Hi,
In a recent pen test the testers reported that it's possible to upload malicious files to GeoNetwork and force them to be downloaded by users. The approach they used was to upload a custom formatter, but presumably the issue would occur in other places in the code too.
I’m wondering if there’s anything that can be done in tomcat config to provide a whitelist of file types that can be uploaded? Or should I report this as an issue?
Thanks
Jo
Jo Cook
t:+44 7930 524 155/twitter:@archaeogeek
Please note that currently I do not work on Friday afternoons. For urgent responses at that time, please visit support.astuntechnology.com or phone our office on 01372 744009
Hi Jo
I am not sure if that can be set up in Tomcat. It can be something to configure in GeoNetwork, with a default list of files that users can customise, and use Apache Tika or https://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html#probeContentType(java.nio.file.Path) to identify the file MIME type from the file content.
Specifically for the formatters upload, I’m not really sure if that is used (same for schemas upload), I think we should do a cleanup for these features as well.
Regards,
Jose García
Vriendelijke groeten / Kind regards,
Jose García
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664
Please consider the environment before printing this email.
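As an added illustration of the approach Jose describes (not GeoNetwork code), the check below combines a configurable extension allowlist with content sniffing, so a file named `report.pdf` whose bytes are actually HTML or a script is rejected rather than stored and later served. The class name, the allowlist entries and the hand-written magic-byte sniffer are assumptions for the example; Apache Tika would replace the sniffer, and `Files.probeContentType` is only a fallback because on many platforms it decides by extension, not content. Assumes Java 11 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical upload check: extension allowlist plus content sniffing. */
public final class UploadTypeCheck {
    // Constructed allowlist: lower-case extension -> MIME types acceptable for it.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "png", Set.of("image/png"),
        "pdf", Set.of("application/pdf"),
        "zip", Set.of("application/zip"),
        "xsl", Set.of("application/xml", "text/xml", "application/xslt+xml"));

    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] PDF = {'%', 'P', 'D', 'F', '-'};
    private static final byte[] ZIP = {'P', 'K', 0x03, 0x04};
    private static final byte[] XML = {'<', '?', 'x', 'm', 'l'};

    /** Sniff the MIME type from leading bytes; fall back to probeContentType, which may be extension-based. */
    static String sniffMimeType(Path file) throws IOException {
        byte[] head = new byte[8];
        int n;
        try (InputStream in = Files.newInputStream(file)) { n = in.read(head); }
        if (startsWith(head, n, PNG)) return "image/png";
        if (startsWith(head, n, PDF)) return "application/pdf";
        if (startsWith(head, n, ZIP)) return "application/zip";
        if (startsWith(head, n, XML)) return "application/xml";
        String probed = Files.probeContentType(file);   // platform-dependent, may be null
        return probed == null ? "application/octet-stream" : probed;   // unknown: fail closed
    }

    private static boolean startsWith(byte[] buf, int len, byte[] magic) {
        return len >= magic.length && Arrays.equals(Arrays.copyOf(buf, magic.length), magic);
    }

    /** Accept only when the extension is allowlisted AND the sniffed type matches that extension. */
    public static boolean isAcceptable(Path file) throws IOException {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return false;   // no usable extension
        Set<String> ok = ALLOWED.get(name.substring(dot + 1).toLowerCase(Locale.ROOT));
        return ok != null && ok.contains(sniffMimeType(file));
    }

    public static void main(String[] args) throws IOException {
        for (String a : args) System.out.println(a + " -> " + (isAcceptable(Path.of(a)) ? "accept" : "reject"));
    }
}
```

Run it as `java UploadTypeCheck some.pdf some.xsl` to see each file accepted or rejected; the same check belongs in every upload path (formatters, schemas, metadata attachments), not only the one the testers used.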