Regular Expression: Check for substrings in a file name



Hi,

We use jump uploader (applet) to upload files to our application. There is a requirement to block certain files which contain a certain set of substrings or characters in the name. It uses a regex to check for file name patterns, and here is the regex string it uses to check for patterns:

<param name="uc_fileNamePattern" value="(?i)^(.*\.(?!exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)[^\.]*)|([^\.]+)$">

So the above example blocks files with any of the extensions listed, e.g.:
exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar

We need to modify the regex so those extensions are still blocked, but additionally we want to block filenames that contain any of the terms listed below.

For example, we would want to block ‘dropship.pdf’ because the filename contains the term ‘drop’.

The new set of characters/substrings which need to be checked in the file name is:
--
;
/*
char
alter
begin
cast
create
cursor
declare
delete
drop
fetch
insert
kill
open
select
sys
table
update
exec


The regex string provided in the value needs to be modified so that files containing the above substrings in the file name are blocked. Any help with that will be hugely appreciated.


Thanks In Advance,
Abhinit
2 Solutions
 
käµfm³d 👽Commented:
Try:

(?i)(--|;|/\*|char|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|table|update|exec|\.(exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$)

 
CEHJCommented:
You'd probably want to use non-capturing groups per the original, or you'd likely give the regex engine a considerable and unnecessary overhead.
 
käµfm³d 👽Commented:
@CEHJ

Admittedly, I was being lazy, but I doubt the overhead of a capture group would cause an issue in this case.
 
RoonaanCommented:
Isn't it better to change your server-side script to be SQL injection proof? What if someone with bad intents doesn't use your applet, but a straight HTTP file upload call? Your DB is still unprotected.

My 2cts,

-r-
 
abhinitdAuthor Commented:
Hi Roonan,

We have an HTTP request filtering module installed on our web server to take care of SQL injection attempts, and that is the reason why we need to extend the regex expression mentioned above: when a user tries to upload files with that set of substrings in the file name, IIS does not allow it to be processed and displays an error page to the users which looks a little ugly. So we need to block those keywords/substrings in the file name at the time of user upload. Check this out:

http://blogs.iis.net/wadeh/archive/2008/12/18/filtering-for-sql-injection-on-iis-7-and-later.aspx

Thanks,
Abhinit
 
abhinitdAuthor Commented:
@kaufmed:

There was not any overhead, but the regex string you suggested did not work as desired; it's blocking every file name now :)

Did we miss anything in the regex string?

Thanks in Advance,
Abhinit
 
CEHJCommented:
Try

<param name="uc_fileNamePattern" value="(?i)(?:^.*(?:--|;|/\*|char|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|table|update|exec).*$)|^(.*\.(?!exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)[^\.]*)|([^\.]+)$">

 
abhinitdAuthor Commented:
Hi CEHJ,

Thanks a ton for replying back. I tried your suggestion but it does not seem to work. It's blocking the extensions (e.g. .exe), but when I tried to upload a file named:

Community Donations delete New.pdf

the regex was not able to find 'delete' in the file name. Maybe we are missing something?


Thanks in Advance,
Abhinit
 
CEHJCommented:
Well, there is of course the added complication of how the tag operates. It would be easy enough to test the operation of the pattern in an independent application.
 
krakatoaCommented:
Not a regex user much at all here, but if you can get hold of the filenames easily, then:

// Case-sensitive substring check against a few of the terms.
String filename = "beginmaliciouscharcast.alter";

CharSequence[] cs = {"char", "alter", "begin", "cast", "create", "cursor"};

for (CharSequence s : cs) {
    if (filename.contains(s)) {
        System.out.println("Hit!");
    }
}

Perhaps that could help.
 
CEHJCommented:
Can you test the following just for extensions please?

<param name="uc_fileNamePattern" value="(?i)^(.*\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar))|(?:[^\.]+)$">

 
abhinitdAuthor Commented:
Solved it myself, closing the question now!
 
abhinitdAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for abhinitd's comment #a38337421

for the following reason:

Worked and fixed the issue myself. Experts' advice did not help.
 
CEHJCommented:
Plenty of help given. Little feedback.
 
abhinitdAuthor Commented:
I appreciated your help/comments, but it did not work in my case. I am ready to give the feedback, no problem. How do I do that?
 
CEHJCommented:
I asked for feedback in my last comment, but it's too late now.
 
abhinitdAuthor Commented:
Appreciate the help.
 
abhinitdAuthor Commented:
Gave you the feedback; please get this question closed now.
 
krakatoaCommented:
Spurning the comments of a Savant is just *not* the way to go, abhinitd.
 
abhinitdAuthor Commented:
@krakatoa: I am sorry, but I never did; I always appreciated the suggestions provided here, and that is the reason why I selected CEHJ's last suggestion as the answer, even though it was not the solution to my case! If you read the entire thread you will realize that I have always appreciated the suggestions posted here on the question.

Just don't want to keep this question open when it's fixed already!

Thanks,
Abhinit
 
krakatoaCommented:
It's common EE etiquette to post a problem's resolution for the benefit of future visitors. Maybe if you need help in the future, you could bear that in mind; although I won't be reading it myself, of course, you follow.
 
abhinitdAuthor Commented:
Hi,

I was away for some work, sorry about that. I am posting my complete troubleshooting steps here now:

As it was the jump uploader (applet), and I had to write a regex to fix the issue, I learned it and wrote my own, and here is the one which worked for me:

var reName = "/\-\-|;|\/\*|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|update|exec/i"; 


You can paste the above string anywhere and it should work. I created two different strings for checking the file extension and the file name (as explained in my first post). Here is the complete post if someone comes across the same issue in jump uploader:

function uploaderFileAdded(uploader, file)
{
    var sName = file.getName() + '';
    // Disallowed extensions, anchored to the end of the name.
    var reExtension = /\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$/i;
    // Disallowed substrings anywhere in the name.
    var reName = /\-\-|;|\/\*|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|update|exec/i;
    if (sName.match(reExtension) || sName.match(reName))
    {
        setTimeout(function() {
            uploader.removeFile(file);
            uploader.getMainView().showWarning('Info here');
            alert(sName + ' is a disallowed filename.');
        }, 100);
    }

    return true;
}

Thanks,
Abhinit
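An added example (mine, not code from the thread or from the JumpLoader project) that makes the pattern behaviour discussed in the question and in the final solution testable in plain JavaScript. It assumes, as the thread's observations suggest (the original value blocks .exe, and kaufmed's blocklist-style value blocked everything), that the applet treats uc_fileNamePattern as an accept pattern that must match the whole file name; under that reading the substring blocklist has to be folded in with a leading negative lookahead rather than appended as a further alternative.

```javascript
// Added example, not code from the thread or from the JumpLoader project.
// Assumption: uc_fileNamePattern is an ACCEPT pattern that must match the
// whole name (Java String.matches semantics). The original value implies
// this: its lookahead (?!exe|...) matches names whose extension is NOT listed.
// File names below are constructed for illustration.

const EXT = "exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar";
const TERMS = "--|;|/\\*|char|alter|begin|cast|create|cursor|declare|delete|" +
  "drop|fetch|insert|kill|open|select|sys|table|update|exec";

// The value from the question (JS string escaping aside).
const ORIGINAL_ACCEPT = `^(.*\\.(?!${EXT})[^.]*)|([^.]+)$`;

// A blocklist-style pattern matches only names to reject; in an accept slot
// that needs a whole-name match it rejects every name.
const BLOCKLIST_ONLY = `${TERMS}|\\.(${EXT})$`;

// Accept pattern with the blocklist folded in: the leading negative lookahead
// fails the name if any term occurs anywhere, then the extension rule applies.
const HARDENED_ACCEPT = `^(?!.*(?:${TERMS}))(?:.*\\.(?!${EXT})[^.]*|[^.]+)$`;

// Whole-name, case-insensitive match: true means the gate accepts the upload.
function wholeNameMatches(pattern, name) {
  return new RegExp(`^(?:${pattern})$`, "i").test(name);
}

// Decision of each pattern for one file name.
function classify(name) {
  return {
    original: wholeNameMatches(ORIGINAL_ACCEPT, name),
    blocklistOnly: wholeNameMatches(BLOCKLIST_ONLY, name),
    hardened: wholeNameMatches(HARDENED_ACCEPT, name),
  };
}

const SAMPLES = [
  "report.pdf",                         // harmless: original and hardened accept
  "setup.exe",                          // listed extension: both reject
  "notes.txt.exe",                      // last extension counts: both reject
  "dropship.pdf",                       // contains "drop": only hardened rejects
  "Community Donations delete New.pdf", // the name from the thread: same
  "DROPSHIP.PDF",                       // (?i) covers the terms as well
  "README",                             // no extension: both accept
];

for (const name of SAMPLES) {
  console.log(name.padEnd(36), JSON.stringify(classify(name)));
}
```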
 
abhinitdAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for abhinitd's comment #a38357067

for the following reason:

fixed it myself, putting my solution as asked by the admin.
 
CEHJCommented:
Yes, and you used elements from material both I and others posted.
 
abhinitdAuthor Commented:
@CEHJ:

Actually I did not use it; it did not help me much, as I had to read a lot about regular expressions myself. But why are you posting objections? I think I already gave you points and selected your answer as helpful! I appreciated whatever help you have tried to give me!
 
CEHJCommented:
Actually i did not use it
var reExtension = /\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$/i; 

Where exactly in your own previous code did you use that non-capturing grouping?
 
abhinitdAuthor Commented:
When the custom strings suggested by you did not work, I wrote my custom function and solved it my way. But I don't think we are going anywhere with this discussion; I really, really appreciate all of the help people gave me here, and therefore I did select your last post as the solution when you posed an objection the very first time here. I am here not to argue and want this question to be closed, as my problem does not exist anymore. If you want, I can select your suggestion as the solution again; I have no issues with that, I would be more than happy to do that!
 
abhinitdAuthor Commented:
Hi _alias99,

Thank you very much for helping me out.

Best Regards,
Abhinit