From 373e9d166e89410aa4abe08633f44889ebd90550 Mon Sep 17 00:00:00 2001
From: Tom Jordahl
Date: Wed, 24 Oct 2018 14:00:15 -0400
Subject: [PATCH 1/2] Do not call SecurityUtils.getValidFilePath when processing a Multipart form as it will reject almost anything a user might put there. Just use the base filename
---
 .../proxy/internal/servlet/AwsProxyHttpServletRequest.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java b/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
index 120eeacb0..cfc226d7e 100644
--- a/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
+++ b/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
@@ -25,6 +25,7 @@
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.input.NullInputStream;
 import org.slf4j.Logger;
@@ -63,6 +64,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.io.File;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
@@ -685,7 +687,7 @@ private String[] getFormBodyParameterCaseInsensitive(String key) {
 }
- @SuppressFBWarnings("FILE_UPLOAD_FILENAME")
+ @SuppressFBWarnings({"FILE_UPLOAD_FILENAME", "WEAK_FILENAMEUTILS"})
 private Map getMultipartFormParametersMap() {
 if (multipartFormParameters != null) {
 return multipartFormParameters;
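Review bot: The `WEAK_FILENAMEUTILS` entry added to `@SuppressFBWarnings` silences a finding (commons-io `FilenameUtils` before 2.7 does not reject embedded NUL bytes) without recording why it is acceptable here, so the next reader cannot tell whether it was assessed or just muted. I would record the reasoning next to it, e.g. `// WEAK_FILENAMEUTILS: the name comes from FileItem.getName(), which in commons-fileupload 1.3+ already rejects NUL bytes (InvalidFileNameException); getName() here only strips directory components and the value is kept as part metadata, not used to open files`. Both facts that comment relies on — the commons-fileupload version and that nothing in this class opens a file by this name — are outside the visible lines, so confirm them before committing it. `getMultipartFormParametersMap` continues past the end of this hunk.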
@@ -701,7 +703,7 @@ private Map getMultipartFormParametersMap() {
 try {
 List items = upload.parseRequest(this);
 for (FileItem item : items) {
- String fileName = SecurityUtils.getValidFilePath(item.getName(), true);
+ String fileName = FilenameUtils.getName(item.getName());
 AwsProxyRequestPart newPart = new AwsProxyRequestPart(item.get());
 newPart.setName(fileName);
 newPart.setSubmittedFileName(item.getFieldName());
From 22101e1a69e5a92fef3b49ede70d0513e17b8dd8 Mon Sep 17 00:00:00 2001
From: Tom Jordahl
Date: Wed, 24 Oct 2018 14:11:58 -0400
Subject: [PATCH 2/2] Unused import
---
 .../proxy/internal/servlet/AwsProxyHttpServletRequest.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java b/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
index cfc226d7e..303ac218b 100644
--- a/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
+++ b/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/internal/servlet/AwsProxyHttpServletRequest.java
@@ -64,7 +64,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
-import java.io.File;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
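Review bot: `FilenameUtils.getName(item.getName())` on the added line drops directory components but is not a complete sanitizer: it returns `.` or `..` unchanged when that is the final segment (`getName("x/..")` yields `..`), and it returns null when `item.getName()` is null, which commons-fileupload's `FileItem` reports for non-file form fields, so `newPart.setName(null)` follows. Any consumer that resolves this name against a directory still has a traversal case, so I would reject the dot names right after the call: `if (".".equals(fileName) || "..".equals(fileName)) { throw new FileUploadException("invalid file name in multipart request"); }` — `parseRequest` already throws `FileUploadException` inside this try, though the matching catch is outside the hunk, so check that rejecting the whole request is the behaviour you want. Separately, and pre-existing rather than introduced here, `newPart.setName(fileName)` together with `newPart.setSubmittedFileName(item.getFieldName())` looks inverted relative to the servlet `Part` contract (`getName()` is the field name, `getSubmittedFileName()` the client file name); worth confirming against `AwsProxyRequestPart`. The enclosing method starts and ends outside this hunk.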