Posted to users@tomcat.apache.org by Farash Ahamad <fa...@gmail.com> on 2022/08/09 08:41:36 UTC

End user files uploaded to sftp getting stored in tomcat root directory

Dear All,

I am observing there are several documents (pdf, png, jpeg, etc) which the
end user uploads in the application getting stored in the tomcat / directory.

I would like to understand whether this is a bug in the application code or
in tomcat.

Application based on: Java Spring Boot 2.1.3
Tomcat version: 9.0.41
OS Version: RHEL 7.9
Document Destination: SFTP server (Unified gluster FS through Serv-U)

Appreciate your help.

Thanks & Regards,
Farash Ahamad

Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Farash Ahamad <fa...@gmail.com>.
Much appreciated, your detailed response Chris. I’ll investigate these
points and try to discuss them with the developer.

Thanks once again!!

On Tue, 9 Aug 2022 at 5:20 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Farash,
>
> On 8/9/22 09:23, Farash Ahamad wrote:
> > Hi Chris,
> >
> > There is an application portal running on tomcat used by many users,
> where
> > they create profiles, upload documents, etc.
> > When they upload the document via portal, the application pushes it to
> sftp
> > on another server, but sometimes a copy is stored in the root directory
> > tomcat server with exact details like filename, size, etc.
>
> So your users upload to your application, which then uploads the file
> via sftp?
>
> My guess is that your application does something like this:
>
> import java.io.FileOutputStream;
> import java.io.IOException;
> import java.io.InputStream;
> import java.io.OutputStream;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public void service(HttpServletRequest request, HttpServletResponse response)
>         throws IOException {
>    // Client-supplied name used as a relative path: it resolves against
>    // Tomcat's working directory (normally CATALINA_HOME).
>    String filename = request.getParameter("filename");
>    InputStream in = request.getInputStream();
>
>    OutputStream out = new FileOutputStream(filename);
>    byte[] buf = new byte[8192];
>    int n;
>    while ((n = in.read(buf)) != -1) {
>      out.write(buf, 0, n);
>    }
>    out.close();
>    in.close();
>
>    // Pseudo-API for whatever ftp/sftp client the app uses. The local copy
>    // is never deleted, and nothing is closed if an exception is thrown above.
>    FTPClient client = new FTPClient();
>    client.connect();
>    client.put(filename);
> }
>
> By using the Tomcat server as a temporary location for files, there is
> the possibility that uploaded-files will stick-around in that directory,
> especially if the code isn't very careful about resource-management and
> error-handling.
>
> I would immediately audit your code for the following:
>
> 1. Proper destination directory. If users can upload files to your
> Tomcat directory, what happens if I upload a .jsp file and then request
> that file over HTTP from your server? Will it execute the file? :0 You
> should write all files into the container-provided temp directory. Ask
> if you don't know what this it.
>
> 2. Filename sanitization. If a user can upload a file, can they
> overwrite local files? Can they perform directory-traversals? What
> happens if I upload /etc/passwd or conf/server.xml?
>
> 3. Proper resource management (e.g. look for close() and delete() for
> everything you do locally)
>
> 4. Maybe you don't even need to store the file locally. Does your sftp
> client library allow you to stream files directly to the remote server?
> It would be better to never write the file bytes onto the Tomcat server
> in the first place.
>
> Hope that helps,
> -chris

Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Farash,

On 8/9/22 09:23, Farash Ahamad wrote:
> Hi Chris,
> 
> There is an application portal running on tomcat used by many users, where
> they create profiles, upload documents, etc.
> When they upload the document via portal, the application pushes it to sftp
> on another server, but sometimes a copy is stored in the root directory
> tomcat server with exact details like filename, size, etc.

So your users upload to your application, which then uploads the file 
via sftp?

My guess is that your application does something like this:

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void service(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
   // Client-supplied name used as a relative path: it resolves against
   // Tomcat's working directory (normally CATALINA_HOME).
   String filename = request.getParameter("filename");
   InputStream in = request.getInputStream();

   OutputStream out = new FileOutputStream(filename);
   byte[] buf = new byte[8192];
   int n;
   while ((n = in.read(buf)) != -1) {
     out.write(buf, 0, n);
   }
   out.close();
   in.close();

   // Pseudo-API for whatever ftp/sftp client the app uses. The local copy
   // is never deleted, and nothing is closed if an exception is thrown above.
   FTPClient client = new FTPClient();
   client.connect();
   client.put(filename);
}

By using the Tomcat server as a temporary location for files, there is 
the possibility that uploaded-files will stick-around in that directory, 
especially if the code isn't very careful about resource-management and 
error-handling.

I would immediately audit your code for the following:

1. Proper destination directory. If users can upload files to your 
Tomcat directory, what happens if I upload a .jsp file and then request 
that file over HTTP from your server? Will it execute the file? :0 You 
should write all files into the container-provided temp directory. Ask 
if you don't know what this is.

2. Filename sanitization. If a user can upload a file, can they 
overwrite local files? Can they perform directory-traversals? What 
happens if I upload /etc/passwd or conf/server.xml?

3. Proper resource management (e.g. look for close() and delete() for 
everything you do locally)

4. Maybe you don't even need to store the file locally. Does your sftp 
client library allow you to stream files directly to the remote server? 
It would be better to never write the file bytes onto the Tomcat server 
in the first place.

Hope that helps,
-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
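
A hardened version of the upload handler that works through the four audit points above, as an added example that is not from the original thread or from any of its participants. It uses the plain servlet API (as the sketch in the reply does, rather than Spring's MultipartFile), assumes the upload arrives as a multipart field named `document`, and the `RemoteStore` interface is a hypothetical stand-in for the application's sftp client; `UploadServlet`, `safeFileName` and `doPostStreaming` are names chosen here.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

@MultipartConfig
public class UploadServlet extends HttpServlet {

    /** Hypothetical sink for the sftp side; the real app would wrap its sftp client here. */
    public interface RemoteStore {
        void store(String remoteName, InputStream data) throws IOException;
    }

    private RemoteStore remote; // assumed to be injected by the application

    /** Point 2: keep only a safe base name; reject anything that could act as a path. */
    static String safeFileName(String supplied) {
        if (supplied == null) {
            throw new IllegalArgumentException("missing filename");
        }
        // Drop any directory part a client may send (browsers, curl or hand-built requests)
        String base = supplied.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Conservative character set; "." and ".." and hidden names are rejected outright
        if (base.isEmpty() || base.startsWith(".") || !base.matches("[A-Za-z0-9._-]{1,128}")) {
            throw new IllegalArgumentException("unacceptable filename");
        }
        return base;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("document");
        String name = safeFileName(part.getSubmittedFileName());

        // Point 1: never write under CATALINA_HOME or the webapp; use the container temp dir
        // (the javax.servlet.context.tempdir attribute that Tomcat provides).
        Path tempDir = ((File) getServletContext().getAttribute(ServletContext.TEMPDIR)).toPath();
        // Server-chosen temp name, not the client's name, so no local file can be overwritten.
        Path tmp = Files.createTempFile(tempDir, "upload-", ".tmp");
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            try (InputStream local = Files.newInputStream(tmp)) {
                remote.store(name, local);
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } finally {
            // Point 3: the local copy is removed on every path, success or exception,
            // and the container's own multipart temp file is discarded as well.
            Files.deleteIfExists(tmp);
            part.delete();
        }
    }

    /** Point 4: preferred variant with no local file at all; the body streams straight to sftp. */
    protected void doPostStreaming(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("document");
        String name = safeFileName(part.getSubmittedFileName());
        try (InputStream in = part.getInputStream()) {
            remote.store(name, in);
        } finally {
            part.delete();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The second method is the shape point 4 describes: when the sftp library accepts an InputStream (JSch's ChannelSftp.put(InputStream, String) is one such API), the request body can be handed to it directly and nothing is ever written under Tomcat. Point 2 still applies to the remote name in that case, since the same traversal concern exists on the sftp server.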


Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Farash Ahamad <fa...@gmail.com>.
Hi Chris,

There is an application portal running on tomcat used by many users, where
they create profiles, upload documents, etc.
When they upload the document via portal, the application pushes it to sftp
on another server, but sometimes a copy is stored in the root directory
tomcat server with exact details like filename, size, etc.

Regards,
Farash


On Tue, Aug 9, 2022 at 4:18 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Farash,
>
> On 8/9/22 04:55, Farash Ahamad wrote:
> > Just to add, the file is getting uploaded to SFTP server, but there is an
> > exact copy in tomcat server as well.
>
> Can you give more details? Is a human user pushing via sftp to your
> Tomcat server? Or is your Tomcat-deployed application pushing via sftp
> to another server? Or something more complicated?
>
> Is the Tomcat server hosting the sftp server / destination?
>
> -chris

Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Farash,

On 8/9/22 04:55, Farash Ahamad wrote:
> Just to add, the file is getting uploaded to SFTP server, but there is an
> exact copy in tomcat server as well.

Can you give more details? Is a human user pushing via sftp to your 
Tomcat server? Or is your Tomcat-deployed application pushing via sftp 
to another server? Or something more complicated?

Is the Tomcat server hosting the sftp server / destination?

-chris




Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Farash Ahamad <fa...@gmail.com>.
Thanks Mark!

Just to add, the file is getting uploaded to SFTP server, but there is an
exact copy in tomcat server as well.

On Tue, Aug 9, 2022 at 11:46 AM Mark Thomas <ma...@apache.org> wrote:

> This will always be an application issue.
>
> Mark

Re: End user files uploaded to sftp getting stored in tomcat root directory

Posted by Mark Thomas <ma...@apache.org>.
This will always be an application issue.

Mark


On 09/08/2022 09:41, Farash Ahamad wrote:
> Dear All,
> 
> I am observing there are several documents (pdf, png, jpeg, etc) which the
> end user uploads in the application getting stored in the tomcat / directory.
> 
> I would like to understand whether this is a bug in the application code or
> in tomcat.
> 
> Application based on: Java Spring Boot 2.1.3
> Tomcat version: 9.0.41
> OS Version: RHEL 7.9
> Document Destination: SFTP server (Unified gluster FS through Serv-U)
> 
> Appreciate your help.
> 
> Thanks & Regards,
> Farash Ahamad
> 
