Add configuration for file upload temp directory to ESAPI.properties.

planetlevel · planetlevel · commit 030e869acf92 · 2009-07-03T03:32:20.000Z
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
@@ -0,0 +1,12 @@
+#Tue Jun 30 16:06:03 EDT 2009
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.5
diff --git a/src/main/java/org/owasp/esapi/HTTPUtilities.java b/src/main/java/org/owasp/esapi/HTTPUtilities.java
@@ -31,8 +31,6 @@
 import org.owasp.esapi.errors.EncryptionException;
 import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.errors.ValidationException;
-import org.owasp.esapi.filters.ESAPIRequest;
-import org.owasp.esapi.filters.ESAPIResponse;
 
 
 /**
@@ -208,17 +206,14 @@ public interface HTTPUtilities {
 	 * This method uses {@link HTTPUtilities#getCurrentRequest()} to obtain the {@link HttpServletRequest} object
      * 
      * @param request
-     * @param tempDir
-     * 		the temporary directory
-     * @param finalDir 
-     * 		the final directory
+     * @param destination directory 
      * 
      * @return List of new File objects from upload
      * 
      * @throws ValidationException 
      * 		if the file fails validation
      */
-    List getSafeFileUploads(HttpServletRequest request, File tempDir, File finalDir) throws ValidationException;
+    List getSafeFileUploads(HttpServletRequest request, File destinationDir) throws ValidationException;
 
     /**
      * Retrieves a map of data from a cookie encrypted with encryptStateInCookie().
@@ -347,14 +342,14 @@ public interface HTTPUtilities {
      * 
      * @return the current request
      */
-    ESAPIRequest getCurrentRequest();
+    HttpServletRequest getCurrentRequest();
     
     /**
      * Retrieves the current HttpServletResponse
      * 
      * @return the current response
      */
-    ESAPIResponse getCurrentResponse();
+    HttpServletResponse getCurrentResponse();
     
     /**
      * Format the Source IP address, URL, URL parameters, and all form
@@ -386,6 +381,9 @@ public interface HTTPUtilities {
     void logHTTPRequest(HttpServletRequest request, Logger logger, List parameterNamesToObfuscate);
 
 
-	List getSafeFileUploads(HttpServletRequest request, File tempDir) throws ValidationException;
+    /**
+	 * Parse a multipart HTTP request and extract any files therein.
+	 */
+	List getSafeFileUploads(HttpServletRequest request) throws ValidationException;
 
 }
diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -118,12 +118,17 @@ public interface SecurityConfiguration {
 	public byte[] getMasterKey();
 
 	/**
-     * Retrieves the default upload directory declared in the ESAPI properties file.
-     * 
-     * @return the default upload directory declared in the ESAPI properties file
+     * Retrieves the upload directory as specified in the ESAPI.properties file.
+     * @return the upload directory
      */
     public File getUploadDirectory();
 	
+    /**
+     * Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
+     * @return the temp directory
+     */
+    public File getUploadTempDirectory();
+
 	/**
 	 * Gets the key length to use in cryptographic operations declared in the ESAPI properties file.
 	 * 
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
@@ -47,8 +47,6 @@
 import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.errors.ValidationUploadException;
-import org.owasp.esapi.filters.ESAPIRequest;
-import org.owasp.esapi.filters.ESAPIResponse;
 
 /**
  * Reference implementation of the HTTPUtilities interface. This implementation
@@ -365,8 +363,8 @@ public void encryptStateInCookie(HttpServletResponse response, Map cleartext) th
      * @param request
      * @return list of File objects for new files in final directory
 	 */
-    public List getSafeFileUploads(HttpServletRequest request, File tempDir) throws ValidationException {
-    	return getSafeFileUploads(request, tempDir, ESAPI.securityConfiguration().getUploadDirectory());
+    public List getSafeFileUploads(HttpServletRequest request) throws ValidationException {
+    	return getSafeFileUploads(request, ESAPI.securityConfiguration().getUploadDirectory());
     }
 
 	/**
@@ -379,7 +377,8 @@ public List getSafeFileUploads(HttpServletRequest request, File tempDir) throws
      * @param request
      * @return list of File objects for new files in final directory
 	 */
-	public List getSafeFileUploads(HttpServletRequest request, File tempDir, File finalDir) throws ValidationException {
+	public List getSafeFileUploads(HttpServletRequest request, File finalDir) throws ValidationException {
+        File tempDir = ESAPI.securityConfiguration().getUploadTempDirectory();
 		if ( !tempDir.exists() ) {
 		    if ( !tempDir.mkdirs() ) throw new ValidationUploadException( "Upload failed", "Could not create temp directory: " + tempDir.getAbsolutePath() );
 		}
@@ -586,40 +585,23 @@ public void setNoCacheHeaders(HttpServletResponse response) {
 	/**
 	 * {@inheritDoc}
 	 */
-    public ESAPIRequest getCurrentRequest() {
-        ESAPIRequest request = (ESAPIRequest)currentRequest.get();
-		return request;
+    public HttpServletRequest getCurrentRequest() {
+    	return (HttpServletRequest)currentRequest.get();
     }
 
     /**
 	 * {@inheritDoc}
 	 */
-    public ESAPIResponse getCurrentResponse() {
-        ESAPIResponse response = (ESAPIResponse)currentResponse.get();
-        return response;
+    public HttpServletResponse getCurrentResponse() {
+        return (HttpServletResponse)currentResponse.get();
     }
 
