Header Manipulation issue with HP Fortify in HTTP response [java]
I'm trying to fix a "Header Manipulation" issue returned by HP Fortify Scan for this code. I don't know if files are already validated during upload (I think not). I tried to use a RegEx to validate the filename with no success. Can anyone help me?
```java
// Blob.getBytes(pos, length): position is 1-based, so the copy starts at byte 1
b = uploadedFiles.getFilecontent().getBytes(1,
        uploadedFiles.getFilesize().intValue());
if (b != null) {
    response.reset();
    // filename and content type both come from the stored upload record,
    // i.e. originally from the client
    String fileName = uploadedFiles.getFilename();
    String header = "attachment; filename=\"" + fileName + "\"";
    String contentType = uploadedFiles.getFilecontenttype();
    response.setContentType(uploadedFiles.getFilecontenttype());
    response.addHeader("Content-Transfer-Encoding", "Binary");
    response.addHeader("Cache-Control", "must-revalidate, private");
    response.setContentLength(b.length);
    FileCopyUtils.copy(b, response.getOutputStream());
    response.getOutputStream().flush();
    response.getOutputStream().close();
}
```
What I tried:

```java
String fileName = uploadedFiles.getFilename();
// only letters, dot, underscore and space are accepted; matches() requires
// the whole name to match the pattern
String regex = "[a-zA-Z._ ]*";
if (b != null && fileName.matches(regex)) {
    response.reset();
    // String fileName = uploadedFiles.getFilename();
    String header = "attachment; filename=\"" + fileName + "\"";
    String contentType = uploadedFiles.getFilecontenttype();
    response.setContentType(uploadedFiles.getFilecontenttype());
    response.addHeader("Content-Transfer-Encoding", "Binary");
    response.addHeader("Cache-Control", "must-revalidate, private");
    response.setHeader("Content-Disposition", header);
    response.setContentLength(b.length);
    FileCopyUtils.copy(b, response.getOutputStream());
    response.getOutputStream().flush();
    response.getOutputStream().close();
}
```
Solution 1:[1]

You should use a method to filter the sensitive info in `response.setHeader("Content-Disposition", header)`. Just using `fileName.matches(regex)` is too simple.
Solution 2:[2]

```java
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
```

First of all, you could fix a redundancy here. Secondly, the problem may come from the fact that you don't try to validate the content type. What if the content type had been altered and didn't match what the file really is? Each user input should be sanitized and/or compared to a white list of contents that you actually expect.

EDIT: the same goes for the filename. Sanitize this field.
Solution 3:[3]

You can use this method to validate header values, in this case the filename:

```java
import java.io.UnsupportedEncodingException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Header manipulation
public static String validateHeaders(String header) throws UnsupportedEncodingException {
    // re-encode the value so only single-byte characters remain
    String filename = new String(header.getBytes("UTF-8"), "ISO-8859-1");
    // strip characters that have no place in a filename, including CR and LF,
    // which would otherwise let a value terminate the header and start a new one
    // (the original regex wrote these as "\\/r\\/n", which matches the letters
    // r and n rather than the control characters)
    String regex = "[`~!@#$%^&*()+={}|:\"?></\\r\\n]";
    Pattern pa = Pattern.compile(regex);
    Matcher ma = pa.matcher(filename);
    if (ma.find()) {
        filename = ma.replaceAll("");
    }
    return filename;
}

String header = "attachment; filename=\"" + validateHeaders(fileName) + "\"";
```
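Both Solution 2 (validate the content type against a white list, sanitize the filename) and Solution 3 (strip dangerous characters before building `Content-Disposition`) point at the same fix. The following is an added example, not code from the question or any of the answers, that puts both into one helper using an allow-list instead of a deny-list regex: the class name `SafeDownloadHeaders`, the set of accepted MIME types and the replacement character are assumptions for illustration, and it needs Java 11 or later for `Set.of`, `String.isBlank` and the `URLEncoder.encode(String, Charset)` overload.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (hypothetical class, not from the original page): builds the
// download headers from values a client originally supplied.
public final class SafeDownloadHeaders {

    // Assumption: only these types are ever expected from the upload feature.
    private static final Set<String> ALLOWED_CONTENT_TYPES = Set.of(
            "application/pdf", "image/png", "image/jpeg", "text/plain");

    // Allow-list for the filename: anything outside this class is replaced,
    // which covers CR, LF, quotes, semicolons and path separators at once.
    private static final Pattern UNSAFE_CHARS = Pattern.compile("[^A-Za-z0-9 ._-]");

    private static final int MAX_NAME_LENGTH = 100;

    public static String sanitizeFileName(String raw) {
        if (raw == null || raw.isBlank()) {
            return "download";
        }
        // Keep only the last path segment in case a directory was sent along.
        String base = raw;
        int cut = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (cut >= 0) {
            base = base.substring(cut + 1);
        }
        String cleaned = UNSAFE_CHARS.matcher(base).replaceAll("_");
        // Drop leading dots (no hidden or ".." names) and cap the length.
        cleaned = cleaned.replaceFirst("^\\.+", "");
        if (cleaned.length() > MAX_NAME_LENGTH) {
            cleaned = cleaned.substring(0, MAX_NAME_LENGTH);
        }
        return cleaned.isEmpty() ? "download" : cleaned;
    }

    // Quoted ASCII form plus the RFC 5987 filename* form, both built from the
    // sanitized name, so the header can never contain a line break.
    public static String contentDisposition(String raw) {
        String safe = sanitizeFileName(raw);
        String encoded = URLEncoder.encode(safe, StandardCharsets.UTF_8).replace("+", "%20");
        return "attachment; filename=\"" + safe + "\"; filename*=UTF-8''" + encoded;
    }

    // Content type is looked up in the allow-list; anything unknown is served
    // as a generic binary stream rather than echoed back to the browser.
    public static String validateContentType(String raw) {
        if (raw == null) {
            return "application/octet-stream";
        }
        String mime = raw.split(";", 2)[0].trim().toLowerCase();
        return ALLOWED_CONTENT_TYPES.contains(mime) ? mime : "application/octet-stream";
    }

    public static void main(String[] args) {
        // Constructed inputs: a filename carrying CR/LF and a spoofed content type.
        System.out.println(contentDisposition("report.pdf\r\nX-Injected: 1"));
        System.out.println(contentDisposition("../../etc/passwd"));
        System.out.println(validateContentType("text/html; charset=utf-8"));
        System.out.println(validateContentType("IMAGE/PNG"));
    }
}
```

In the servlet code this replaces the two direct uses of the upload record: `response.setContentType(validateContentType(uploadedFiles.getFilecontenttype()))` and `response.setHeader("Content-Disposition", contentDisposition(uploadedFiles.getFilename()))`. Keeping the validation in one named method also matches Solution 1's advice: a static analyser can only clear the finding when it can see a sanitizing step between the tainted source and the header sink, and an inline `matches()` check on a separate variable is easy for it to miss.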
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | zx485 |
| Solution 2 | MedAl |
| Solution 3 | m Piroli |
