github-advanced-security[bot] commented on code in PR #1215:
URL: https://github.com/apache/struts/pull/1215#discussion_r1945850716
##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -154,10 +142,10 @@
protected void processNormalFormField(FileItem item, String charset)
throws UnsupportedEncodingException {
try {
- LOG.debug("Item is a normal form field");
+ String fieldName = item.getFieldName();
+ LOG.debug("Item: {} is a normal form field",
normalizeSpace(fieldName));
Review Comment:
## Logging should not be vulnerable to injection attacks
<!--SONAR_ISSUE_KEY:AZTaSXPsbZEgA2nfhi9s-->Change this code to not log
user-controlled data. <p>See more on <a
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZTaSXPsbZEgA2nfhi9s&open=AZTaSXPsbZEgA2nfhi9s&pullRequest=1215";>SonarQube
Cloud</a></p>
[Show more
details](https://github.com/apache/struts/security/code-scanning/976)
##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java:
##########
@@ -194,4 +191,32 @@
return patternsChecker.isExcluded(fileName).isExcluded();
}
+ protected boolean isInvalidInput(String fieldName, String fileName) {
+ // Skip file uploads that don't have a file name - meaning that no
file was selected.
+ if (fileName == null || fileName.trim().isEmpty()) {
+ LOG.debug(() -> "No file has been uploaded for the field: " +
normalizeSpace(fieldName));
+ return true;
+ }
+
+ if (isExcluded(fileName)) {
+ String normalizedFileName = normalizeSpace(fileName);
+ LOG.debug("File name [{}] is not accepted", normalizedFileName);
+ errors.add(new LocalizedMessage(getClass(),
STRUTS_MESSAGES_UPLOAD_ERROR_ILLEGAL_CHARACTERS_NAME, null,
+ new String[]{normalizedFileName}));
+ return true;
+ }
+
+ return isInvalidInput(fieldName);
+ }
+
+ protected boolean isInvalidInput(String fieldName) {
+ if (isExcluded(fieldName)) {
+ String normalizedFieldName = normalizeSpace(fieldName);
+ LOG.debug("Form field [{}] is rejected!", normalizedFieldName);
Review Comment:
## Logging should not be vulnerable to injection attacks
<!--SONAR_ISSUE_KEY:AZTaSXRkbZEgA2nfhi-E-->Change this code to not log
user-controlled data. <p>See more on <a
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZTaSXRkbZEgA2nfhi-E&open=AZTaSXRkbZEgA2nfhi-E&pullRequest=1215";>SonarQube
Cloud</a></p>
[Show more
details](https://github.com/apache/struts/security/code-scanning/977)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
