Hardening suggestions for Stirling-PDF / fix-sig-logo (#2144 )

Modernize and secure temp file creation Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
fix signature logo not loading and add option to disable it
2024-10-31 16:17:23 -04:00 · 2024-10-31 16:06:36 -04:00 · 2024-10-31 17:46:30 +00:00 · 2024-10-31 17:45:44 +00:00 · 2024-10-31 14:52:41 +00:00 · 2024-10-31 13:06:55 +00:00
12 changed files with 87 additions and 29 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -8,6 +8,7 @@ Closes #(issue_number)

 - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
 - [ ] I have performed a self-review of my own code
+- [ ] I have attached images of the change if it is UI based
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] My changes generate no new warnings
 - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
--- a/README.md
+++ b/README.md
@@ -280,14 +280,44 @@ security:
    useAsUsername: email # Default is 'email'; custom fields can be used as the username
    scopes: openid, profile, email # Specify the scopes for which the application will request permissions
    provider: google # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
+  saml2: 
+    enabled: false # Currently in alpha, not recommended for use yet, enableAlphaFunctionality must be set to true
+    autoCreateUser: false # set to 'true' to allow auto-creation of non-existing users
+    blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
+    registrationId: stirling
+    idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata
+    idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml
+    idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml
+    idpIssuer: http://www.okta.com/externalKey
+    idpCert: classpath:octa.crt
+    privateKey: classpath:saml-private-key.key
+    spCert: classpath:saml-public-cert.crt
+
+enterpriseEdition:
+  enabled: false # set to 'true' to enable enterprise edition
+  key: 00000000-0000-0000-0000-000000000000
+  CustomMetadata:
+    autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values
+    author: username # Supports text such as 'John Doe' or types such as username to autopopulate with users username
+    creator: Stirling-PDF # Supports text such as 'Company-PDF'
+    producer: Stirling-PDF # Supports text such as 'Company-PDF'
+
+legal:
+  termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms) Empty string to disable or filename to load from local file in static folder
+  privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy) Empty string to disable or filename to load from local file in static folder
+  accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility) Empty string to disable or filename to load from local file in static folder
+  cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie) Empty string to disable or filename to load from local file in static folder
+  impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum) Empty string to disable or filename to load from local file in static folder

 system:
-  defaultLocale: 'en-US' # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
+  defaultLocale: en-US # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
  googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
  enableAlphaFunctionality: false # Set to enable functionality which might need more testing before it fully goes live (This feature might make no changes)
-  showUpdate: true # see when a new update is available
+  showUpdate: false # see when a new update is available
  showUpdateOnlyAdmin: false # Only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
  customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template html files
+  tessdataDir: /usr/share/tessdata # Path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored.
+  enableAnalytics: undefined # Set to 'true' to enable analytics, set to 'false' to disable analytics, for enterprise users this is set to true

 ui:
  appName: '' # Application's visible name
@@ -300,6 +330,11 @@ endpoints:

