Package com.oorian.security

Class FileUploadValidator

java.lang.Object

com.oorian.security.FileUploadValidator

public class FileUploadValidator
extends Object

Validates uploaded files against the configured FileUploadConfig policies.

FileUploadValidator checks file size, extension, MIME type, and optionally validates the file's magic numbers (file signature bytes) to prevent content-type spoofing attacks.

Usage:

 FileUploadValidator.Result result = FileUploadValidator.validate(
     "photo.jpg", "image/jpeg", tempFile.length(), tempFile);

 if (!result.isValid()) {
     showError(result.getMessage());
     return;
 }
 

Since:

2.1

Version:

1.0

Author:

Marvin P. Warble Jr.

See Also:

• FileUploadConfig

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	FileUploadValidator.Result	Result of a file upload validation check.

Method Summary

Modifier and Type	Method	Description
static FileUploadConfig	getConfig()	Returns the current file upload configuration.
static boolean	isConfigured()	Returns whether file upload validation is configured.
static String	sanitizeFilename(String filename)	Sanitizes a filename by removing path traversal sequences and unsafe characters.
static FileUploadValidator.Result	validate(String originalFilename, String contentType, long fileSize, File file)	Validates an uploaded file against the configured policies.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

getConfig

public static FileUploadConfig getConfig()

Returns the current file upload configuration.

Returns:

the configuration, or null if not configured

isConfigured

public static boolean isConfigured()

Returns whether file upload validation is configured.

Returns:

true if a configuration has been set

validate

public static FileUploadValidator.Result validate(String originalFilename,
 String contentType,
 long fileSize,
 File file)

Validates an uploaded file against the configured policies.

If no configuration is set, all files are accepted.

Parameters:

originalFilename - the original filename from the client

contentType - the MIME content type reported by the client

fileSize - the file size in bytes

file - the local file for magic number validation (may be null to skip magic number checks)

Returns:

a FileUploadValidator.Result indicating whether the file passed validation

sanitizeFilename

public static String sanitizeFilename(String filename)

Sanitizes a filename by removing path traversal sequences and unsafe characters.

This method:

• Strips directory components (path separators)
• Removes null bytes and control characters
• Replaces sequences of dots that could enable path traversal
• Replaces unsafe characters with underscores

Parameters:

filename - the original filename to sanitize

Returns:

the sanitized filename, or "unnamed" if the result is empty