Much appreciated your detailed response, Chris. I’ll investigate these points and try to discuss them with the developer.
Thanks once again!

On Tue, 9 Aug 2022 at 5:20 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Farash,
>
> On 8/9/22 09:23, Farash Ahamad wrote:
> > Hi Chris,
> >
> > There is an application portal running on tomcat used by many users, where
> > they create profiles, upload documents, etc.
> > When they upload the document via the portal, the application pushes it to
> > sftp on another server, but sometimes a copy is stored in the root directory
> > of the tomcat server with exact details like filename, size, etc.
>
> So your users upload to your application, which then uploads the file
> via sftp?
>
> My guess is that your application does something like this:
>
> public void service(HttpServletRequest request, HttpServletResponse response)
>         throws IOException {
>     // Filename taken straight from the client: no sanitization at all
>     String filename = request.getParameter("filename");
>     InputStream in = request.getInputStream();
>
>     // Relative path, so it lands in the JVM's working directory (the Tomcat root)
>     OutputStream out = new FileOutputStream(filename);
>     byte[] buffer = new byte[8192];
>     int n;
>     while ((n = in.read(buffer)) != -1) {
>         out.write(buffer, 0, n);
>     }
>     // No try/finally: any exception above leaks both streams and leaves the file behind
>     out.close();
>     in.close();
>
>     // Stand-in for whatever SFTP client library the application uses
>     FTPClient client = new FTPClient();
>     client.connect();
>     client.put(filename);
>     // The local copy is never deleted
> }
>
> By using the Tomcat server as a temporary location for files, there is
> the possibility that uploaded-files will stick-around in that directory,
> especially if the code isn't very careful about resource-management and
> error-handling.
>
> I would immediately audit your code for the following:
>
> 1. Proper destination directory. If users can upload files to your
> Tomcat directory, what happens if I upload a .jsp file and then request
> that file over HTTP from your server? Will it execute the file? :0 You
> should write all files into the container-provided temp directory. Ask
> if you don't know what this is.
>
> 2. Filename sanitization. If a user can upload a file, can they
> overwrite local files? Can they perform directory-traversals? What
> happens if I upload /etc/passwd or conf/server.xml?
>
> 3. Proper resource management (e.g. look for close() and delete() for
> everything you do locally)
>
> 4. Maybe you don't even need to store the file locally. Does your sftp
> client library allow you to stream files directly to the remote server?
> It would be better to never write the file bytes onto the Tomcat server
> in the first place.
>
> Hope that helps,
> -chris
>
> > On Tue, Aug 9, 2022 at 4:18 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Farash,
> >>
> >> On 8/9/22 04:55, Farash Ahamad wrote:
> >>> Just to add, the file is getting uploaded to the SFTP server, but there is
> >>> an exact copy on the tomcat server as well.
> >>
> >> Can you give more details? Is a human user pushing via sftp to your
> >> Tomcat server? Or is your Tomcat-deployed application pushing via sftp
> >> to another server? Or something more complicated?
> >>
> >> Is the Tomcat server hosting the sftp server / destination?
> >>
> >> -chris
> >>
> >>> On Tue, Aug 9, 2022 at 11:46 AM Mark Thomas <ma...@apache.org> wrote:
> >>>
> >>>> This will always be an application issue.
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>>> On 09/08/2022 09:41, Farash Ahamad wrote:
> >>>>> Dear All,
> >>>>>
> >>>>> I am observing that several documents (pdf, png, jpeg, etc) which the
> >>>>> end user uploads in the application are getting stored in the tomcat /
> >>>>> directory.
> >>>>>
> >>>>> I would like to understand whether this is a bug in the application
> >>>>> code or in tomcat.
> >>>>>
> >>>>> Application based on: Java Spring Boot 2.1.3
> >>>>> Tomcat version: 9.0.41
> >>>>> OS Version: RHEL 7.9
> >>>>> Document Destination: SFTP server (Unified gluster FS through Serv-U)
> >>>>>
> >>>>> Appreciate your help.
> >>>>>
> >>>>> Thanks & Regards,
> >>>>> Farash Ahamad
> >>>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
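As an added illustration of the four audit points in Chris's reply (example code written for this page, not code from the thread or from the application under discussion): the local copy goes into the container temp directory under a JVM-generated name, the client-supplied filename is reduced to a whitelisted leaf name and only ever used as the remote name, the spool file and every stream are closed and deleted in a finally block, and a second method skips the local file entirely by streaming the multipart Part to the SFTP client. The SftpSink interface is an assumed stand-in for whatever client library the application uses (JSch's ChannelSftp.put(InputStream, String) would fit behind it); UploadHandler, sanitizeFileName, resolveInside, spoolThenPush and streamDirectly are names chosen for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.http.Part;

public class UploadHandler {

    /** Assumed abstraction over the SFTP client the application really uses
     *  (e.g. JSch's ChannelSftp.put(InputStream, String)); not a library class. */
    public interface SftpSink {
        void put(InputStream in, String remoteName) throws IOException;
    }

    /** Leaf names only: alphanumeric first character, then a short whitelist, at most
     *  255 chars. Rejects "", ".", "..", separators, spaces and control characters. */
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

    private final SftpSink sink;

    public UploadHandler(SftpSink sink) {
        this.sink = sink;
    }

    /** Point 2: reduce the client-supplied name to a safe leaf name for the remote side. */
    public static String sanitizeFileName(String submitted) {
        if (submitted == null || submitted.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed filename");
        }
        // Clients may send a full path ("C:\Users\me\x.pdf", "../../etc/passwd");
        // keep only the last component, whichever separator was used.
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String leaf = submitted.substring(cut + 1);
        if (!SAFE_NAME.matcher(leaf).matches()) {
            throw new IllegalArgumentException("filename not allowed: '" + leaf + "'");
        }
        return leaf;
    }

    /** Point 2 again: prove that a resolved path still lies inside the intended directory. */
    public static Path resolveInside(Path baseDir, String leaf) throws IOException {
        Path base = baseDir.toRealPath();            // canonical form, symlinks resolved
        Path target = base.resolve(leaf).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("path escapes " + base);
        }
        return target;
    }

    /** Points 1 and 3: spool into the container temp dir under a generated name,
     *  push it, and delete the spool file on every exit path. */
    public void spoolThenPush(Part part, ServletContext ctx) throws IOException {
        String remoteName = sanitizeFileName(part.getSubmittedFileName());
        // javax.servlet.context.tempdir: never the webapp root or Tomcat's working dir
        File tempRoot = (File) ctx.getAttribute(ServletContext.TEMPDIR);
        // The local name is generated by the JVM, so user input never forms a local path
        Path spool = Files.createTempFile(tempRoot.toPath(), "upload-", ".part");
        try {
            try (InputStream in = part.getInputStream()) {
                Files.copy(in, spool, StandardCopyOption.REPLACE_EXISTING);
            }
            try (InputStream in = Files.newInputStream(spool)) {
                sink.put(in, remoteName);
            }
        } finally {
            Files.deleteIfExists(spool);  // also runs when the SFTP push throws
            part.delete();                // drop the container's own multipart temp copy
        }
    }

    /** Point 4: no local copy at all; stream the request body straight to SFTP. */
    public void streamDirectly(Part part) throws IOException {
        String remoteName = sanitizeFileName(part.getSubmittedFileName());
        try (InputStream in = part.getInputStream()) {
            sink.put(in, remoteName);
        } finally {
            part.delete();
        }
    }

    /** Exercise the filename checks on constructed inputs; needs no container. */
    public static void main(String[] args) throws IOException {
        System.out.println(sanitizeFileName("C:\\Users\\me\\scan.png"));
        System.out.println(sanitizeFileName("../../etc/passwd"));
        for (String bad : new String[] {"", ".", "..", "conf/", "a b.jsp"}) {
            try { sanitizeFileName(bad); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        }
        Path demo = Files.createTempDirectory("upload-demo");
        try { resolveInside(demo, "../escape.txt"); } catch (IOException e) { System.out.println(e.getMessage()); }
        Files.delete(demo);
    }
}
```

The handler is meant to be called from the upload servlet or Spring controller with the Part taken from the multipart request; main only exercises the two filename checks. Nothing here builds a local path from user input, which is what settles the local side of the traversal question in point 2; resolveInside is for code paths that must still place a file under a user-influenced name, and it should be used with the already-sanitized leaf, not as a substitute for sanitizing it.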