Java File Read Path Manipulation

Author: sahildari

Path Manipulation/Path Manipulation while File Upload/java/.gitignore

@@ -17,33 +17,48 @@ The Path Manipulation logic checks for the following:
 ## Directory Structure for Path Manipulation
 ```
 Path Manipulation
-    ├───Path Manipulation while File Read
-    │   ├───java
-    │   └───python
-    │       └───securecodingexamples
-    │           └───fileread
-    │               └───pathmaniuplation
-    │                   └───src
-    │                       └───templates
-    └───Path Manipulation while File Upload
-        ├───java
-        │   └───src
-        │       ├───main
-        │       │   ├───java
-        │       │   │   └───securecodingexamples
-        │       │   │       └───fileupload
-        │       │   │           └───pathmanipulation
-        │       │   └───resources
-        │       │       └───static
-        │       └───test
-        │           └───java
-        │               └───securecodingexamples
-        │                   └───fileupload
-        │                       └───pathmanipulation
-        └───python
-            └───securecodingexamples
-                └───fileupload
-                    └───pathmanipulation
-                        └───src
-                            └───templates
-```
+├───while File Read
+│   ├───java
+│   │   └───fileread.pathmanipulation
+│   │       └───src
+│   │           ├───main
+│   │           │   ├───java
+│   │           │   │   └───securecodingexamples
+│   │           │   │       └───fileread
+│   │           │   │           └───pathmanipulation
+│   │           │   └───resources
+│   │           │       └───templates
+│   │           └───test
+│   │               └───java
+│   │                   └───securecodingexamples
+│   │                       └───fileread
+│   │                           └───pathmanipulation
+│   └───python
+│       └───securecodingexamples
+│           └───fileread
+│               └───pathmaniuplation
+│                   └───src
+│                       └───templates
+└───while File Upload
+    ├───java
+    │   └───fileupload.pathmanipulation
+    │       └───src
+    │           ├───main
+    │           │   ├───java
+    │           │   │   └───securecodingexamples
+    │           │   │       └───fileupload
+    │           │   │           └───pathmanipulation
+    │           │   └───resources
+    │           │       └───static
+    │           └───test
+    │               └───java
+    │                   └───securecodingexamples
+    │                       └───fileupload
+    │                           └───pathmanipulation
+    └───python
+        └───securecodingexamples
+            └───fileupload
+                └───pathmanipulation
+                    └───src
+                        └───templates
+```

Path Manipulation/Path Manipulation while File Upload/java/README.md

@@ -0,0 +1,3 @@
+## Path Manipulation while File Read or while File Download
+
+This logic is helpful while you are facing the ___Path Manipulation___ issue in the File Downlaod/Read functionality. 

Path Manipulation/README.md

@@ -0,0 +1,33 @@
+# Path Manipulation
+
+This maven project is to help to mitigate the path manipulation issues. You can use the logic in the [DownloadController.java](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java) in your local [Maven](https://maven.apache.org/), [Gradle](https://gradle.org/) or other Java Applications.
+
+## Code Structure
+
+[HomeController](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/HomeController.java) file serves the [index.html](./fileread.pathmanipulation/src/main/resources/templates/index.html) to serve as the Fronted for the File Upload.
+
+[UploadController.java](./fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java) file contains the logic for the file Upload and the Filename validation, Extension Validation during the File Upload.
+
+[resources/templates](./fileread.pathmanipulation/src/main/resources/templates/) Directory contains the index.html.
+
+## Installation
+1. Clone the repository:
+```sh
+git clone https://github.com/sahildari/secure-coding-examples
+cd 'Path Manipulation/while File Read/java/fileread.pathmanipulation'
+```
+2. Install the package:
+
+**MacOS/Linux:**
+```sh
+./mvnw clean spring-boot:run
+```
+
+**Windows:**
+```sh
+mvnw.cmd clean spring-boot:run
+```
+3. Open in Browser:
+```
+http://127.0.0.1:8080
+```

Path Manipulation/while File Read/README.md

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>3.4.3</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+	<groupId>securecodingexamples</groupId>
+	<artifactId>fileread.pathmanipulation</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>fileread.pathmanipulation</name>
+	<description>Path Manipulation Secure Coding Example with File Read</description>
+	<url/>
+	<licenses>
+		<license/>
+	</licenses>
+	<developers>
+		<developer/>
+	</developers>
+	<scm>
+		<connection/>
+		<developerConnection/>
+		<tag/>
+		<url/>
+	</scm>
+	<properties>
+		<java.version>21</java.version>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+
+		<dependency>
+    		<groupId>org.springframework.boot</groupId>
+    		<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>

Path Manipulation/while File Read/java/README.md