 metrics:
  enabled: true # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable
+
+# Automatically Generated Settings (Do Not Edit Directly)
+AutomaticallyGenerated:
+  key: example
+  UUID: example
 ```

 There is an additional config file ``/configs/custom_settings.yml`` were users familiar with java and spring application.properties can input their own settings on-top of Stirling-PDFs existing ones
--- a/build.gradle
+++ b/build.gradle
@@ -22,7 +22,7 @@ ext {
 }

 group = "stirling.software"
-version = "0.31.0"
+version = "0.31.1"

 java {
    // 17 is lowest but we support and recommend 21
--- a/chart/stirling-pdf/Chart.yaml
+++ b/chart/stirling-pdf/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.31.0
+appVersion: 0.31.1
 description: locally hosted web application that allows you to perform various operations
  on PDF files
 home: https://github.com/Stirling-Tools/Stirling-PDF
@@ -13,4 +13,4 @@ maintainers:
 name: stirling-pdf-chart
 sources:
 - https://github.com/Stirling-Tools/Stirling-PDF
-version: 1.0.0
+version: 1.0.1
--- a/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
@@ -8,6 +8,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -21,6 +22,7 @@ import java.security.cert.X509Certificate;
 import java.util.Calendar;
 import java.util.List;

+import org.apache.commons.io.FileUtils;
 import org.apache.pdfbox.examples.signature.CreateSignatureBase;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.PDPage;
@@ -92,7 +94,7 @@ public class CertSignController {
    }

    class CreateSignature extends CreateSignatureBase {
-        File imageFile;
+        File logoFile;

        public CreateSignature(KeyStore keystore, char[] pin)
                throws KeyStoreException,
@@ -102,11 +104,17 @@ public class CertSignController {
                        CertificateException {
            super(keystore, pin);
            ClassPathResource resource = new ClassPathResource("static/images/signature.png");
-            imageFile = resource.getFile();
+            try (InputStream is = resource.getInputStream()) {
+                logoFile = Files.createTempFile("signature", ".png").toFile();
+                FileUtils.copyInputStreamToFile(is, logoFile);
+            } catch (IOException e) {
+                logger.error("Failed to load image signature file");
+                throw e;
+            }
        }

        public InputStream createVisibleSignature(
-                PDDocument srcDoc, PDSignature signature, Integer pageNumber, Boolean showImage)
+                PDDocument srcDoc, PDSignature signature, Integer pageNumber, Boolean showLogo)
                throws IOException {
            // modified from org.apache.pdfbox.examples.signature.CreateVisibleSignature2
            try (PDDocument doc = new PDDocument()) {
@@ -145,7 +153,7 @@ public class CertSignController {
                widget.setAppearance(appearance);

                try (PDPageContentStream cs = new PDPageContentStream(doc, appearanceStream)) {
-                    if (showImage) {
+                    if (showLogo) {
                        cs.saveGraphicsState();
                        PDExtendedGraphicsState extState = new PDExtendedGraphicsState();
                        extState.setBlendMode(BlendMode.MULTIPLY);
@@ -153,7 +161,7 @@ public class CertSignController {
                        cs.setGraphicsStateParameters(extState);
                        cs.transform(Matrix.getScaleInstance(0.08f, 0.08f));
                        PDImageXObject img =
-                                PDImageXObject.createFromFileByExtension(imageFile, doc);
+                                PDImageXObject.createFromFileByExtension(logoFile, doc);
                        cs.drawImage(img, 100, 0);
                        cs.restoreGraphicsState();
                    }
@@ -219,6 +227,7 @@ public class CertSignController {
        String location = request.getLocation();
        String name = request.getName();
        Integer pageNumber = request.getPageNumber() - 1;
+        Boolean showLogo = request.isShowLogo();

        if (certType == null) {
            throw new IllegalArgumentException("Cert type must be provided");
@@ -258,7 +267,8 @@ public class CertSignController {
                pageNumber,
                name,
                location,
-                reason);
+                reason,
+                showLogo);
        return WebResponseUtils.boasToWebResponse(
                baos,
                Filenames.toSimpleFileName(pdf.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
@@ -274,7 +284,8 @@ public class CertSignController {
            Integer pageNumber,
            String name,
            String location,
-            String reason) {
+            String reason,
+            Boolean showLogo) {
        try (PDDocument doc = pdfDocumentFactory.load(input)) {
            PDSignature signature = new PDSignature();
            signature.setFilter(PDSignature.FILTER_ADOBE_PPKLITE);
@@ -287,7 +298,7 @@ public class CertSignController {
            if (showSignature) {
                SignatureOptions signatureOptions = new SignatureOptions();
                signatureOptions.setVisualSignature(
-                        instance.createVisibleSignature(doc, signature, pageNumber, true));
+                        instance.createVisibleSignature(doc, signature, pageNumber, showLogo));
                signatureOptions.setPage(pageNumber);

                doc.addSignature(signature, instance, signatureOptions);
--- a/src/main/java/stirling/software/SPDF/model/api/security/SignPDFWithCertRequest.java
+++ b/src/main/java/stirling/software/SPDF/model/api/security/SignPDFWithCertRequest.java
@@ -50,4 +50,7 @@ public class SignPDFWithCertRequest extends PDFFile {
            description =
