From a61818108744b573051d9a5c4163a34ff832e5d5 Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 14 Dec 2023 19:57:04 +0530
Subject: [PATCH 1/2] Add compliant and noncompliant examples of java/unrestricted-file-upload@v1.0
---
 .../UnrestrictedFileUpload.java | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
diff --git a/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java b/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
new file mode 100644
index 0000000..2498da0
--- /dev/null
+++ b/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package detectors.unrestricted_file_upload;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.InputStream;
+import java.io.File;
+import java.util.HashMap;
+import org.springframework.util.StringUtils;
+import javax.servlet.ServletException;
+import javax.servlet.http.Part;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
+
+public class UnrestrictedFileUpload {
+
+ // {fact rule=unrestricted-file-upload@v1.0 defects=1}
+ public void unrestrictedFileUploadNoncompliant(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ Part filePart = request.getPart("fileToUpload");
+ InputStream fileInputStream = filePart.getInputStream();
+ // Noncompliant: the uploaded file can have any extension.
+ File fileToSave = new File("WebContent/uploaded-files/" + filePart.getSubmittedFileName());
+ Files.copy(fileInputStream, fileToSave.toPath(), StandardCopyOption.REPLACE_EXISTING);
+ response.getOutputStream().println("

File was uploaded.

");
+ }
+ // {/fact}
+
+ // {fact rule=unrestricted-file-upload@v1.0 defects=0}
+ public void unrestrictedFileUploadCompliant(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ Part filePart = request.getPart("fileToUpload");
+ // Compliant: the uploaded file must have one of the allowed extensions.
+ if (filePart.getSubmittedFileName().endsWith(".jpg") || filePart.getSubmittedFileName().endsWith(".png")) {
+ InputStream fileInputStream = filePart.getInputStream();
+ File fileToSave = new File("WebContent/uploaded-files/" + filePart.getSubmittedFileName());
+ Files.copy(fileInputStream, fileToSave.toPath(), StandardCopyOption.REPLACE_EXISTING);
+ response.getOutputStream().println("

File was uploaded.

");
+ }
+ else {
+ response.getOutputStream().println("

File was not uploaded.

");
+ }
+ }
+ // {/fact}
+
+}
From 27c006a4ae3ddb5bf3885c012f24c3e2cba893d2 Mon Sep 17 00:00:00 2001
From: Riya
Date: Thu, 14 Dec 2023 20:16:55 +0530
Subject: [PATCH 2/2] Add compliant and noncompliant examples of java/unrestricted-file-upload@v1.0
---
 .../unrestricted_file_upload/UnrestrictedFileUpload.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java b/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
index 2498da0..5bb93d7 100644
--- a/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
+++ b/src/java/detectors/unrestricted_file_upload/UnrestrictedFileUpload.java
@@ -14,13 +14,14 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.Part;
 import java.io.IOException;
+import javax.servlet.ServletException;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 public class UnrestrictedFileUpload {
 // {fact rule=unrestricted-file-upload@v1.0 defects=1}
- public void unrestrictedFileUploadNoncompliant(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ public void unrestrictedFileUploadNoncompliant(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 Part filePart = request.getPart("fileToUpload");
 InputStream fileInputStream = filePart.getInputStream();
 // Noncompliant: the uploaded file can have any extension.
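Review bot: The compliant example, `unrestrictedFileUploadCompliant`, still concatenates the client-supplied `filePart.getSubmittedFileName()` into `new File("WebContent/uploaded-files/" + ...)`, so a name such as `../../x.jpg` passes the `endsWith(".jpg")` check and is written outside the upload directory — readers copy "compliant" samples, so the fix shown for this rule should not carry a path-traversal hole. Resolving the name against the upload root and rejecting anything whose normalized path does not stay under it closes that, and a try-with-resources around `getInputStream()` fixes the stream the sample never closes (both methods). `getSubmittedFileName()` can also be null for a part sent without a filename parameter, which throws NullPointerException before the extension check runs. `REPLACE_EXISTING` combined with a caller-chosen name additionally lets any uploader overwrite an existing `.jpg`/`.png` in that directory; if the sample means to keep that, a comment saying so would help. `java.nio.file.Path`/`Paths` would need importing; the response lines are left as they are.
```java
String name = filePart.getSubmittedFileName();
if (name != null && (name.endsWith(".jpg") || name.endsWith(".png"))) {
    // Resolve against the upload root and refuse names that escape it (e.g. "../../x.jpg").
    Path base = Paths.get("WebContent/uploaded-files").toAbsolutePath().normalize();
    Path target = base.resolve(name).normalize();
    if (!target.startsWith(base)) {
        // … unchanged: "not uploaded" response …
        return;
    }
    try (InputStream fileInputStream = filePart.getInputStream()) {
        Files.copy(fileInputStream, target, StandardCopyOption.REPLACE_EXISTING);
    }
    // … unchanged: "uploaded" response …
}
```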
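Review bot: The added `import javax.servlet.ServletException;` duplicates the identical import shown as context at the top of this hunk, so the new line is redundant; javac tolerates a repeated single-type import of the same type, but it reads as a leftover and import-order checkers will flag it. Drop the added import line and keep only the `throws ServletException, IOException` change, which is the part that matters because `request.getPart(...)` declares ServletException.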
@@ -31,7 +32,7 @@ public void unrestrictedFileUploadNoncompliant(HttpServletRequest request, HttpS
 // {/fact}
 // {fact rule=unrestricted-file-upload@v1.0 defects=0}
- public void unrestrictedFileUploadCompliant(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ public void unrestrictedFileUploadCompliant(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 Part filePart = request.getPart("fileToUpload");
 // Compliant: the uploaded file must have one of the allowed extensions.
 if (filePart.getSubmittedFileName().endsWith(".jpg") || filePart.getSubmittedFileName().endsWith(".png")) {
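Review bot: The `if` at the end of this hunk calls `filePart.getSubmittedFileName()` twice and dereferences the result unguarded; a part sent without a filename parameter (or a missing `fileToUpload` part, for which `getPart` can return null) throws NullPointerException instead of taking the "not uploaded" branch. Read the name once into a local and test for null first, `String name = filePart.getSubmittedFileName();` / `if (name != null && (name.endsWith(".jpg") || name.endsWith(".png"))) {`. The added `throws ServletException` is appropriate for `getPart`; the method body continues past the end of the hunk.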