javier/Stirling-PDF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized user-provided file names in HTTP multipart uploads

Browse Source
This commit is contained in:
pixeebot[bot]
2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertBookToPDFController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.ResponseEntity;
@@ -43,7 +44,7 @@ public class ConvertBookToPDFController {
throw new IllegalArgumentException("Please provide a file for conversion.");
}
String originalFilename = fileInput.getOriginalFilename();
String originalFilename = Filenames.toSimpleFileName(fileInput.getOriginalFilename());
if (originalFilename != null) {
String originalFilenameLower = originalFilename.toLowerCase();

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertHtmlToPDF.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.ResponseEntity;
@@ -39,7 +40,7 @@ public class ConvertHtmlToPDF {
"Please provide an HTML or ZIP file for conversion.");
}
String originalFilename = fileInput.getOriginalFilename();
String originalFilename = Filenames.toSimpleFileName(fileInput.getOriginalFilename());
if (originalFilename == null
|| (!originalFilename.endsWith(".html") && !originalFilename.endsWith(".zip"))) {
throw new IllegalArgumentException("File must be either .html or .zip format.");

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import java.net.URLConnection;
@@ -56,7 +57,7 @@ public class ConvertImgPDFController {
// returns bytes for image
boolean singleImage = singleOrMultiple.equals("single");
byte[] result = null;
String filename = file.getOriginalFilename().replaceFirst("[.][^.]+$", "");
String filename = Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "");
try {
result =
PdfUtils.convertFromPdf(

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertMarkdownToPdf.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import java.util.List;
import java.util.Map;
@@ -48,7 +49,7 @@ public class ConvertMarkdownToPdf {
throw new IllegalArgumentException("Please provide a Markdown file for conversion.");
}
String originalFilename = fileInput.getOriginalFilename();
String originalFilename = Filenames.toSimpleFileName(fileInput.getOriginalFilename());
if (originalFilename == null || !originalFilename.endsWith(".md")) {
throw new IllegalArgumentException("File must be in .md format.");
}

5
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertOfficeController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
@@ -31,7 +32,7 @@ public class ConvertOfficeController {
public byte[] convertToPdf(MultipartFile inputFile) throws IOException, InterruptedException {
// Check for valid file extension
String originalFilename = inputFile.getOriginalFilename();
String originalFilename = Filenames.toSimpleFileName(inputFile.getOriginalFilename());
if (originalFilename == null
|| !isValidFileExtension(FilenameUtils.getExtension(originalFilename))) {
throw new IllegalArgumentException("Invalid file extension");
@@ -89,7 +90,7 @@ public class ConvertOfficeController {
byte[] pdfByteArray = convertToPdf(inputFile);
return WebResponseUtils.bytesToWebResponse(
pdfByteArray,
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "")
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
+ "_convertedToPDF.pdf");
}
}

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertPDFToBookController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
@@ -92,7 +93,7 @@ public class ConvertPDFToBookController {
}
String outputFilename =
fileInput.getOriginalFilename().replaceFirst("[.][^.]+$", "")
Filenames.toSimpleFileName(fileInput.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
+ "."
+ outputFormat; // Remove file extension and append .pdf

3
src/main/java/stirling/software/SPDF/controller/api/converters/ConvertPDFToPDFA.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.converters;
import io.github.pixee.security.Filenames;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
@@ -63,7 +64,7 @@ public class ConvertPDFToPDFA {
// Return the optimized PDF as a response
String outputFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_PDFA.pdf";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_PDFA.pdf";
return WebResponseUtils.bytesToWebResponse(pdfBytes, outputFilename);
}
}