From f76e7db26fb5a7fe3f62addf628febe0e3b298b5 Mon Sep 17 00:00:00 2001
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Mon, 29 Jun 2026 04:58:32 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Nu?=
=?UTF-8?q?ll-byte=20=EB=B0=94=EC=9D=B4=ED=8C=A8=EC=8A=A4=20=EC=B7=A8?=
=?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.jules/sentinel.md | 4 +++
pom.xml | 19 +++++++++++
.../DefaultDocumentValidationService.java | 5 +++
.../DefaultDocumentValidationServiceTest.java | 32 +++++++++++++++++++
4 files changed, 60 insertions(+)
create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..ecc9f2c
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-06-26 - [Null Byte Bypass in File Extension Validation]
+**Vulnerability:** File extension validation was vulnerable to null byte injection (e.g. `file.hwp\u0000`).
+**Learning:** `String.strip()` does not remove null characters, leaving them at the end of the extracted extension, bypassing exact match checks in sets (like `blockedExtensions.contains(extension)`).
+**Prevention:** Always explicitly remove or reject null bytes (`\u0000`) before performing file extension extraction or validation, as many string normalization functions only target whitespace.
diff --git a/pom.xml b/pom.xml
index 6b7e40d..a5f3cb2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -89,6 +89,25 @@
@{argLine} -Xshare:off -XX:+EnableDynamicAgentLoading --enable-native-access=ALL-UNNAMED
+
+ org.jacoco
+ jacoco-maven-plugin
+ 0.8.12
+
+
+
+ prepare-agent
+
+
+
+ report
+ test
+
+ report
+
+
+
+
org.springframework.boot
spring-boot-maven-plugin
diff --git a/src/main/java/com/clearfolio/viewer/service/DefaultDocumentValidationService.java b/src/main/java/com/clearfolio/viewer/service/DefaultDocumentValidationService.java
index b898f7a..b753202 100644
--- a/src/main/java/com/clearfolio/viewer/service/DefaultDocumentValidationService.java
+++ b/src/main/java/com/clearfolio/viewer/service/DefaultDocumentValidationService.java
@@ -55,6 +55,11 @@ public void validateOrThrow(MultipartFile file, PolicyOverrideRequest overrideRe
}
String fileName = file.getOriginalFilename();
+ if (fileName != null && fileName.indexOf('\u0000') != -1) {
+ throw new IllegalArgumentException(
+ "File name contains invalid characters.");
+ }
+
String extension = extensionOf(fileName);
if (extension.isEmpty()) {
throw new IllegalArgumentException("File extension is required.");
diff --git a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentValidationServiceTest.java b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentValidationServiceTest.java
index dc1df79..5b27067 100644
--- a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentValidationServiceTest.java
+++ b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentValidationServiceTest.java
@@ -38,6 +38,38 @@ void rejectsHwpAndHwpxByDefault() {
assertEquals("hwp", ex.getExtension());
}
+ @Test
+ void rejectsFilenameWithNullByteBypass() {
+ ConversionProperties conversionProperties = new ConversionProperties();
+ conversionProperties.setBlockedExtensions(Set.of("hwp", "hwpx"));
+ DefaultDocumentValidationService validationService = new DefaultDocumentValidationService(conversionProperties);
+
+ IllegalArgumentException ex = assertThrows(
+ IllegalArgumentException.class,
+ () -> validationService.validateOrThrow(
+ new MockMultipartFile("file", "contract.hwp\u0000", "application/octet-stream", new byte[] {1})
+ )
+ );
+
+ assertEquals("File name contains invalid characters.", ex.getMessage());
+ }
+
+ @Test
+ void rejectsFilenameWithNullByteTruncationAttack() {
+ ConversionProperties conversionProperties = new ConversionProperties();
+ conversionProperties.setBlockedExtensions(Set.of("hwp", "hwpx"));
+ DefaultDocumentValidationService validationService = new DefaultDocumentValidationService(conversionProperties);
+
+ IllegalArgumentException ex = assertThrows(
+ IllegalArgumentException.class,
+ () -> validationService.validateOrThrow(
+ new MockMultipartFile("file", "malicious.sh\u0000.pdf", "application/pdf", new byte[] {1})
+ )
+ );
+
+ assertEquals("File name contains invalid characters.", ex.getMessage());
+ }
+
@Test
void allowsBlockedExtensionWhenOverrideHeadersAreValid() {
ConversionProperties conversionProperties = new ConversionProperties();