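# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

module Contrast
  module Agent
    module Protect
      module Rule
        # Matches the filename supplied by the Agent InputAnalysis against the
        # substring and extension lists below. Mixed into the rule that owns the
        # Unsafe File Upload check; every predicate here is pure (no state, no
        # I/O) and returns the same answer for the same input.
        module UnsafeFileUploadMatcher
          # Substrings whose presence in a filename is treated as suspicious.
          # `..` is a two-character token, so the match must be a substring test
          # rather than a per-character test (see suspicious_chars?).
          # NOTE(review): the third entry renders as U+FFFD (replacement character)
          # in this copy of the file — confirm the intended byte against the
          # repository source before relying on it.
          EXPLOIT_CHARS = %w[.. ; � < > ~ *].cs__freeze
          # Extensions that can be executed on the server side or can be dangerous on the client side:
          # https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
          # Compared case-insensitively against the LAST extension only
          # (File.extname), so a name such as `evil.php.jpg` is not flagged here.
          EXPLOITABLE_EXTENSIONS = %w[.php .exe .rb .jsp .pht .phtml .shtml .asa .cer .asax .swf .xap].cs__freeze

          # Match the user input to see if the filename contains a suspicious
          # substring or an exploitable file extension.
          #
          # @param input [String, nil] The filename
          # extracted from the current request
          # @return [Boolean] true when either check matches; false for nil or
          #   non-String input, since there is then no filename to inspect
          #   (the original raised NoMethodError on nil).
          def unsafe_match? input
            return false unless input.is_a?(String)

            suspicious_chars?(input) || suspicious_extensions?(input)
          end

          private

          # Substring test against EXPLOIT_CHARS. The previous per-character
          # scan (`input.chars.any?`) could never match the two-character `..`
          # token; testing whether the input *contains* each token is identical
          # for single-character tokens and also catches `..`.
          #
          # @param input [String] The filename
          # extracted from the current request
          # @return [Boolean]
          def suspicious_chars? input
            EXPLOIT_CHARS.any? { |token| input.include?(token) }
          end

          # Case-insensitive comparison of the filename's extension, as reported
          # by File.extname (the final `.xxx` segment only), against
          # EXPLOITABLE_EXTENSIONS.
          #
          # @param input [String] The filename
          # extracted from the current request
          # @return [Boolean]
          def suspicious_extensions? input
            EXPLOITABLE_EXTENSIONS.include? File.extname(input).downcase
          end
        end
      end
    end
  end
end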