I am working on a web application using Rails which user can upload a zip file which contains its data/file/docs and etc. But I'm concerned with security right now, I want to scan the uploaded zip file and remove all kind of executable such exe, bash and etc how can I do this?
Edit: I am aware of clamav API for rails but it would only scan the file for malicious files not removing the executable, just imagine opening a wrong uploaded executable file in the server and the cost of this action server/business-wide!
First, it would be better and more robust to whitelist allowed file types, and not blacklist disallowed ones (eg. executables). So you should have a list of types you allow if that is possible in your application.
Then the question is how you determine the type of a file.
The trivial way is checking the file extension, but that's not very strong. It may still be good for a first check to avoid spending precious cpu time on further checks.
After that, you can use the filemagic database to quite reliably find the type of uploaded files. You have two options:
If your application runs on linux, you can call the file tool directly, something like filetype = `file -Ib #{filename}` to get the filetype. Note that filename in this example needs to be sanitized to avoid OS command injection!
If you want to support Windows too (or just want to avoid calling shell commands and have nicer code), you can use the ruby-filemagic gem:
require 'filemagic'
filename = 'yourfile.ext'
magic = FileMagic.new
filetype = magic.file(filename)
The problem with ruby-filemagic is that it's not maintained anymore, but it would probably still work fine to find executables.
Related
I am working on an App, in which I want to upload images and pdf to the FTP server. I am using this reference ref.All is working good. The images and pdf are getting uploaded on the server with proper names and sizes.
But, now I want to check if the directory is already exists on the server or not. I am not able to get it to work with this library.
So my question is that how to check directory on ftp,if directory is there then upload the files if not then first create directory on ftp and then upload files onto that directory?
Any Ideas.. ? Any help will be appreciated.
Different FTP servers will answer the LIST request in differing ways, so there is no single answer to this question. RFC959 says on the matter:
Since the information on a file may vary widely from system
to system, this information may be hard to use automatically
in a program, but may be quite useful to a human user.
Using the CWD request to change into the directory in question, and detecting a successful response will detect the directory, however that leaves you in that directory as a potentially unrequired side effect.
For these reasons, as well as others, you may find more modern protocols such as SSH (which includes a file transfer feature) to be more useful. You may find the DLSFTPClient CocoaPod useful.
M.
If we want to store critical information, like passwords and server addresses, inside the executable file generated by the Delphi compiler, how can we do that, without knowing the final executable size and binary structure, like at the end of the file for example?
Side note:
The text to be stored is already encrypted; and in some computers the windows don't give access to write in the registry, specially when the user is not administrator, and there are hacks to monitor registry changes and the smart user can find the new windows registry entry.
Comment
Why this question was down voted? This is achievable! Doesn't meter if not interesting for most people.
I think about the bios and other firmware upgradeable, like satelite tv signal decoders that update themselves. How is that possible?
You can use an .rc file to put your data into a custom resource inside the final .exe file. You can then access that resource at run-time, such as with a TResourceStream, and decrypt and use its content as needed. However, you cannot write new data into the resource while the .exe is running, as the file is locked by the OS. If you need to write new settings, and do not have write access to the Registry, you will have to use a separate file instead. Windows has special folders set aside that users have write access to within their user profiles.
Create a string table resource is one way.
Create a text file. say secretstuff.rc (has to have .rc extension)
with something like this in it.
STRINGTABLE
{
1,"This is my encrypted password in say Base64"
}
Compile it to a .res file with BRCC32.
Include it in the relevant code with a compiler directive
{$R secretstuff.res}
After that you access with TResourceStream.
If you want to manage it a bit better might be wise to stuff them in a dll instead of an exe, then you can update things by delivering a new version of the dll.
There's an example with a it more detail, another purpose but same principle here
I want to convert my struts2 web application into an exe format so that exe file will load my project into server and database into MySQL.
Are there any such tools available for loading files into a folder?
Are there any forms other than .exe to which I could convert my project to do this action?
Is it possible to decrypt the code from class file to java file?
Which is the most secure form for a struts2 project for loading into a server?
You want to convert it to executable one?? generally installer came to assist auto installation like if you have created a product using all these technology and you want save your customer from all the setting and installation processes like database configuration,other configurations etc.
Is it possible to decrypt the code from class format to java format
there are many java d-compilers available which help you to convert .class files to java files though they sometime fails to convert it 100% but in most cases they tend to show some one what they actually want to see.
