How to identify files uploaded already if it is renamed - asp.net

Is there a way to know if a user is uploading a files which already has been uploaded before.
This is without comparing file names. This is in case the user renames the file.
Scenario
User uploads file via their web browser.
User renames file locally. User uploads file.
Webserver detects the renamed file and saves it as the renamed file name while removing the older file.

You could do a checksum on the file first submitted, store this checksum in a datatable with the filename. When the user submits again the renamed file you calculate again the checksum and search in the database if the checksum is already present.
The weakness of this solution is in the uniqueness of the checksum.
With this example I think you have good chances to get an unique checksum
(Expecting to be disowned)
public string GetChecksum(string filePath, HashAlgorithm algorithm)
{
using (var stream = new BufferedStream(File.OpenRead(filePath), 100000))
{
HashAlgorithm SHA512 = new SHA512Managed();
byte[] hash = SHA512.ComputeHash(stream);
return BitConverter.ToString(hash).Replace("-", String.Empty);
}
}

Related

How to fix directory traversal security vulnerability in C# asp.net?

Find Snapshot here While running the [IBM Security AppScan] tool for one of my asp.net mvc web applications, I am getting path traversal vulnerabilities in my code. Please see snapshot attached and sample code to understand the issue better. Is there a way to fix such issues?
Sample Code:
var storagePath = ConfigurationManager.AppSettings.Get("DOCS_STORAGE_PATH") + #"\Attachments";
var strMonth = DateTime.Now.Month.ToString().Length == 1 ? "0" + DateTime.Now.Month : DateTime.Now.Month.ToString();
var strYear = DateTime.Now.Year.ToString();
var strFolder = strYear + #"\" + strMonth + #"\";
storagePath = storagePath + #"\" + strFolder;
if (!Directory.Exists(#"" + storagePath))
{
Directory.CreateDirectory(#"" + storagePath);
}
You need to enforce your input validation to solve your issue.
you should validate storagePath in the first line after the reading of the configuration.
But, anyway, If the path is store in a configuration on your server, I suspect a False Postive from AppScan Source
If you are using asp.net MVC framework then you don't need to worry about directory traversal at-least for the config files, dll , cshtml files etc. IIS will not server these types of sensitive information at any cost. But still its always better to encrypt your config files if it has some sensitive information like password , connection string etc ..
It's better to encrypt the machine key and connection string info in config files for ease of use.
The next point if the files we save our self, it may be in database or in server path.
In both cases we have to be careful about the attacks. Not only directory attack but also file upload attack.
If your file share is readable by the user that your app pool is
running under (Network Service by default) you can remove the virtual
directory completely and create an ASP.NET(any framework)application
that will stream the files to the browser. If you're using MVC it's
simply returning a file result. This has an added benefit in that you
will be able to restrict the users from downloading the files
Note : Since you are taking the path from web.config doesn't meant that, the files under that path are safe against directory attack. If a hacker somehow get the path , then he can try that directly in the browser\hacking tools\etc.. So the objective should be to secure the files not the path
Simple idea is to create another application/method which is capable of serving the file stream based on request. There you can validate the user and serve the file, file can even be saved in database or file system (there app pool user's doesn't have direct access)

Authentication Issue when accesing Reporting Service

Well, I already tried a lot of stuff to solve this issue, but none did.
I developed a Reporting Service (2005) and deployed it.
This report will be used by everyone who access a website (it's a internet site, so, won't be accessed by intranet) developed on the framework 3.5 (but I think the framework's version is not the source of the problem).
When the user clicks on the button to download the .pdf which the Reporting automatically generates (the end-user never sees the html version of the Report), it asks for windows credentials.
If the user enters a valid credential (and this credential must be a valid credential on the server which the Reporting Service is deployed), the .pdf is obviously downloaded.
But this can't happen. The end-user must download the .pdf directly, without asking for credentials. Afterall, he doesn't even have the credentials.
Response.Redirect("http://MyServer/ReportServer/Pages/ReportViewer.aspx?%2fReportLuiza%2fReportContract&rs:Format=PDF&NMB_CONTRACT=" + txtNmbContractReport.Text);
The code snippet above, shows the first version of my code when the user clicks the button. This one propmts for the Windows credentials.
I already tried to change on IIS the Authentication of the virtual directory ReportServer, but the only one which works is the Windows Credentials. The other ones doesn't even let me open the virtual directory of the Report or the Report Manager's virtual directory.
When I tried to change it to Anonymous Authentication he couldn't access the DataBase. Then I choose the option to Credentials stored securely on the report server. Still doesn't work.
The physical directory of my ReportServer virtual directory points to the reporting server folder on the Hard Disk (C:\Program Files\Microsoft SQL Server\MSSQL.5\Reporting Services\ReportServer). I moved the same folder to my wwwroot directory.
Didn't work. The virtual directory didn't even open. Then I read this could be a problem because I had the same name on two folders (one in C: and other in wwwroot). So I changed the name of the one in wwwroot. Same issue of the DataBase connection couldn't be done.
I returned the physical path to C:
Below, is the second version of my button's event code:
ReportExecutionService rs = new ReportExecutionService();
rs.Credentials = System.Net.CredentialCache.DefaultCredentials;
rs.Url = "http://MyServer/ReportServer/ReportExecution2005.asmx";
// Render arguments
byte[] result = null;
string reportPath = "/ReportLuiza/ReportContract";
string format = "PDF";
// Prepare report parameter.
ParameterValue[] parameters = new ParameterValue[1];
parameters[0] = new ParameterValue();
parameters[0].Name = "NMB_CONTRACT";
parameters[0].Value = txtNmbContractReport.Text;
string encoding;
string mimeType;
string extension;
Warning[] warnings = null;
string[] streamIDs = null;
ExecutionInfo execInfo = new ExecutionInfo();
ExecutionHeader execHeader = new ExecutionHeader();
rs.ExecutionHeaderValue = execHeader;
execInfo = rs.LoadReport(reportPath, null);
rs.SetExecutionParameters(parameters, "pt-br");
String SessionId = rs.ExecutionHeaderValue.ExecutionID;
try
{
result = rs.Render(format, null, out extension, out encoding, out mimeType, out warnings, out streamIDs);
execInfo = rs.GetExecutionInfo();
}
catch (SoapException se)
{
ShowMessage(se.Detail.OuterXml);
}
// Write the contents of the report to an pdf file.
try
{
using (FileStream stream = new FileStream(#"c:\report.pdf", FileMode.Create, FileAccess.ReadWrite))
{
stream.Write(result, 0, result.Length);
stream.Close();
}
}
catch (Exception ex)
{
ShowMessage(ex.Message);
}
For this code, I had to add a WebReference to the .asmx file mentioned in it.
When I'm debugging (on Visual Studio 2010), the code above works fine, doesn't asking for credentials (unfortunately, it doesn't prompt the option to open, save or cancel de file download. But this is another problem, no need to worry with it now) and save the file on C:.
When published, the code doesn't work. An erros says: The permission granted to user 'IIS APPPOOL\ASP.NET v4.0' are insuficient for performing this operation. So I added to the Reporting Service's users this user. When I tried again, the error is: Login failed for user IISAPPPOOL\ASP.NET v4.0. Cannot create a connection to data source 'MyDataSourceName'.
Both Report and WebSite are deployed/published on the same server with a IIS 7.5 version.
Summarizing: I need a solution where there is no credential prompt, and the user can choose where it wants to save the .pdf file.
Any help will be appreciated.
If you need more information to help me, just ask.
Thanks in advance.
One solution would be to create a new App Pool with an account that has the rights to access your restricted resources and then assign your web application to it.

