Solved

Regular Expression: Check for substrings in a file name

Posted on 2012-08-17
31
Medium Priority
703 Views
Last Modified: 2012-09-01


Hi,

We use jump uploader (applet) to upload files to our application. There is a requirement to block certain files which contain a certain set of substrings or characters. It uses a regex to check for file name patterns, and here is the regex string it uses to check for patterns:

<param name="uc_fileNamePattern" value="(?i)^(.*\.(?!exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)[^\.]*)|([^\.]+)$">

So the above example blocks files with any of the extensions listed, e.g.:
exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar

We need to modify the regex so those extensions are still blocked, but additionally we want to block filenames that contain any of the terms listed below.

For example we would want to block ‘dropship.pdf’ because the filename contains the term ‘drop’

The new set of characters/substrings which need to be checked in the file name is:
--
;
/*
char
alter
begin
cast
create
cursor
declare
delete
drop
fetch
insert
kill
open
select
sys
table
update
exec


The regex string provided in the value needs to be modified so that files containing the above substrings in the file name are blocked. Any help with that will be hugely appreciated.


Thanks In Advance,
Abhinit
Question by:abhinitd

28 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 38304357
Try:

(?i)(--|;|/\*|char|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|table|update|exec|\.(exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$)


0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38304399
Try:
You'd probably want to use non-capturing groups per the original, or you'd likely give the regex engine a considerable and unnecessary overhead.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 38304410
@CEHJ

Admittedly, I was being lazy, but I doubt the overhead of a capture group would cause an issue in this case.
0

 
LVL 49

Expert Comment

by:Roonaan
ID: 38304701
Isn't it better to change your server-side script to be SQL-injection proof? What if someone with bad intents doesn't use your applet, but a straight HTTP file upload call? Your DB is still unprotected.

My 2cts,

-r-
0
 

Author Comment

by:abhinitd
ID: 38304924
Hi Roonaan,

We have an HTTP request filtering module installed on our web server to take care of SQL injection attempts, and that is the reason why we need to extend the regex expression mentioned above: when a user tries to upload files with those substrings in the file name, IIS does not allow it to be processed and displays an error page to the users which looks a little ugly. So we need to block those keywords/substrings from the file name at the time of user upload. Check this out:

http://blogs.iis.net/wadeh/archive/2008/12/18/filtering-for-sql-injection-on-iis-7-and-later.aspx

Thanks,
Abhinit
0
 

Author Comment

by:abhinitd
ID: 38307144
@kaufmed:

There was not any overhead, but the regex string you suggested did not work as desired; it's blocking every file name now :)

Did we miss anything on the regex string?

Thanks in Advance,
Abhinit
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38307587
Try

<param name="uc_fileNamePattern" value="(?i)(?:^.*(?:--|;|/\*|char|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|table|update|exec).*$)|^(.*\.(?!exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)[^\.]*)|([^\.]+)$">


0
 

Author Comment

by:abhinitd
ID: 38307642
Hi CEHJ,

Thanks a ton for replying back. I tried your suggestion but it does not seem to work. It's blocking the extensions (e.g. .exe), but when I tried to upload a file named:

Community Donations delete New.pdf

the regex was not able to find delete in the file name. Maybe we are missing something?


Thanks in Advance,
Abhinit
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38307664
Well, there is of course the added complication of how the tag operates. It would be easy enough to test the operation of the pattern in an independent application.
0
 
LVL 17

Expert Comment

by:krakatoa
ID: 38307665
*Not* a regex user much at all here, but if you can get hold of the filenames easily, then:

// Java: flag a filename that contains any of the blocked substrings
String filename = "beginmaliciouscharcast.alter";

CharSequence[] cs = {"char", "alter", "begin", "cast", "create", "cursor"};

for (CharSequence s : cs) {
    if (filename.contains(s)) { System.out.println("Hit!"); }
}


perhaps could help.
0
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 1500 total points
ID: 38307701
Can you test the following just for extensions please?

<param name="uc_fileNamePattern" value="(?i)^(.*\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar))|(?:[^\.]+)$">


0
 

Author Comment

by:abhinitd
ID: 38337421
Solved it myself, closing the question now....!
0
 

Author Comment

by:abhinitd
ID: 38337457
I've requested that this question be closed as follows:

Accepted answer: 0 points for abhinitd's comment #a38337421

for the following reason:

worked and fixed the issue myself. Experts' advice did not help.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38337458
Plenty of help given. Little feedback
0
 

Author Comment

by:abhinitd
ID: 38337472
I appreciated your help/comments but it did not work in my case. I am ready to give the feedback, no problem. How do I do that?
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38337484
I asked for feedback in my last comment, but it's too late now
0
 

Author Comment

by:abhinitd
ID: 38337560
appreciate the help
0
 

Author Comment

by:abhinitd
ID: 38337562
Gave you the feedback, please get this question closed now.
0
 
LVL 17

Expert Comment

by:krakatoa
ID: 38337571
Spurning the comments of a Savant is just *not* the way to go, abhinitd.
0
 

Author Comment

by:abhinitd
ID: 38337703
@krakatoa: I am sorry, but I never did. I always appreciated the suggestions provided here, and that is the reason why I selected CEHJ's last suggestion as the answer, even though it was not the solution to my case...! If you read the entire thread you will realize that I have always appreciated the suggestions posted here on the question.

Just don't want to keep this question open when it's fixed already...!

Thanks,
Abhinit
0
 
LVL 17

Expert Comment

by:krakatoa
ID: 38337760
It's common EE etiquette to post a problem's resolution for the benefit of future visitors. Maybe if you need help in the future, you could bear that in mind; although I won't be reading it myself, of course, you follow.
0
 

Accepted Solution

by:
abhinitd earned 0 total points
ID: 38357067
Hi,

I was away for some work, sorry about that. I am posting my complete troubleshooting steps here now:

As it was the jump uploader (applet), and I had to write a regex to fix the issue, I learned it and wrote my own, and here is the one which worked for me:

// regex literal (not a quoted string), matched anywhere in the file name
var reName = /\-\-|;|\/\*|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|update|exec/i;


You can paste the above string anywhere and it should work. I created two different strings for checking the file extension and the file name (as explained in my first post). Here is the complete post if someone comes across the same issue in jump uploader:

function uploaderFileAdded(uploader, file) {
    var sName = file.getName() + '';   // force a JavaScript string
    // blocked extensions, matched at the end of the name
    var reExtension = /\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$/i;
    // blocked substrings, matched anywhere in the name
    var reName = /\-\-|;|\/\*|alter|begin|cast|create|cursor|declare|delete|drop|fetch|insert|kill|open|select|sys|update|exec/i;
    if (sName.match(reExtension) || sName.match(reName)) {
        // remove the file once the uploader has finished adding it
        setTimeout(function () {
            uploader.removeFile(file);
            uploader.getMainView().showWarning('Info here');
            alert(sName + ' is a disallowed filename.');
        }, 100);
    }
    return true;
}



Thanks,
Abhinit
0
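The filename checks discussed in this thread (the question's uc_fileNamePattern and the accepted answer's two regexes), as an added example that is not the poster's or the uploader's code. It assumes the applet matches uc_fileNamePattern against the whole file name, and it goes one step beyond the thread by also folding the term check into the original allowlist-style pattern as a negative lookahead; the sample names are constructed.

```javascript
// Added example, not the poster's or the uploader's code: the two checks
// discussed in this thread as plain functions, run against constructed names.
// Extension and term lists are the ones given in the question.
const BLOCKED_EXTENSIONS = ["exe", "bat", "jpg", "gif", "png", "bmp", "tif",
  "tiff", "asp", "aspx", "php", "html", "js", "jar"];
const BLOCKED_TERMS = ["--", ";", "/*", "char", "alter", "begin", "cast",
  "create", "cursor", "declare", "delete", "drop", "fetch", "insert", "kill",
  "open", "select", "sys", "table", "update", "exec"];

// Escape regex metacharacters so "/*" is matched literally, not as "/" repeated.
function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }
const termAlt = BLOCKED_TERMS.map(escapeRe).join("|");
const extAlt = BLOCKED_EXTENSIONS.join("|");

// Blocklist form (the accepted answer): a match means "reject the file".
const reExtension = new RegExp("\\.(?:" + extAlt + ")$", "i");
const reName = new RegExp(termAlt, "i");
function isDisallowedName(name) {
  return reExtension.test(name) || reName.test(name);
}

// Allowlist form, the shape of the original uc_fileNamePattern: that pattern
// matches names to ACCEPT (note the negative lookahead on the extension), so
// the term check has to be a negative lookahead as well. Put a blocklist
// alternation in that slot instead and a match means accept, so only names
// containing a blocked term or extension would pass. Anchored at both ends
// because RegExp.test() finds substrings; the applet is assumed here to match
// its pattern against the whole name. The extension lookahead is left
// unanchored as in the original, so "x.jsp" is refused as if it were ".js".
const allowedPattern = new RegExp(
  "^(?!.*(?:" + termAlt + "))" +                    // no blocked term anywhere
  "(?:.*\\.(?!" + extAlt + ")[^.]*|[^.]+)$", "i");  // extension not blocked
function isAllowedName(name) { return allowedPattern.test(name); }

// Constructed sample names; "chart.pdf" shows that substring terms such as
// "char" also hit ordinary words, so expect false positives with this list.
const SAMPLE_NAMES = ["notes.pdf", "dropship.pdf",
  "Community Donations delete New.pdf", "report.exe", "chart.pdf", "README"];
for (const n of SAMPLE_NAMES) {
  console.log(n, "->", isDisallowedName(n) ? "blocked" : "allowed");
}
```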
 

Author Comment

by:abhinitd
ID: 38357117
I've requested that this question be closed as follows:

Accepted answer: 0 points for abhinitd's comment #a38357067

for the following reason:

fixed it myself, putting my solution as asked by the admin.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38357118
Yes and you used elements from material both I and others posted
0
 

Author Comment

by:abhinitd
ID: 38357218
@CEHJ:

Actually I did not use it; it did not help me much, as I had to read a lot about regular expressions myself. But why are you posting objections? I think I already gave you points and selected your answer as helpful..! I appreciated whatever help you have tried to give me...!
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 38357235
Actually i did not use it
var reExtension = /\.(?:exe|bat|jpg|gif|png|bmp|tif|tiff|asp|aspx|php|html|js|jar)$/i; 



Where exactly in your own previous code did you use that non-capturing grouping?
0
 

Author Comment

by:abhinitd
ID: 38357240
When the custom strings suggested by you did not work, I wrote my custom function and solved it my way. But I don't think we are going anywhere with this discussion; I really, really appreciate all of the help people gave me here, and therefore I did select your last post as the solution when you posted an objection the very first time here. I am here not to argue, and want this question to be closed as my problem does not exist anymore. If you want, I can select your suggestion as the solution again; I have no issues with that, I would be more than happy to do that...!
0
 

Author Comment

by:abhinitd
ID: 38357287
Hi _alias99,

Thank you very much for helping me out.

Best Regards,
Abhinit
0
