WeakFilenameUtils.java

package testcode;

import static org.apache.commons.io.FilenameUtils.*;

import java.io.File;
import java.io.IOException;

public class WeakFilenameUtils {

    public static void main(String[] args) throws IOException {
        String maliciousPath = "/test%00/././../../././secret/note.cfg\u0000dummy.jpg";

        testPath(maliciousPath);
    }

    private static void testPath(String maliciousPath) throws IOException {
        String path = normalize(maliciousPath);
        System.out.println("Expected:" + path + " -> Actual:" + canonical(path));

        String extension = getExtension(maliciousPath);
        System.out.println("Expected:" + extension + " -> Actual:" + getExtension(canonical(path)));

        boolean isExtension = isExtension(maliciousPath, "jpg");
        System.out.println("Expected:" + isExtension + " -> Actual:" + isExtension(canonical(path), "jpg"));

        String name = getName(maliciousPath);
        System.out.println("Expected:" + name + " -> Actual:" + getName(canonical(name)));

        String baseName = getBaseName(maliciousPath);
        System.out.println("Expected:" + baseName + " -> Actual:" + getBaseName(canonical(baseName)));
    }

    private static String canonical(String path) throws IOException {
        return new File(path).getCanonicalPath();
    }
}