     /**
 	 * {@inheritDoc}
 	 */
     public void setCurrentHTTP(HttpServletRequest request, HttpServletResponse response) {
-    	ESAPIRequest safeRequest = null;
-    	ESAPIResponse safeResponse = null;
-    	
-    	// wrap if necessary
-    	if ( request instanceof ESAPIRequest ) {
-    		safeRequest = (ESAPIRequest)request;
-    	} else {
-    		safeRequest = new ESAPIRequest( request );
-    	}
-    	if ( response instanceof ESAPIResponse ) {
-    		safeResponse = (ESAPIResponse)response;
-    	} else {
-    		safeResponse = new ESAPIResponse( response );
-    	}
-    	
-    	currentRequest.set(safeRequest);
-        currentResponse.set(safeResponse);
+     	currentRequest.set(request);
+        currentResponse.set(response);
     }
 
     public void logHTTPRequest(HttpServletRequest request, Logger logger) {
@@ -676,11 +658,11 @@ public Object initialValue() {
         	return null;
         }
         
-        public ESAPIRequest getRequest() {
-            return (ESAPIRequest)super.get();
+        public HttpServletRequest getRequest() {
+            return (HttpServletRequest)super.get();
         }
 
-        public void setRequest(ESAPIRequest newRequest) {
+        public void setRequest(HttpServletRequest newRequest) {
             super.set(newRequest);
         }
     };
@@ -694,11 +676,11 @@ public Object initialValue() {
         	return null;
         }
         
-        public ESAPIResponse getResponse() {
-            return (ESAPIResponse)super.get();
+        public HttpServletResponse getResponse() {
+            return (HttpServletResponse)super.get();
         }
 
-        public void setResponse(ESAPIResponse newResponse) {
+        public void setResponse(HttpServletResponse newResponse) {
             super.set(newResponse);
         }
     };
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -93,6 +93,7 @@ public class DefaultSecurityConfiguration implements SecurityConfiguration {
     
     private static final String FORCE_HTTPONLY = "HttpUtilities.ForceHTTPOnly";
     private static final String UPLOAD_DIRECTORY = "HttpUtilities.UploadDir";    
+    private static final String UPLOAD_TEMP_DIRECTORY = "HttpUtilities.UploadTempDir";    
     private static final String APPROVED_UPLOAD_EXTENSIONS = "HttpUtilities.ApprovedUploadExtensions";
     private static final String MAX_UPLOAD_FILE_BYTES = "HttpUtilities.MaxUploadFileBytes";
     private static final String RESPONSE_CONTENT_TYPE = "HttpUtilities.ResponseContentType";
@@ -586,6 +587,14 @@ public File getUploadDirectory() {
     	return new File( dir );
     }
     
+    /**
+	 * {@inheritDoc}
+	 */
+    public File getUploadTempDirectory() {
+    	String dir = getESAPIProperty( UPLOAD_TEMP_DIRECTORY, "UploadTempDir");
+    	return new File( dir );
+    }
+    
     /**
 	 * {@inheritDoc}
 	 */
diff --git a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java
@@ -200,7 +200,7 @@ public void testGetFileUploads() throws IOException {
         MockHttpServletResponse response = new MockHttpServletResponse();
         ESAPI.httpUtilities().setCurrentHTTP(request1, response);
         try {
-            ESAPI.httpUtilities().getSafeFileUploads(request1, home, home);
+            ESAPI.httpUtilities().getSafeFileUploads(request1, home);
             fail();
         } catch( ValidationException e ) {
         	// expected
@@ -210,7 +210,7 @@ public void testGetFileUploads() throws IOException {
         request2.setContentType( "multipart/form-data; boundary=ridiculous");
         ESAPI.httpUtilities().setCurrentHTTP(request2, response);
         try {
-            List list = ESAPI.httpUtilities().getSafeFileUploads(request2, home, home);
+            List list = ESAPI.httpUtilities().getSafeFileUploads(request2, home);
             Iterator i = list.iterator();
             while ( i.hasNext() ) {
             	File f = (File)i.next();
@@ -242,7 +242,7 @@ public void testGetFileUploads() throws IOException {
         request3.setContentType( "multipart/form-data; boundary=ridiculous");
         ESAPI.httpUtilities().setCurrentHTTP(request3, response);
         try {
-            ESAPI.httpUtilities().getSafeFileUploads(request3, home, home);
+            ESAPI.httpUtilities().getSafeFileUploads(request3, home);
             fail();
         } catch (ValidationException e) {
         	// expected
diff --git a/src/test/resources/.esapi/ESAPI.properties b/src/test/resources/.esapi/ESAPI.properties
@@ -118,6 +118,7 @@ Encryptor.CharacterEncoding=UTF-8
 #
 # Default file upload location (remember to escape backslashes with \\)
 HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
+HttpUtilities.UploadTempDir=C:\\temp
 # Force HTTP only on all cookies in ESAPI SafeRequest
 HttpUtilities.ForceHTTPOnly=false
 # File upload configuration

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ Encryptor.CharacterEncoding=UTF-8`
`118`	`118`	`#`
`119`	`119`	`# Default file upload location (remember to escape backslashes with \\)`
`120`	`120`	`HttpUtilities.UploadDir=C:\\ESAPI\\testUpload`
	`121`	`+HttpUtilities.UploadTempDir=C:\\temp`
`121`	`122`	`# Force HTTP only on all cookies in ESAPI SafeRequest`
`122`	`123`	`HttpUtilities.ForceHTTPOnly=false`
`123`	`124`	`# File upload configuration`