2020-06-30 12:48:07 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
|
|
|
|
|
|
|
|
|
|
if (ServletFileUpload.isMultipartContent(request)) {
|
|
|
|
|
|
|
|
|
|
FileItemFactory factory = new DiskFileItemFactory();
|
|
|
|
|
ServletFileUpload upload = new ServletFileUpload(factory); // Noncompliant
|
|
|
|
|
// ...
|
|
|
|
|
----
|
|
|
|
|
|
2021-02-17 12:23:45 +01:00
|
|
|
== See
|
|
|
|
|
|
|
|
|
|
* https://cwe.mitre.org/data/definitions/434[CWE-434] - Unrestricted Upload of File with Dangerous Type
|
|
|
|
|
* https://cwe.mitre.org/data/definitions/400.html[CWE-400] - Uncontrolled Resource Consumption
|
|
|
|
|
* https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References[OWASP Top 10 2017 Category A4] - Insecure Direct Object References
|
|
|
|
|
* https://www.owasp.org/index.php/Unrestricted_File_Upload[OWASP Unrestricted File Upload] - Unrestricted File Upload
|
|
|
|
|
* https://wiki.sei.cmu.edu/confluence/display/java/IDS56-J.+Prevent+arbitrary+file+upload[CERT, IDS56-J.] - Prevent arbitrary file upload
|
|
|
|
|
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