File upload in servlet corrupts the file

I am uploading a file using using (Valums uploader) and I using servlet at server side. File type is application/pdf. Code is :
String filename= request.getHeader("X-File-Name");
InputStream is = request.getInputStream();
File tmp = File.createTempFile(filename, "");
tmp.deleteOnExit();
FileOutputStream fos = new FileOutputStream(tmp);
IOUtils.copy(is, fos);
byte[] bytes = new byte[(int) tmp.length()];
is.read(bytes);
Now these bytes are getting stored into database as longblob. But it seems that inputStream in above code is adding some more data in the file thats why file data is getting corrupted. I download the same data as pdf file, found that both- original uploaded file and now downloaded file have the same size, but when the downloaded file is opened in Acrobat, it reports "File is corrupted". For upload request I have used only file input. So there are no chances of other input params in inputStream. Also the bytes array in above code are as it is passed for download. Why is data getting corrupted?
Your problem might be the data length you are reading. I had similar problem and posted on this issue link
Java: Binary File Upload using Restlet + Apache Commons FileUpload
Hope this helps

where do on-fly-generated-images with a servlet store?

if I'm generating images using servlets/actions something like this:
byte[] imageBytes = getImageAsBytes();
response.setContentType("image/jpeg");
response.setContentLength(imageBytes.length);
response.getOutputStream().write(imageBytes);
when user access the servlet, where are those images storing? will it download to user temp folder and load it o it's saving user HTTP_SESSION?
domain.com/image/randomImageServlet?param1=a&param2=b
It isn't stored anywhere except, maybe, in the cache of the browser. Why would you want it to be stored anywhere. You load the bytes in memory, and stream them to the response output stream. They're just downloaded on the wire exactly like your generated HTML is.

Split zip file using DotNetZip Library

I'm using DotNetZip Library to create a zip file with about 100MB.I'm saving the zip file directly to the Response.OutputStream
Response.Clear();
// no buffering - allows large zip files to download as they are zipped
Response.BufferOutput = false;
String ReadmeText= "Dynamic content for a readme file...\n" +
DateTime.Now.ToString("G");
string archiveName= String.Format("archive-{0}.zip",
DateTime.Now.ToString("yyyy-MMM-dd-HHmmss"));
Response.ContentType = "application/zip";
Response.AddHeader("content-disposition", "attachment; filename=" + archiveName);
using (ZipFile zip = new ZipFile())
{
// add a file entry into the zip, using content from a string
zip.AddFileFromString("Readme.txt", "", ReadmeText);
// add the set of files to the zip
zip.AddFiles(filesToInclude, "files");
// compress and write the output to OutputStream
zip.Save(Response.OutputStream);
}
Response.Close();
what i need is to split this 100MB file in to with about 20MB sections and provide the download facility to the user.how can i achieve this?
Your question is sort of independent of the ZIP aspect. Basically it seems you want to make available for download a large file of 100mb or more, and you want to do it in parts. Some options:
Save it to a regular file, then transmit it in parts. The client would have to make a distinct download request for each of the N parts, selecting the appropriate section of the file via the HTTP Range header. The server would have to be set up to server ZIP files with the appropriate MIME type etc.
save it to a split (spanned) zip file, which implies N different files. The client would then make an HTTP GET for each of the distinct files. The server would have to be set up to server .zip, .z00, .z01, etc. I'm not sure if built-in OS tools handle split zip files appropriately.
save the file as one large blob, and have the client use BITS or some other restartable download facility.

Resources