                    "The page number where the signature should be visible. This is required if showSignature is set to true")
    private Integer pageNumber;
+
+    @Schema(description = "Whether to visually show a signature logo along with the signature")
+    private boolean showLogo;
 }
--- a/src/main/resources/messages_en_GB.properties
+++ b/src/main/resources/messages_en_GB.properties
@@ -750,6 +750,7 @@ certSign.showSig=Show Signature
 certSign.reason=Reason
 certSign.location=Location
 certSign.name=Name
+certSign.showLogo=Show Logo
 certSign.submit=Sign PDF


--- a/src/main/resources/messages_en_US.properties
+++ b/src/main/resources/messages_en_US.properties
@@ -750,6 +750,7 @@ certSign.showSig=Show Signature
 certSign.reason=Reason
 certSign.location=Location
 certSign.name=Name
+certSign.showLogo=Show Logo
 certSign.submit=Sign PDF


--- a/src/main/resources/messages_it_IT.properties
+++ b/src/main/resources/messages_it_IT.properties
@@ -79,8 +79,8 @@ info=Info
 pro=Pro
 page=Pagina
 pages=Pagine
-loading=Loading...
-addToDoc=Add to Document
+loading=Caricamento...
+addToDoc=Aggiungi al documento

 legal.privacy=Informativa sulla privacy
 legal.terms=Termini e Condizioni
@@ -784,9 +784,9 @@ compare.highlightColor.2=Evidenzia colore 2:
 compare.document.1=Documento 1
 compare.document.2=Documento 2
 compare.submit=Compara
-compare.complex.message=One or both of the provided documents are large files, accuracy of comparison may be reduced
-compare.large.file.message=One or Both of the provided documents are too large to process
-compare.no.text.message=One or both of the selected PDFs have no text content. Please choose PDFs with text for comparison.
+compare.complex.message=Uno o entrambi i documenti forniti sono file di grandi dimensioni, l'accuratezza del confronto potrebbe risultare ridotta
+compare.large.file.message=Uno o entrambi i documenti forniti sono troppo grandi per essere elaborati
+compare.no.text.message=Uno o entrambi i PDF selezionati non hanno contenuto di testo. Si prega di scegliere PDF con testo per il confronto.

 #BookToPDF
 BookToPDF.title=Libri e fumetti in PDF
@@ -809,11 +809,11 @@ sign.draw=Disegna Firma
 sign.text=Testo
 sign.clear=Cancella
 sign.add=Aggiungi
-sign.saved=Saved Signatures
-sign.save=Save Signature
-sign.personalSigs=Personal Signatures
-sign.sharedSigs=Shared Signatures
-sign.noSavedSigs=No saved signatures found
+sign.saved=Firme salvate
+sign.save=Firma salvata
+sign.personalSigs=Firme personali
+sign.sharedSigs=Firme condivise
+sign.noSavedSigs=Nessuna firma salvata trovata


 #repair
--- a/src/main/resources/static/css/navbar.css
+++ b/src/main/resources/static/css/navbar.css
@@ -329,11 +329,14 @@ span.icon-text::after {
  }
 }

- .go-pro-link {
+.go-pro-link {
   position: relative;
   padding: 0.5rem 1rem;
   transition: all 0.3s ease;
- }
+   z-index: 1;
+   display: inline-block;
+   width: auto;
+}

 .go-pro-badge {
  display: inline-block;
@@ -350,4 +353,4 @@ span.icon-text::after {
 .go-pro-link:hover .go-pro-badge {
  background-color: #0056b3;
  box-shadow: 0 2px 4px rgba(0, 0, 0, 0.2);
-}
+}
--- a/src/main/resources/templates/misc/compress-pdf.html
+++ b/src/main/resources/templates/misc/compress-pdf.html
@@ -20,7 +20,6 @@
              <span class="tool-header-text" th:text="#{compress.header}"></span>
            </div>
            <form action="#" th:action="@{'/api/v1/misc/compress-pdf'}" method="post" enctype="multipart/form-data">
-             <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
              <div
                th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}">
              </div>
@@ -53,4 +52,4 @@
  </div>
 </body>

-</html>
+</html>
--- a/src/main/resources/templates/security/cert-sign.html
+++ b/src/main/resources/templates/security/cert-sign.html
@@ -71,7 +71,11 @@
                    <label for="name" th:text="#{certSign.name}"></label> <input type="text" class="form-control" id="name" name="name">
                  </div>
                  <div class="mb-3">
-                    <label for="pageNumber" th:text="#{pageNum}"></label> <input type="number" class="form-control" id="pageNumber" name="pageNumber" min="1">
+                    <label for="pageNumber" th:text="#{pageNum}"></label> <input type="number" class="form-control" id="pageNumber" name="pageNumber" min="1" value="1">
+                  </div>
+                  <div class="form-check mb-3">
+                    <input type="checkbox" id="showLogo" name="showLogo" checked />
+                    <label th:text="#{certSign.showLogo}" for="showLogo"></label>
                  </div>
                </div>
                <div class="mb-3 text-left">
Author	SHA1	Message	Date
pixeebot[bot]	b094634799	Hardening suggestions for Stirling-PDF / fix-sig-logo (#2144 ) Modernize and secure temp file creation Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>	2024-10-31 16:17:23 -04:00
sbplat	9e597a4390	fix signature logo not loading and add option to disable it	2024-10-31 16:06:36 -04:00
Anthony Stirling	febc3cf48b	Update pull_request_template.md	2024-10-31 17:46:30 +00:00
Philip H.	c5abb47403	navbar.css: prevent overlapping of elements (#2140 ) go-pro-link is overlapping the settings button	2024-10-31 17:45:44 +00:00
Anthony Stirling	0e3c9bcc10	Update README.md	2024-10-31 14:52:41 +00:00
github-actions[bot]	384c3ee88f	💾 Update Version (#2139 ) 💾 Sync Versions > Made via sync_files.yml Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2024-10-31 13:06:55 +00:00
Anthony Stirling	5f7a0537f9	Update build.gradle	2024-10-31 13:06:12 +00:00
Anthony Stirling	5aa5628465	[bug fix] Update compress-pdf.html (#2138 ) Update compress-pdf.html	2024-10-31 10:59:51 +00:00
albanobattistella	0d91bca932	Update messages_it_IT.properties (#2135 )	2024-10-30 19:55:54 +00:00