javier/Stirling-PDF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized user-provided file names in HTTP multipart uploads

Browse Source
This commit is contained in:
pixeebot[bot]
2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/stirling/software/SPDF/controller/api/misc/AutoRenameController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Comparator;
@@ -133,7 +134,7 @@ public class AutoRenameController {
return WebResponseUtils.pdfDocToWebResponse(document, header + ".pdf");
} else {
logger.info("File has no good title to be found");
return WebResponseUtils.pdfDocToWebResponse(document, file.getOriginalFilename());
return WebResponseUtils.pdfDocToWebResponse(document, Filenames.toSimpleFileName(file.getOriginalFilename()));
}
}
}

3
src/main/java/stirling/software/SPDF/controller/api/misc/AutoSplitPdfController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.DataBufferInt;
@@ -97,7 +98,7 @@ public class AutoSplitPdfController {
document.close();
Path zipFile = Files.createTempFile("split_documents", ".zip");
String filename = file.getOriginalFilename().replaceFirst("[.][^.]+$", "");
String filename = Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "");
byte[] data;
try (ZipOutputStream zipOut = new ZipOutputStream(Files.newOutputStream(zipFile))) {

3
src/main/java/stirling/software/SPDF/controller/api/misc/BlankPageController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.nio.file.Files;
@@ -131,7 +132,7 @@ public class BlankPageController {
return WebResponseUtils.pdfDocToWebResponse(
document,
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "")
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
+ "_blanksRemoved.pdf");
} catch (IOException e) {
e.printStackTrace();

3
src/main/java/stirling/software/SPDF/controller/api/misc/CompressController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.Image;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
@@ -264,7 +265,7 @@ public class CompressController {
// Return the optimized PDF as a response
String outputFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_Optimized.pdf";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_Optimized.pdf";
return WebResponseUtils.bytesToWebResponse(pdfBytes, outputFilename);
}
}

3
src/main/java/stirling/software/SPDF/controller/api/misc/ExtractImagesController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.Graphics2D;
import java.awt.Image;
import java.awt.image.BufferedImage;
@@ -66,7 +67,7 @@ public class ExtractImagesController {
zos.setLevel(Deflater.BEST_COMPRESSION);
int imageIndex = 1;
String filename = file.getOriginalFilename().replaceFirst("[.][^.]+$", "");
String filename = Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "");
int pageNum = 0;
Set<Integer> processedImages = new HashSet<>();
// Iterate over each page

3
src/main/java/stirling/software/SPDF/controller/api/misc/FakeScanControllerWIP.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.Color;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
@@ -141,7 +142,7 @@ public class FakeScanControllerWIP {
// Return the optimized PDF as a response
String outputFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_scanned.pdf";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_scanned.pdf";
return WebResponseUtils.boasToWebResponse(baos, outputFilename);
}
}

3
src/main/java/stirling/software/SPDF/controller/api/misc/MetadataController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
@@ -164,6 +165,6 @@ public class MetadataController {
document.setDocumentInformation(info);
return WebResponseUtils.pdfDocToWebResponse(
document,
pdfFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_metadata.pdf");
Filenames.toSimpleFileName(pdfFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_metadata.pdf");
}
}

5
src/main/java/stirling/software/SPDF/controller/api/misc/OCRController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
@@ -182,12 +183,12 @@ public class OCRController {
// Return the OCR processed PDF as a response
String outputFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_OCR.pdf";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_OCR.pdf";
if (sidecar != null && sidecar) {
// Create a zip file containing both the PDF and the text file
String outputZipFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_OCR.zip";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_OCR.zip";
Path tempZipFile = Files.createTempFile("output_", ".zip");
try (ZipOutputStream zipOut =

3
src/main/java/stirling/software/SPDF/controller/api/misc/OverlayImageController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import org.slf4j.Logger;
@@ -44,7 +45,7 @@ public class OverlayImageController {
return WebResponseUtils.bytesToWebResponse(
result,
pdfFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_overlayed.pdf");
Filenames.toSimpleFileName(pdfFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_overlayed.pdf");
} catch (IOException e) {
logger.error("Failed to add image to PDF", e);
return new ResponseEntity<>(HttpStatus.BAD_REQUEST);

5
src/main/java/stirling/software/SPDF/controller/api/misc/PageNumbersController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
@@ -93,7 +94,7 @@ public class PageNumbersController {
.replace("{total}", String.valueOf(document.getNumberOfPages()))
.replace(
"{filename}",
file.getOriginalFilename()
Filenames.toSimpleFileName(file.getOriginalFilename())
.replaceFirst("[.][^.]+$", ""))
: String.valueOf(pageNumber);
@@ -145,7 +146,7 @@ public class PageNumbersController {
return WebResponseUtils.bytesToWebResponse(
baos.toByteArray(),
file.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_numbersAdded.pdf",
Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_numbersAdded.pdf",
MediaType.APPLICATION_PDF);
}
}

3
src/main/java/stirling/software/SPDF/controller/api/misc/RepairController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
@@ -65,7 +66,7 @@ public class RepairController {
// Return the optimized PDF as a response
String outputFilename =
inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_repaired.pdf";
Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_repaired.pdf";
return WebResponseUtils.bytesToWebResponse(pdfBytes, outputFilename);
}
}

3
src/main/java/stirling/software/SPDF/controller/api/misc/ShowJavascript.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.nio.charset.StandardCharsets;
import java.util.Map;
@@ -54,7 +55,7 @@ public class ShowJavascript {
script +=
"// File: "
+ inputFile.getOriginalFilename()
+ Filenames.toSimpleFileName(inputFile.getOriginalFilename())
+ ", Script: "
+ name
+ "\n"

3
src/main/java/stirling/software/SPDF/controller/api/misc/StampController.java
View File

@@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.misc;
import io.github.pixee.security.Filenames;
import java.awt.Color;
import java.awt.image.BufferedImage;
import java.io.File;
@@ -127,7 +128,7 @@ public class StampController {
return WebResponseUtils.pdfDocToWebResponse(
document,
pdfFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_watermarked.pdf");
Filenames.toSimpleFileName(pdfFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_watermarked.pdf");
}
private void addTextStamp(