[ https://issues.apache.org/jira/browse/WW-5501?focusedWorklogId=957238&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-957238 ]

ASF GitHub Bot logged work on WW-5501:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Feb/25 07:03
            Start Date: 16/Feb/25 07:03
    Worklog Time Spent: 10m 
      Work Description: github-advanced-security[bot] commented on code in PR #1218:
URL: https://github.com/apache/struts/pull/1218#discussion_r1957256025


##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -125,7 +113,11 @@
     }
 
     protected void processFileField(FileItem item) {
-        if (isInvalidInput(item.getFieldName(), item.getName())) {
+        LOG.debug("Item is a file upload");
+
+        // Skip file uploads that don't have a file name - meaning that no 
file was selected.
+        if (item.getName() == null || item.getName().trim().isEmpty()) {
+            LOG.debug("No file has been uploaded for the field: {}", 
normalizeSpace(item.getFieldName()));

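Review bot: The removed `isInvalidInput(item.getFieldName(), item.getName())` check validated both the field name and the file name, but its replacement only tests for a null or blank file name, and nothing in this hunk's context shows where the malicious-name rejection that WW-5501 is about now happens; if it moved to a caller or to a later branch of `processFileField`, add a short comment here, because a reader of this method alone would conclude the validation was dropped. The field name is logged through `normalizeSpace(...)`; if that is Commons Lang's `StringUtils.normalizeSpace` (the import is not visible here), it does collapse the line breaks that log forging relies on, so say so in a comment to keep the scanner finding from being "fixed" later by removing it. Minor: `item.getName()` is called twice in the condition; hoisting it into a local reads better.
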
Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   Change this code to not log user-controlled data. See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_struts&issues=AZUNkWBg6LPeHtyOZc8t&open=AZUNkWBg6LPeHtyOZc8t&pullRequest=1218).
   
   [Show more details](https://github.com/apache/struts/security/code-scanning/985)



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java:
##########
@@ -351,7 +336,9 @@
      * @param location   location
      */
     protected void processFileItemStreamAsFileField(FileItemStream itemStream, 
String location) {
-        if (isInvalidInput(itemStream.getFieldName(), itemStream.getName())) {
+        // Skip file uploads that don't have a file name - meaning that no 
file was selected.
+        if (itemStream.getName() == null || 
itemStream.getName().trim().isEmpty()) {
+            LOG.debug("No file has been uploaded for the field: {}", 
normalizeSpace(itemStream.getFieldName()));

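Review bot: This blank-file-name condition and its debug message duplicate, character for character, the ones added to `JakartaMultiPartRequest.processFileField` in the same PR; a shared static helper (for example a hypothetical `isBlankFileName(String name)`) would keep the two checks from drifting apart and give one place to document the rule. As in the other hunk, the removed `isInvalidInput(itemStream.getFieldName(), itemStream.getName())` call has no visible successor in this context, so please confirm the field-name and file-name validation is still applied before the stream is accepted as an upload.
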
Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   Change this code to not log user-controlled data. See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_struts&issues=AZUNkXKc6LPeHtyOZc8v&open=AZUNkXKc6LPeHtyOZc8v&pullRequest=1218).
   
   [Show more details](https://github.com/apache/struts/security/code-scanning/986)





Issue Time Tracking
-------------------

    Worklog Id:     (was: 957238)
    Time Spent: 6h  (was: 5h 50m)

> Exclude malicious names
> -----------------------
>
>                 Key: WW-5501
>                 URL: https://issues.apache.org/jira/browse/WW-5501
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 6.7.2, 7.0.2
>
>         Attachments: image-2025-01-09-10-11-17-169.png
>
>          Time Spent: 6h
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