@@ -0,0 +1,102 @@
+package securecodingexamples.fileread.pathmanipulation;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.UrlResource;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
+
+import java.io.File;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.List;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+@SpringBootApplication
+@RestController
+public class DownloadController {
+
+    private static final Logger logger = Logger.getLogger(DownloadController.class.getName());
+    private static final String TEMP_DIRECTORY = System.getProperty("java.io.tmpdir");
+    private static final String UPLOAD_DIRECTORY = TEMP_DIRECTORY + File.separator + "Uploads";
+    private static final String[] ALLOWED_EXTENSIONS = {"txt", "pdf"};
+    private static final Pattern FILENAME_REGEX_PATTERN = Pattern.compile("[a-zA-Z0-9-_]+");
+
+    public static void main(String[] args) {
+        SpringApplication.run(DownloadController.class, args);
+    }
+
+    @RequestMapping("/download/{filename}")
+    @ResponseBody
+    public ResponseEntity<Resource> downloadFile(@PathVariable String filename) {
+        try {
+            logger.info("Download request received for: " + filename);
+
+            if (filename==null || !isValidName(filename)) {
+                logger.warning("Invalid filename requested");
+                return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(null);
+            }
+
+            if (filename==null || !isValidExtension(filename)) {
+                logger.warning("Invalid file extension ");
+                return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(null);
+            }
+
+            if (isValidName(filename) && isValidExtension(filename)) {
+                filename = validFilename(filename);
+                Path filePath = Paths.get(UPLOAD_DIRECTORY).resolve(filename).normalize();
+                Resource resource = new UrlResource(filePath.toUri());
+
+                if (!resource.exists() || !resource.isReadable()) {
+                    logger.warning("File not found or not readable: " + filename);
+                    return ResponseEntity.status(HttpStatus.NOT_FOUND).body(null);
+                }
+
+                logger.info("File found: " + filename + " at " + filePath);
+                logger.info("Downloading file: " + resource);
+                return ResponseEntity.ok()
+                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + filename + "\"")
+                .body(resource);
+            }
+            logger.warning("Invalid filename requested");
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(null);
+        }
+        
+        catch (Exception e) {
+            logger.severe("Error downloading file: " + e.getMessage());
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(null);
+        }
+    }
+
+    private static boolean isValidName(String filename) {
+        String name = filename.split("\\.", 2)[0];
+        return name.matches(FILENAME_REGEX_PATTERN.pattern());
+    }
+
+    private static String validFilename(String filename) {
+        String name = filename.split("\\.", 2)[0];
+        String extension = filename.split("\\.", 2)[1];
+        return name + "." + extension;
+    }
+
+    private static boolean isValidExtension(String filename) {
+        String extension = filename.split("\\.", 2)[1];
+        for (String ext : ALLOWED_EXTENSIONS) {
+            if (ext.equals(extension)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}

Path Manipulation/while File Read/java/fileread.pathmanipulation/pom.xml

@@ -0,0 +1,33 @@
+package securecodingexamples.fileread.pathmanipulation;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class HomeController {
+    private static final String TEMP_DIRECTORY = System.getProperty("java.io.tmpdir");
+    private static final String UPLOAD_DIRECTORY = TEMP_DIRECTORY + File.separator + "Uploads";
+
+    @GetMapping("/")
+    public String listFiles(Model model) {
+        File folder = new File(UPLOAD_DIRECTORY);
+        if (!folder.exists()) {
+            folder.mkdirs();
+        }
+        
+        List<String> files = Arrays.stream(folder.listFiles())
+                .filter(File::isFile)
+                .map(File::getName)
+                .collect(Collectors.toList());
+
+        model.addAttribute("files", files);
+        return "index"; // Renders index.html
+    }
+    
+}

Path Manipulation/while File Read/java/fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java

@@ -0,0 +1,7 @@
+spring.application.name=fileread.pathmanipulation
+logging.file.path=${java.io.tmpdir}/log
+logging.file=application.log
+logging.level.org.springframework=INFO
+spring.thymeleaf.prefix=classpath:/templates/
+spring.thymeleaf.suffix=.html
+spring.web.resources.static-locations=classpath:/static/

Path Manipulation/while File Read/java/fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/HomeController.java

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Download Files</title>
+</head>
+<body>
+    <h1>Files Available for Download</h1>
+    <ul>
+        <li th:each="file : ${files}">
+            <a th:href="@{download/{filename}(filename=${file})}" th:text="${file}"></a>
+        </li>
+    </ul>
+</body>
+</html>