
I have a requirement to upload files using my Java - Spring web application.

While uploading files to the web application, I need to check the type of file being uploaded. As per my requirement, I need to allow zipped files to be uploaded.

To deal with the security concerns, the zip file should be screened for executable files or unwanted file types, assuming I have a list of malicious file types.

Kindly suggest how I can find out the content type of the files in a zip, using Java.

manoj
  • possible duplicate of http://stackoverflow.com/questions/14778980/how-to-read-content-of-the-zipped-file-without-extracting-in-java – swapedoc Jul 23 '15 at 13:23
  • @swapedoc I checked the link, but the answer is not helpful for me. – manoj Jul 23 '15 at 13:25
  • not even this? http://javabeginnerstutorial.com/code-base/how-to-read-text-file-from-zip-archive/ – swapedoc Jul 23 '15 at 13:30
  • @fge, Java version: 1.7.0_79 – manoj Jul 23 '15 at 13:33
  • @swapedoc, I have a specific need to find out the file types, and I need to raise proper exceptions when the zipped file contains executable/risky files. – manoj Jul 23 '15 at 13:35

3 Answers

I suggest to try the following:

  1. Use the Zip File System Provider to access ZIP files using the NIO.2 File API: https://docs.oracle.com/javase/7/docs/technotes/guides/io/fsp/zipfilesystemprovider.html
  2. Walk the file tree: https://docs.oracle.com/javase/tutorial/essential/io/walk.html (there are also methods supporting Java SE 8 Streams).
  3. Perform the checks, e.g. using Files.isExecutable
Puce

Your main concern is to find whether a zip file contains executable files or not. For this you can search the contents of the zip file to read the file names; from the file names you can find which file is an executable file.

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Lists every entry name in the archive without extracting anything
public static void printFileList(String filePath) {
    // try-with-resources (Java 7) closes the streams even when an exception is thrown;
    // the original closed zipIs only on the success path and never closed fis
    try (ZipInputStream zipIs = new ZipInputStream(new BufferedInputStream(new FileInputStream(filePath)))) {
        ZipEntry zEntry;
        while ((zEntry = zipIs.getNextEntry()) != null) {
            System.out.println(zEntry.getName());
        }
    } catch (IOException e) { // FileNotFoundException is a subclass of IOException
        e.printStackTrace();
    }
}

Input

C:\\Users\\Desktop\\New.zip

Output

New/contactsManager
New/log.txt
New/timesheet.PNG

From the output file names you can find the .exe files.

Sidharth Dash

Before anything else, you need to rewrite the file. Zip files are "surprising". Read the contents, check, write out to a new archive. It's not unusual to go one further and rewrite the contained files (for instance, web sites will typically rewrite user-uploaded images).

Other things you should look out for are directory traversal attacks and denial of service (zip bombs).

Generally you should whitelist, not blacklist. Probably you want to check both file extension (and probably check that there are no more dots) and magic number (typically first four bytes) agree. Implementations of the UNIX command magic may help you.

There are some peculiarities. For instance, zip files themselves can be read from the back (see GIFAR). Some programs will ignore invalid input and skip to something that they can understand. Possibly a target program will do an extra layer of unwrapping, say a gunzip.

Tom Hawtin - tackline
  • Yes, I want to whitelist instead of blacklist. I can't check the file extension alone; there can be a file with an altered extension. – manoj Jul 23 '15 at 14:55
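Putting the whitelist, magic-number, path-traversal and zip-bomb points from the answers above into one screening routine, as an added example that is not from the question or any of the answers; the allowed extensions, their leading bytes and the size and entry limits are assumed policy values, not anything the thread specifies:

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

public class ZipUploadScreener {
    // Whitelist (assumed policy): lowercase extension -> expected leading bytes
    private static final Map<String, byte[]> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G'});
        ALLOWED.put("pdf", new byte[] {'%', 'P', 'D', 'F'});
    }
    private static final long MAX_TOTAL_BYTES = 50L * 1024 * 1024; // zip-bomb guard (assumed)
    private static final int MAX_ENTRIES = 1000;                   // assumed limit

    /** Returns the violations found; an empty list means the archive passed screening. */
    public static List<String> screen(InputStream upload) throws IOException {
        List<String> violations = new ArrayList<>();
        long total = 0; int count = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zip = new ZipInputStream(new BufferedInputStream(upload))) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                String name = entry.getName();
                if (++count > MAX_ENTRIES) { violations.add("too many entries"); break; }
                // directory traversal: reject "..", absolute paths and Windows separators/drives
                if (name.contains("..") || name.startsWith("/") || name.contains("\\") || name.contains(":")) {
                    violations.add(name + ": suspicious path"); continue;
                }
                if (entry.isDirectory()) continue;
                String base = name.substring(name.lastIndexOf('/') + 1);
                String[] parts = base.split("\\.");
                // exactly one dot ("photo.png.exe" fails) and a whitelisted extension
                byte[] magic = parts.length == 2 ? ALLOWED.get(parts[1].toLowerCase(Locale.ROOT)) : null;
                if (magic == null) violations.add(name + ": extension not allowed");
                // Read the whole entry: getSize() comes from the header and can lie, so measure while streaming
                byte[] head = new byte[4]; int headLen = 0, n;
                while ((n = zip.read(buf)) > 0) {
                    int c = Math.min(4 - headLen, n);      // keep the first four bytes for the magic check
                    System.arraycopy(buf, 0, head, headLen, c);
                    headLen += c;
                    total += n;
                    if (total > MAX_TOTAL_BYTES) { violations.add("decompressed size limit exceeded"); return violations; }
                }
                if (magic != null && !Arrays.equals(head, magic))
                    violations.add(name + ": content does not match ." + parts[1]);
            }
        }
        return violations;
    }
}
```

In the Spring controller, pass the MultipartFile's getInputStream() to screen() and reject the upload when the returned list is non-empty; only an archive that passes should then be rewritten into a fresh zip as the answer suggests.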