Note
Java was chosen but the ideas behind the proposed code can be applied to other languages.
💻This project provides different utilities methods to apply processing from a security perspective. These code snippet:
- Can be used, as "foundation", to customize the validation to the app context.
- Were implemented in a way to facilitate adding or removal of validations depending on usage context.
- Were centralized into one class to be able to enhance them across time as well as handle missing case/bug.
🔬I uses it, as a sandbox, to create/test/provide remediation code proposals when I perform web assessment or secure code review activities.
Caution
I do not claim (and will never claim) that the proposed code is 100% effective, these are simply practical tests of ideas regarding security issues I have encountered.
📍The project will not be deployed, as an artefact, into the Maven repository or the GitHub Package repository because the code provided is intended to be tailored to the business and technical context of the application.
Note
The tips and code snippets provided enrich the advices provided by the OWASP File Upload Cheat Sheet.
flowchart TB
A[File received] --> B("🔬Call corresponding isXXXSafe() methods")
B --> C{🤔File is safe?}
C -->|No| E[❌File rejected]
C -->|Yes| D("🔬Call sanitizeFile() methods")
D --> F{🤔Exception occur?}
F -->|Yes| E
F -->|No| G[✅File accepted]
📝Code is centralized into the class SecurityUtils.
🧪Unit tests are centralized into the class TestSecurityUtils.
📖Conventions used:
- One utility methods in SecurityUtils class is associated to one unit test methods in TestSecurityUtils class: Both with the same name.
- All tests data are stored into the resources folder of the test area.
- Each utility methods have a single goal and is fully documented in terms of usage as well as Internet references used.
The javadoc of the class SecurityUtils is exposed here.
👨💻The repository can be open directly into Intellij IDEA.
💻Maven command to run all the unit tests:
$ mvn clean test
[INFO] ------------------------------------------------
[INFO] T E S T S
[INFO] ------------------------------------------------
[INFO] Running eu.righettod.TestSecurityUtils
[INFO] Tests run: 8, Failures: 0, Errors: 0, Skipped: 0