EMPT-41: Prevent upload of executable and script files. #54
Conversation
| @@ -345,6 +345,12 @@ public static double getCompressionRatio(double fileByteSize, double maxByteSize | |||
| */ | |||
| public static ContentFamily getContentFamily(String mimeType) { | |||
| ContentFamily contentFamily = ContentFamily.OTHER; | |||
| if (StringUtils.equals(mimeType, "some type")) { | |||
There was a problem hiding this comment.
Unfortunately i haven't been able to get the correct MIME type for all executables.
i think that i could use application/octet-stream according to https://www.lifewire.com/file-extensions-and-mime-types-3469109 but i think it isn't right basing on the iana media types
There was a problem hiding this comment.
@jnsereko maybe take it the other way around. Think of a couple of obviously insecure file types (.js, .exe, .sh, .sql, ... etc) and see what the MIME types are for those guys, and start building an exclusion list that way.
You could probably start with:
application/octet-streamtext/javascript(and its cousins, see here).
There was a problem hiding this comment.
Yes, just denying the upload of aplication/octet-stream and text/javascript would be a big improvement over what we have now (which is no filtering).
Building that initial functionality is the difficult part. Once we have it for one or two mime-types we can always extend it to include others if we need to.
| if (StringUtils.equals(mimeType, "some type")) { | ||
| contentFamily = ContentFamily.EXECUTABLE; | ||
| } | ||
| if (StringUtils.equals(mimeType, "some type")) { |
There was a problem hiding this comment.
Unfortunately i haven't been able to get the correct MIME type for all scripts.
There was a problem hiding this comment.
why not simply check the type you wana exclude here and return the appropriate message
| @@ -12,6 +12,8 @@ | |||
| public class AttachmentsConstants { | |||
|
|
|||
| public static enum ContentFamily { | |||
| EXECUTABLE, | |||
| SCRIPT, | |||
| @@ -345,6 +345,12 @@ public static double getCompressionRatio(double fileByteSize, double maxByteSize | |||
| */ | |||
| public static ContentFamily getContentFamily(String mimeType) { | |||
| ContentFamily contentFamily = ContentFamily.OTHER; | |||
| if (StringUtils.equals(mimeType, "some type")) { | |||
There was a problem hiding this comment.
@jnsereko maybe take it the other way around. Think of a couple of obviously insecure file types (.js, .exe, .sh, .sql, ... etc) and see what the MIME types are for those guys, and start building an exclusion list that way.
You could probably start with:
application/octet-streamtext/javascript(and its cousins, see here).
mks-d
changed the title
| @@ -70,7 +69,9 @@ | |||
| public static final String INSTRUCTIONS_PREFIX = "instructions"; | |||
|
|
|||
| public static final String UNKNOWN_MIME_TYPE = "application/octet-stream"; | |||
|
|
|||
|
|
|||
| public static final String[] EXECUTABLE_MIME_TYPE = {"application/octet-stream", "type/javascript"}; | |||
There was a problem hiding this comment.
public static final List<String> EXECUTABLE_MIME_TYPES = Arrays.asList("application/octet-stream", "type/javascript");(TYPES, plural)
| if (getMimeType(mimeType)) { | ||
| contentFamily = ContentFamily.EXECUTABLE; | ||
| } |
There was a problem hiding this comment.
if (EXECUTABLE_MIME_TYPES.contains(mimeType)) {
contentFamily = ContentFamily.EXECUTABLE;
}There was a problem hiding this comment.
I have implemented suggestions and added tests. Thanks
api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
Show resolved
Hide resolved
api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
Show resolved
Hide resolved
|
Thanks @mks-d @isears @sherrif10 @HerbertYiga for reviewing this. I have added mime types for .py files, .jar files, .php files, .sh files, .exe files, .sql files, and visual basic files |
api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
Outdated
Show resolved
Hide resolved
...1.10/src/test/java/org/openmrs/module/attachments/rest/AttachmentRestController1_10Test.java
Outdated
Show resolved
Hide resolved
omod-1.10/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource1_10.java
Show resolved
Hide resolved
| @@ -69,6 +73,9 @@ | |||
|
|
|||
| public static final String UNKNOWN_MIME_TYPE = "application/octet-stream"; | |||
|
|
|||
| public static final List<String> EXECUTABLE_MIME_TYPES = Arrays.asList("application/vnd.microsoft.portable-executable", | |||
| "text/javascript", "application/javascript", "application/sql", "application/x-sh", "application/java-archive" "application/x-httpd-php","application/x-vbs", "application/x-python-code", "text/vbscript", "text/x-python"); | |||
There was a problem hiding this comment.
It seems like mimetypes can get pretty crazy, but maybe we should add in application/x-ms-installer and application/x-elf as well @jnsereko
There was a problem hiding this comment.
I'd probably drop application/sql from the list. Also, a few additions:
application/x-applescriptapplication/x-rubyapplication/x-perlapplication/wasm
That should cover many of the more common scripting languages (I can't find any even semi-standard MIME Types for batch and ps1 files).
There was a problem hiding this comment.
Hello @ibacher i have removed the application/sql mime type added added more as you suggested. I guess this catch is good for the start.
@mks-d @isears @sherrif10 @dkayiwa
omod-1.10/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource1_10.java
Show resolved
Hide resolved
jnsereko
force-pushed
the
EMPT-41
branch
4 times, most recently
from
49d452c
to
39033f9
Compare
| @@ -439,6 +439,27 @@ public void postAttachment_shouldNotUploadFileAboveSizeLimit() throws Exception | |||
| SimpleObject response = deserialize(handle(request)); | |||
| } | |||
|
|
|||
| @Test(expected = IllegalRequestException.class) | |||
| public void postAttachment_shouldNotUplodExecutbleFile() throws Exception { | |||
There was a problem hiding this comment.
There's a typo here by maybe rename this to postAttachment_shouldThrowOnExecutableFile.
There was a problem hiding this comment.
hey @mks-d I have changed the test method name..
Basing on the discussion we had at https://talk.openmrs.org/t/attachment-functionality-of-openmrs-reference-application-is-vulnerable/33208/7.
this functionality is to prevent upload of an executable or a script in order to prevent vulnerabilities in this module.
I haven't created any ticket for this feature. That is the reason why i haven't attached its link here.
cc @isears @HerbertYiga @sherrif10