[GeoNetwork-devel] Restricting file uploads to a whitelisted set of types in GeoNetwork

Hi,

In a recent PEN test the testers reported that it’s possible to upload malicious files to GeoNetwork and force them to be downloaded by users. The approach they used was to upload a custom formatter but presumably the issue would occur in other places in the code too.

I’m wondering if there’s anything that can be done in Tomcat config to provide a whitelist of file types that can be uploaded? Or should I report this as an issue?

Thanks

Jo


Jo Cook
t:+44 7930 524 155/twitter:@archaeogeek
Please note that currently I do not work on Friday afternoons. For urgent responses at that time, please visit support.astuntechnology.com or phone our office on 01372 744009

Hi Jo

I am not sure if that can be set up in Tomcat. It can be something to configure in GeoNetwork, with a default list of files that users can customise, and use Apache Tika or https://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html#probeContentType(java.nio.file.Path) to identify the file MIME type from the file content.

Specifically for the formatters upload, I’m not really sure if that is used (same for schemas upload); I think we should do a cleanup for these features as well.

Regards,
Jose García


Vriendelijke groeten / Kind regards,

Jose García


Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

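A sketch of the configurable allow-list suggested in the reply above, as an added example that is not GeoNetwork code or part of either message. The class name, the three allow-list entries and the sample files are hypothetical. It uses only the JDK: a leading-bytes signature check stands in for Apache Tika, and `Files.probeContentType` is printed for comparison because its result is implementation-specific and can be `null` or derived from the file name.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

public class UploadAllowList {
    // Hypothetical allow-list: extension -> bytes the stored content must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII),
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "zip", new byte[] {'P', 'K', 0x03, 0x04});

    /** True only if the claimed extension is listed and the content carries its signature. */
    static boolean isAllowed(String clientFileName, Path stored) throws IOException {
        int dot = clientFileName.lastIndexOf('.');
        if (dot < 0) return false;                     // no extension: reject
        String ext = clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) return false;               // type not on the list
        try (InputStream in = Files.newInputStream(stored)) {
            byte[] head = in.readNBytes(magic.length); // short files yield fewer bytes
            return Arrays.equals(head, magic);         // name and content must agree
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("upload-check");
        // Constructed samples: a bare PNG signature, and HTML that will be named .png.
        Path png = Files.write(dir.resolve("a.bin"), ALLOWED.get("png"));
        Path html = Files.write(dir.resolve("b.bin"),
            "<html><script>/* sample */</script></html>".getBytes(StandardCharsets.UTF_8));
        System.out.println("logo.png (PNG bytes):  " + isAllowed("logo.png", png));
        System.out.println("logo.png (HTML bytes): " + isAllowed("logo.png", html));
        System.out.println("formatter.xsl:         " + isAllowed("formatter.xsl", html));
        // JDK detector for comparison; do not rely on it alone for the decision.
        System.out.println("probeContentType:      " + Files.probeContentType(html));
    }
}
```

The check runs against the file as stored on the server, not the `Content-Type` header sent by the client, and rejects when the extension and the content signature disagree.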