You can't load an exe file into a web server.
I suppose you could create an executable that includes a server and your war file, but I would strongly discourage the practice.
You could obfuscate (e.g., with ProGuard) and/or encrypt your .class files, but if they're determined to get to your unobfuscated byte code, they almost certainly will.
If they're not that determined, then it's probably not important enough to go through all the effort, debugging, and so on.
I sort of want to do the reverse of this.
Instead of unzipping and adding the collection files to S3 I want to
On user's request:
generate a bunch of xml files
zip the xml files with some images (pre-existing images hosted on s3)
download zip
Does anybody know agood way of doing this? I think I could manage this no problem on a normal machine but Heroku complicates things somewhat in that it has a read-only filesystem.
From the heroku documentation on the read-only filesystem:
There are two directories that are writeable: ./tmp and ./log (under your application root). If you wish to drop a file temporarily for the duration of the request, you can write to a filename like #{RAILS_ROOT}/tmp/myfile_#{Process.pid}. There is no guarantee that this file will be there on subsequent requests (although it might be), so this should not be used for any kind of permanent storage.
You should be able to pretty easily write your generated xml files to tmp/ and keep track of the names, download and write the s3 files to the same directory, and (maybe?) invoke a zip command as long as the output is in tmp/, then serve the file to the browser with the correct mime type to prompt a download. I would only be concerned with how big the filesize is and if heroku has an undocumented limit on what they'll allow in the tmp directory. Especially since you are only performing this action for a one-time download in the duration of a single request, I think you have a good chance of being able to do it.
Edit: Looking around a bit, you might be able to use something like RubyZip to create your zip file if you want to avoid calling system commands.
How do i get the location of the file that i used to open my programs with?
Example: if i create a new extention ".xyz" say and i tell windows that i want to open the file type .xyz with myapplication, then it starts my aplication. Great, but how does my application get a handle on the file path of the file that was used to start it?
Also, is there a way to keep just one version of my app running and new files that are opened to just call a method in my application? For example if your using a torrent and you open 5 .torrent files they all just get passed to one application.
Side question: are all file extensions 3 letters long and is there a list of ones that are publicly used? If im creating a file extension I don't want to use one that is already used.
When you created your file association, you specified the command line that Explorer should run to activate your program. The shell puts the name of the document file on the command line, too, so in your program, check the command-line arguments. How you do that depends on your language and development environment. In Delphi, use the ParamCount and ParamStr functions.
When you create the file association, you can specify exactly where on the command line the document file name should go. Use %1 somewhere on the command line, and the shell will replace it with the file name. Since Windows file names frequently contains spaces, you should put quotation marks around the file name, so the command line in the file association would look like this:
ArthurApp.exe "%1"
With that association, double-clicking another document file will start another instance of your program. If you'd prefer to have the document opened in another window of the already-running instance, then you can write code to make your program look for already-running instances when it starts up. If it finds one, then it can communicate with that instance to tell it what file to open. You can effect that communication any number of ways, including mailslots, sockets, named pipes, memory-mapped files, and DDE.
The shell's file-association mechanism already has a way of communicating via DDE, so a second instance of your program wouldn't be started at all. Instead, the shell would start a DDE conversation with the already-running instance and tell it the new file name that way. However, DDE seems to be falling out of favor nowadays, so check out some of the other options first.
For your side question, no, extensions are not always three characters long. Look around, and that should be obvious: C code goes in .c files, Adobe Illustrator graphics go in .ai files, and new Microsoft Word documents go in .docx files.
But beware. If you ask for **.doc*, the results will include .docx files as well. That's because FindFirstFile matches both short and long file names, and long file names with long file extensions have three-character extensions in their short-file-name versions.
Rob covered the answer to your question(s) beautifully.
As to the last part, whether there is a public list of file extensions - not as such, but there is shell.windows.com, the web service Explorer uses to locate handlers for unknown file extensions. You can make up an extension then query shell.windows.com to see whether it's been registered. For example, to check whether the extension .blah has been registered by anyone on shell.windows.com, just open this URL in any browser:
http://shell.windows.com/fileassoc/0409/xml/redir.asp?ext=blah
Of course, replace the trailing blah with your extension.
You can find more details about this in KB929149 and in Raymond Chen's post Where does shell.windows.com get information about file extensions, and how do I get in on that action?.