esapi-java-legacy
Enhance DefaultValidator to validate the MIME type of a file
As a developer, I want to probe and validate the MIME type of a file uploaded by a user so that I can ensure the MIME type of the file matches the file extension.
Acceptance Criteria
Given Tika is configured in the classpath
And I have configured a MIME whitelist of txt
When I validate a binary file uploaded by a user
And the file extension is txt
Then the validator will return false
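One way the acceptance criteria above could be met, as an added illustration that is not ESAPI's DefaultValidator or any code from this issue: detect the MIME type from the uploaded bytes alone (never from the file name, so the extension cannot bias the sniffer), then compare the result against an explicit extension-to-MIME whitelist. It assumes Apache Tika's `org.apache.tika.Tika`, `MediaType` and `MediaTypeRegistry` classes on the classpath; the whitelist map, sample text and the PNG header bytes are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.tika.Tika;
import org.apache.tika.mime.MediaType;
import org.apache.tika.mime.MediaTypeRegistry;

/** Checks that the MIME type sniffed from file content agrees with the file extension. */
public final class MimeExtensionValidator {
    private final Tika tika = new Tika();
    private final MediaTypeRegistry registry = MediaTypeRegistry.getDefaultRegistry();
    // Whitelist: extension (lower-case, no dot) -> MIME types allowed behind that extension.
    private final Map<String, Set<MediaType>> whitelist;

    public MimeExtensionValidator(Map<String, Set<MediaType>> whitelist) {
        this.whitelist = whitelist;
    }

    public boolean isValid(String fileName, byte[] content) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false;   // no extension: reject
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        Set<MediaType> allowed = whitelist.get(ext);
        if (allowed == null) return false;                             // extension not whitelisted
        // Detect from the bytes only; passing the name would let the extension steer detection.
        MediaType detected = MediaType.parse(tika.detect(content));
        if (detected == null) return false;
        for (MediaType a : allowed) {
            // Accept exact matches and Tika-registered specialisations (e.g. text/x-foo of text/plain).
            if (detected.equals(a) || registry.isSpecializationOf(detected, a)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, Set<MediaType>> wl = new HashMap<>();
        wl.put("txt", Collections.singleton(MediaType.TEXT_PLAIN));   // the issue's whitelist of txt
        MimeExtensionValidator v = new MimeExtensionValidator(wl);
        byte[] text = "hello world\n".getBytes(StandardCharsets.US_ASCII);   // constructed text upload
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
                      0, 0, 0, 0x0D, 'I', 'H', 'D', 'R'};                  // constructed PNG header
        System.out.println("text behind .txt: " + v.isValid("notes.txt", text));
        System.out.println("binary behind .txt: " + v.isValid("notes.txt", png));   // the acceptance case
    }
}
```

Tika's text/plain detection is heuristic (it is inferred from the absence of a magic signature and the byte distribution), so a content check like this narrows what an attacker can smuggle behind a `.txt` extension but does not replace size limits, storage outside the web root and a fixed `Content-Type` on download.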
I'm okay with this ultra-narrow use case, but I want to call out that we'll have to provide guidance as far as how to properly handle a file upload. It might be beneficial on our next call to discuss what your file validation does and doesn't do--this issue is near and dear to my heart, I had talked about doing this at least 3yrs ago.
@Manicode is no longer with us here, but he's given quite a bit of input as to the correct way to handle this.
I think the best way to handle this is to submit a PR. If it introduces a significant number of new transitive dependencies though, we may reject it and just plan for it in ESAPI 3.x. That's one reason that @xeno6696 hasn't already addressed it. We are trying to keep new dependencies to a minimum as ESAPI already has way too many because of its monolithic design. Alternately, we could create a new repository under https://github.com/ESAPI and you would treat it as an add-on. I thought we used to have an 'add-on' or 'contributors' repository. (I remember @chrisisbeef used to have something for Spring Security's authentication using ESAPI under there, but I no longer can find it.)
I'm with @kwwall on this (and the other) item. IIRC you already have code ready to submit, let's just do that and review it.