameUtils contains methods for normalizing and validating file names.

  import java.io.IOException;
  import org.apache.commons.io.FilenameUtils;

  String basePath = "/var/www/uploads/";
  // normalize() collapses "." and ".." segments and returns null when the
  // input climbs above its own root (e.g. "../../etc/passwd")
  String fileName = FilenameUtils.normalize(request.getParameter("file"));
  if (fileName == null) {
      throw new SecurityException("Invalid file name");
  }

  // directoryContains() expects canonical paths on both sides and throws IOException
  if (!FilenameUtils.directoryContains(basePath, basePath + fileName)) {
      throw new SecurityException("Attempted path traversal attack detected");
  }
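The snippet above glosses over two FilenameUtils behaviours a caller has to handle: normalize() returns null instead of a path when the input escapes upward, and directoryContains() only gives a reliable answer when both arguments are canonical paths. The following added example (not code from the article or from Commons IO itself) shows both; the upload root /var/www/uploads and the sample inputs are constructed for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

// Added example: safe file-name resolution with Commons IO FilenameUtils.
public class CommonsIoPathCheck {

    private static final String BASE_DIR = "/var/www/uploads"; // assumed upload root

    /** Returns the canonical path of the requested file inside BASE_DIR, or throws. */
    public static String resolveInsideBase(String userInput) throws IOException {
        // normalize() recognises both "/" and "\" as separators and yields null
        // when there are more ".." segments than directories to climb.
        String normalized = FilenameUtils.normalize(userInput);
        if (normalized == null || normalized.isEmpty()) {
            throw new SecurityException("Rejected file name: " + userInput);
        }
        // Canonicalize both sides so the OS resolves any remaining ".." and symlinks;
        // directoryContains() documents that it expects canonical paths.
        String parent = new File(BASE_DIR).getCanonicalPath();
        String child = new File(BASE_DIR, normalized).getCanonicalPath();
        if (!FilenameUtils.directoryContains(parent, child)) {
            throw new SecurityException("Attempted path traversal detected: " + userInput);
        }
        return child;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the first two stay inside the base, the last two climb out of it.
        String[] samples = {"report.txt", "sub/../report.txt", "../../etc/passwd", "..\\..\\etc\\passwd"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> allowed: " + resolveInsideBase(s));
            } catch (SecurityException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile with commons-io on the classpath. The null check is the important part: treating a null return from normalize() as an empty string would turn a rejected input into a request for the base directory itself.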

OWASP Java encoder

The OWASP Java Encoder library provides methods for encoding user input for a specific output context, which helps prevent injection attacks.

Encoder: provides methods for safely encoding user input for various contexts, including file names.

  import org.owasp.encoder.Encode;

  // Encode.forJava() escapes the input for use inside a Java string literal
  String safeFileName = Encode.forJava(request.getParameter("file"));

Apache Shiro

Apache Shiro is a powerful security framework whose robust access-control mechanisms can be used to enforce file-access policies.

Permissions: Shiro lets you define fine-grained access-control policies for file access.

  # Define file access permissions in the Shiro INI configuration
  [urls]
  /var/www/uploads/** = authc, perms["file:read"]

Spring security

Spring Security is a widely used security framework that integrates authentication and authorization mechanisms into Spring applications.

Access control: Spring Security can be configured to enforce strict access controls on file resources.

  import java.nio.file.Path;
  import org.springframework.security.access.prepost.PreAuthorize;

  // hasPermission() delegates to the PermissionEvaluator configured for method security
  @PreAuthorize("hasPermission(#filePath, 'read')")
  public void readFile(Path filePath) {
      // read file logic
  }
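The @PreAuthorize expression above only works once a PermissionEvaluator is registered; hasPermission(#filePath, 'read') is evaluated by that bean, not by Spring Security on its own. The following added example (not from the article or from the Spring Security project) implements an evaluator that confines every file access to an assumed upload directory and wires it into method security. It assumes Spring Security 6 (@EnableMethodSecurity); the directory /var/www/uploads is a placeholder.

```java
import java.io.Serializable;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Added example: PermissionEvaluator backing hasPermission(#filePath, 'read').
@Component
public class UploadDirPermissionEvaluator implements PermissionEvaluator {

    // Assumed upload root; resolved once so every comparison uses the same form.
    private static final Path BASE_DIR = Paths.get("/var/www/uploads").toAbsolutePath().normalize();

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Path)) {
            return false;
        }
        // Resolve against the base and normalize so ".." segments are collapsed;
        // an absolute input replaces the base and therefore fails the containment check.
        Path requested = BASE_DIR.resolve((Path) target).normalize();
        if (!requested.startsWith(BASE_DIR)) {
            return false; // escapes the upload directory
        }
        // Only "read" is granted by this evaluator; other operations need their own policy.
        return "read".equals(permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false; // id-based lookups are not used for file resources
    }
}

// Registers the evaluator with the method-security expression handler.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(UploadDirPermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}
```

With this in place, calling readFile(Paths.get("../etc/passwd")) is rejected with an AccessDeniedException before the method body runs, while readFile(Paths.get("report.txt")) is allowed for any authenticated caller.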

Apache Tika

Apache Tika is a library for extracting metadata and content from a wide range of file types. It also ships utility classes for safe file handling.

Tika IOUtils: helper methods for safe file operations.

  import java.io.InputStream;
  import java.nio.file.Files;
  import org.apache.tika.io.IOUtils;

  // IOUtils works on streams, not on file names: read a path that has already
  // been validated against the base directory (safePath) into a String
  try (InputStream in = Files.newInputStream(safePath)) {
      String content = IOUtils.toString(in, "UTF-8");
  }

OWASP Enterprise Security API (ESAPI)

The OWASP ESAPI library offers a comprehensive set of security controls, including utilities for file handling that help prevent path traversal attacks.

Validator: ESAPI's Validator can be used to validate file names against a configured pattern.

  import org.owasp.esapi.ESAPI;
  import org.owasp.esapi.Validator;
  import org.owasp.esapi.errors.ValidationException;

  Validator validator = ESAPI.validator();
  try {
      // "FileName" selects the Validator.FileName regex in ESAPI.properties;
      // at most 255 characters, null input not allowed
      String safeFileName = validator.getValidInput("file name",
              request.getParameter("file"), "FileName", 255, false);
  } catch (ValidationException e) {
      throw new SecurityException("Invalid file name", e);
  }

Java NIO (new I/O)

Java NIO provides modern APIs for file operations that make path manipulation and validation straightforward.

Paths and files: use java.nio.file.Path and java.nio.file.Files for safe file handling.

  import java.nio.file.Path;
  import java.nio.file.Paths;
  import java.nio.file.Files;

  Path basePath = Paths.get("/var/www/uploads/");
  Path filePath = basePath.resolve(request.getParameter("file")).normalize();

  if (!filePath.startsWith(basePath)) {
      throw new SecurityException("Attempted path traversal attack detected");
  }

  if (Files.exists(filePath)) {
      // read file logic
  }
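The resolve/normalize/startsWith check above is purely lexical: it catches "../" sequences, but a symbolic link inside the upload directory can still point outside it. The following added example (not part of the original article) generalizes the snippet into a reusable resolver that rejects absolute input, performs the lexical check and then verifies the real, symlink-resolved path as well. It assumes Java 11 or later and a Unix-like system where the demo can create a symlink; the temporary directory and files are constructed by the main method.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Added example: path containment with both a lexical and a filesystem check.
public class SafePathResolver {

    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // Resolve the base once so later comparisons use the same real path.
        this.baseDir = baseDir.toRealPath();
    }

    /** Maps untrusted input to a path under baseDir, or throws SecurityException. */
    public Path resolve(String userInput) throws IOException {
        Path candidate = Path.of(userInput);
        if (candidate.isAbsolute()) {
            throw new SecurityException("Absolute paths are not allowed: " + userInput);
        }
        // Lexical check: normalize() collapses "..", and startsWith() compares whole
        // name elements, so "/base" does not match a sibling such as "/base-old".
        Path lexical = baseDir.resolve(candidate).normalize();
        if (!lexical.startsWith(baseDir)) {
            throw new SecurityException("Attempted path traversal detected: " + userInput);
        }
        // Filesystem check: a symlink inside baseDir may point outside it.
        // toRealPath() follows links; it is only called for entries that exist.
        if (Files.exists(lexical, LinkOption.NOFOLLOW_LINKS)) {
            Path real = lexical.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("Symlink escapes base directory: " + userInput);
            }
            return real;
        }
        return lexical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: a temp upload dir with one regular file and one
        // symlink that points to a file outside the directory.
        Path base = Files.createTempDirectory("uploads");
        Path outside = Files.createTempFile("secret", ".txt");
        Files.writeString(base.resolve("report.txt"), "ok");
        Files.createSymbolicLink(base.resolve("link"), outside);

        SafePathResolver resolver = new SafePathResolver(base);
        String[] samples = {"report.txt", "sub/../report.txt", "../../etc/passwd", "link", "/etc/passwd"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> allowed: " + resolver.resolve(s));
            } catch (SecurityException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the demo accepts the first two inputs and rejects the rest; "link" passes the lexical check but is caught by the real-path comparison, which is exactly the case the plain snippet misses.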

Hibernate Validator

Hibernate Validator, the reference implementation of the Bean Validation API, can be used, among other things, to enforce validation constraints on user input.

Validation constraints: define validation constraints for file names.

  import javax.validation.constraints.Pattern;

  public class FileRequest {
      // allowlist of letters, digits, dot, underscore and hyphen; anchored so the
      // whole value must match and no path separators can appear
      @Pattern(regexp = "^[a-zA-Z0-9._-]+$")
      private String fileName;

      // getters and setters
  }
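A constraint annotation only takes effect when something runs the validator over the object. The following added example (not from the article or the Hibernate Validator project) exercises the file-name constraint with a stand-alone Validator so the allowlist can be tested without a web framework. It goes slightly beyond the snippet above by also forbidding a leading dot and adding length and blank checks; it uses the jakarta.validation namespace of Hibernate Validator 7 and later (older setups use javax.validation), and the sample inputs are constructed.

```java
import java.util.Set;
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;

// Added example: Bean Validation allowlist for file names, run outside a web framework.
public class FileRequestValidationDemo {

    public static class FileRequest {
        // Anchored allowlist: first character must not be a dot (no hidden files),
        // no separators of either kind, bounded length, not blank.
        @NotBlank
        @Size(max = 255)
        @Pattern(regexp = "^[a-zA-Z0-9_-][a-zA-Z0-9._-]*$",
                 message = "file name may only contain letters, digits, '.', '_' and '-'")
        private final String fileName;

        public FileRequest(String fileName) { this.fileName = fileName; }
        public String getFileName() { return fileName; }
    }

    /** Returns true when the candidate passes every constraint; prints each violation. */
    public static boolean isValid(Validator validator, String candidate) {
        Set<ConstraintViolation<FileRequest>> violations = validator.validate(new FileRequest(candidate));
        for (ConstraintViolation<FileRequest> v : violations) {
            System.out.println("  violation on " + v.getPropertyPath() + ": " + v.getMessage());
        }
        return violations.isEmpty();
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed inputs: the first two are acceptable, the rest must be rejected.
        String[] samples = {"report.txt", "2024-q1_summary.pdf", "../../etc/passwd",
                            "..\\secret", ".htaccess", "a/b.txt", ""};
        for (String s : samples) {
            System.out.println("'" + s + "' -> " + (isValid(validator, s) ? "accepted" : "rejected"));
        }
    }
}
```

Requires hibernate-validator and a Jakarta Expression Language implementation on the classpath (or a ParameterMessageInterpolator) for message interpolation. In a Spring MVC controller the same class is validated automatically when the parameter is annotated with @Valid.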

The Java libraries and tools presented here provide robust mechanisms for avoiding CWE-22 (path traversal) vulnerabilities. With them you can ensure that user input is validated, paths are normalized and access controls are strictly enforced. This greatly reduces the risk of unauthorized file access and raises the overall security of Java applications.

In connection with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"), several Common Vulnerabilities and Exposures (CVEs) have been reported in Java applications. They show real-world occurrences of path traversal vulnerabilities in various Java frameworks and libraries.

CVE-2020-9484

Description: Apache Tomcat HTTP/2 request smuggling and path traversal.
Affected versions: Apache Tomcat 9.0.0.M1 to 9.0.35, 8.5.0 to 8.5.55, and 7.0.0 to 7.0.104.
Details: This vulnerability allows an attacker to upload files to arbitrary locations on the server using a specially crafted request. The problem stems from unvalidated user input in file upload paths, which led to a path traversal vulnerability.
Mitigation: Update to the latest Apache Tomcat versions, which contain the patch for this vulnerability.

CVE-2019-0232

Description: Apache Tomcat remote code execution on the CGI servlet.
Affected versions: Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93.
Details: This CVE is related to a path traversal vulnerability that allows an attacker to execute arbitrary code by manipulating the CGI servlet configuration.
Mitigation: Disable the CGI servlet if it is not needed, or upgrade to a version in which the vulnerability is fixed.

CVE-2018-11784

Description: Apache Tomcat
Affected versions: 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90
Details: When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to "/foo/" when the user requested "/foo"), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
Mitigation: Update to the latest Apache Tomcat versions, which contain the patch for this vulnerability.

These CVEs illustrate how important it is to address CWE-22 vulnerabilities in Java applications. Regularly updating libraries, frameworks and application code is essential to minimize the impact of such vulnerabilities. Following best practices for input validation, path normalization and robust security configuration provides protection against path traversal attacks.

Have fun coding
Sven

