Farash,
On 8/9/22 09:23, Farash Ahamad wrote:
Hi Chris,
There is an application portal running on tomcat used by many users, where
they create profiles, upload documents, etc.
When they upload a document via the portal, the application pushes it to sftp
on another server, but sometimes a copy is stored in the root directory of the
tomcat server with the exact details (filename, size, etc.).
So your users upload to your application, which then uploads the file
via sftp?
My guess is that your application does something like this:
import java.io.*;
import javax.servlet.http.*;

// Sketch of the suspected handler: the unsanitized filename, the relative
// path and the missing finally/delete are the defects discussed below.
public void service(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    String filename = request.getParameter("filename");  // straight from the client
    InputStream in = request.getInputStream();
    OutputStream out = new FileOutputStream(filename);   // relative to Tomcat's working dir
    byte[] buf = new byte[8192];
    int n;
    while ((n = in.read(buf)) != -1) {
        out.write(buf, 0, n);
    }
    out.close();   // never reached if anything above throws
    in.close();
    FTPClient client = new FTPClient();   // schematic: whatever sftp client the app uses
    client.connect();
    client.put(filename);                 // the local copy is never deleted
}
By using the Tomcat server as a temporary location for files, there is
the possibility that uploaded files will stick around in that directory,
especially if the code isn't very careful about resource management and
error handling.
I would immediately audit your code for the following:
1. Proper destination directory. If users can upload files to your
Tomcat directory, what happens if I upload a .jsp file and then request
that file over HTTP from your server? Will it execute the file? :0 You
should write all files into the container-provided temp directory. Ask
if you don't know what this is.
2. Filename sanitization. If a user can upload a file, can they
overwrite local files? Can they perform directory-traversals? What
happens if I upload /etc/passwd or conf/server.xml?
3. Proper resource management (e.g. look for close() and delete() for
everything you do locally)
4. Maybe you don't even need to store the file locally. Does your sftp
client library allow you to stream files directly to the remote server?
It would be better to never write the file bytes onto the Tomcat server
in the first place.
Hope that helps,
-chris
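As an added example of the four audit points above (this is not code from the thread or from Farash's application), here is an upload handler written against the standard javax.servlet API that Tomcat 9 provides. SftpSink is a hypothetical interface standing in for whatever sftp library the application really uses; how it is wired into the servlet is left to the application.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.UUID;
import java.util.regex.Pattern;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the thread: an upload handler that follows the
 * four audit points above. SftpSink is a hypothetical stand-in for whatever
 * sftp library the application really uses.
 */
public class UploadServlet extends HttpServlet {

    /** Hypothetical abstraction over the application's sftp client. */
    public interface SftpSink {
        void upload(String remoteName, InputStream content) throws IOException;
    }

    // Allow-list for the client-supplied name: no separators, no leading dot,
    // and only the document types the portal is said to accept.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-][A-Za-z0-9._-]{0,120}\\.(?i:pdf|png|jpe?g)");

    private final SftpSink sink;

    public UploadServlet(SftpSink sink) {
        this.sink = sink;
    }

    /**
     * Item 2: accept only a bare file name. "/etc/passwd", "conf/server.xml",
     * "..\\x", "" and names with a NUL byte all come back null.
     */
    static String sanitizeFilename(String raw) {
        if (raw == null || raw.indexOf('\0') >= 0) return null;
        if (!SAFE_NAME.matcher(raw).matches()) return null;
        // Belt and braces: exactly one path element and not absolute.
        Path p = Paths.get(raw);
        if (p.isAbsolute() || p.getNameCount() != 1) return null;
        return raw;
    }

    /** Item 1: the container-provided temp directory, never the webapp or Tomcat's CWD. */
    private Path tempDir() {
        ServletContext ctx = getServletContext();
        return ((java.io.File) ctx.getAttribute(ServletContext.TEMPDIR))
                .toPath().toAbsolutePath().normalize();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = sanitizeFilename(req.getParameter("filename"));
        if (name == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unacceptable filename");
            return;
        }
        // Item 4: stream the body straight to sftp; nothing is written on the Tomcat host.
        try (InputStream in = req.getInputStream()) {
            sink.upload(name, in);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Fallback when the sftp library insists on a local file: spool under the
     * temp dir with a random name (items 1 and 3) and delete it in finally, so
     * a failed upload cannot leave a copy behind.
     */
    void spoolThenUpload(String safeName, InputStream in) throws IOException {
        Path spool = tempDir().resolve(UUID.randomUUID() + ".upload");
        try {
            try (OutputStream out = Files.newOutputStream(spool, StandardOpenOption.CREATE_NEW)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            }
            try (InputStream spooled = Files.newInputStream(spool)) {
                sink.upload(safeName, spooled);
            }
        } finally {
            Files.deleteIfExists(spool);
        }
    }
}
```

Two notes on the design. The extension allow-list is not a substitute for item 1: a file that is never written under the webapp or Tomcat's working directory cannot be served back as a .jsp whatever its name says, so the temp-dir rule stands on its own. And the streaming path in doPost is the one to aim for; JSch, for instance, exposes ChannelSftp.put(InputStream, String), which lets the request body go straight to the remote host, so the spool fallback is only needed if the library in use has no such call.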
On Tue, Aug 9, 2022 at 4:18 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Farash,
On 8/9/22 04:55, Farash Ahamad wrote:
Just to add, the file is getting uploaded to the SFTP server, but there is an
exact copy on the tomcat server as well.
Can you give more details? Is a human user pushing via sftp to your
Tomcat server? Or is your Tomcat-deployed application pushing via sftp
to another server? Or something more complicated?
Is the Tomcat server hosting the sftp server / destination?
-chris
On Tue, Aug 9, 2022 at 11:46 AM Mark Thomas <ma...@apache.org> wrote:
This will always be an application issue.
Mark
On 09/08/2022 09:41, Farash Ahamad wrote:
Dear All,
I am observing that several documents (pdf, png, jpeg, etc) which the
end user uploads in the application are getting stored in the tomcat /
directory.
I would like to understand whether this is a bug in the application code
or in tomcat.
Application based on: Java Spring Boot 2.1.3
Tomcat version: 9.0.41
OS Version: RHEL 7.9
Document Destination: SFTP server (Unified gluster FS through Serv-U)
Appreciate your help.
Thanks & Regards,
Farash Ahamad
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org