public class HostileAttachmentsHelper extends Object implements Serializable

java.lang.Object
   ↳ com.atlassian.jira.web.util.HostileAttachmentsHelper

Class Overview

A tool for loading and encapsulating the local policy for which MIME Content Types and file extensions may contain active executable client-side content and which therefore should be treated carefully to avoid XSS attacks via uploading these files as attachments.

Browsers use Content-Type headers and file extensions to decide whether to attempt to execute a file in a client context. Examples include JavaScript in HTML and ActionScript in .swf (Flash) binaries. Since these runtimes have access to the client-side state of the browser, they represent a potential means of stealing session cookie contents and of mounting other XSS attacks.

Summary

Constants
String DELIMITER_REGEX File extensions and content types in the config file are parsed from a list of items delimited by this regex.
Public Constructors
HostileAttachmentsHelper()
Public Methods
boolean isExecutableContentType(String contentType)
Determines if the given String is a MIME Content Type denoting client-executable active content such that if the browser opens the file, its execution could have access to the browser DOM etc.
boolean isExecutableFileExtension(String name)
Determines if the given String has an extension denoting a client-executable active content type such that if the browser opens the file, its execution could have access to the browser DOM etc.
Inherited Methods
From class java.lang.Object

Constants

public static final String DELIMITER_REGEX

File extensions and content types in the config file are parsed from a list of items delimited by this regex.

Constant Value: "\s+"

Public Constructors

public HostileAttachmentsHelper ()

Public Methods

public boolean isExecutableContentType (String contentType)

Determines if the given String is a MIME Content Type denoting client-executable active content such that if the browser opens the file, its execution could have access to the browser DOM etc., e.g. text/html. Note that the check is case insensitive.

Parameters
contentType the MIME Content Type string.
Returns
  • true only if the given contentType is one of the configured executable Content Types.

public boolean isExecutableFileExtension (String name)

Determines if the given String has an extension denoting a client-executable active content type such that if the browser opens the file, its execution could have access to the browser DOM etc. Examples include .html, .svg and .swf. Note the check is case insensitive.

Parameters
name the file name.
Returns
  • true only if the name has one of the configured extensions.
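The following is an added, hypothetical stand-in that implements the same contract as HostileAttachmentsHelper (whitespace-delimited policy lists, case-insensitive matching on content type and extension); it is not Jira's code. The class name, constructor arguments, the sample policy strings and the stripping of MIME parameters such as "; charset=utf-8" are assumptions of this example.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical re-implementation of the documented contract; not Jira's own class.
public class HostileAttachmentPolicy {
    // Mirrors DELIMITER_REGEX: configured lists are split on runs of whitespace.
    public static final String DELIMITER_REGEX = "\\s+";
    private final Set<String> executableContentTypes;
    private final Set<String> executableExtensions;

    // Constructed policy strings stand in for the configuration file a real deployment loads.
    public HostileAttachmentPolicy(String contentTypeList, String extensionList) {
        this.executableContentTypes = parse(contentTypeList);
        this.executableExtensions = parse(extensionList);
    }

    private static Set<String> parse(String list) {
        Set<String> out = new HashSet<>();
        for (String item : list.trim().split(DELIMITER_REGEX)) {
            if (item.isEmpty()) continue;
            // Accept ".html" and "html" alike; store lower-case so matching is case insensitive.
            out.add((item.startsWith(".") ? item.substring(1) : item).toLowerCase(Locale.ROOT));
        }
        return out;
    }

    public boolean isExecutableContentType(String contentType) {
        if (contentType == null) return false;
        // Assumption beyond the documented contract: compare only the media type, so that
        // "text/html; charset=utf-8" is still recognised as text/html.
        String bare = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return executableContentTypes.contains(bare);
    }

    public boolean isExecutableFileExtension(String name) {
        if (name == null) return false;
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return false; // no extension at all
        return executableExtensions.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        HostileAttachmentPolicy policy = new HostileAttachmentPolicy(
                "text/html image/svg+xml application/x-shockwave-flash", ".html .htm .svg .swf");
        String[][] uploads = {{"report.PDF", "application/pdf"},
                {"page.Html", "text/html; charset=utf-8"}, {"logo.svg", "image/svg+xml"}};
        for (String[] u : uploads) { // a hostile attachment must be served as a download, never inline
            boolean hostile = policy.isExecutableFileExtension(u[0]) || policy.isExecutableContentType(u[1]);
            System.out.println(u[0] + " -> " + (hostile ? "Content-Disposition: attachment" : "inline ok"));
        }
    }
}
```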