Merge branch 'main' into add_reviewer_bot

Ludy 2025-07-20 16:37:49 +02:00 committed by GitHub
commit f9271eb3a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 38 additions and 5 deletions

2
.github/CODEOWNERS vendored

@ -1,2 +1,2 @@
# All PRs to V1 must be approved by Frooodle
* @Frooodle @reecebrowne @Ludy87 @DarioGii @ConnorYoh
* @Frooodle @reecebrowne @Ludy87 @DarioGii @ConnorYoh @EthanHealy01


@ -7,7 +7,8 @@
"sbplat",
"reecebrowne",
"DarioGii",
"ConnorYoh"
"ConnorYoh",
"EthanHealy01"
],
"repo_devs_reviewers": [
"Frooodle"


@ -1,6 +1,7 @@
package stirling.software.SPDF.controller.api.converters;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLConnection;
@ -87,7 +88,7 @@ public class ConvertImgPDFController {
// returns bytes for image
boolean singleImage = "single".equals(singleOrMultiple);
String filename =
Filenames.toSimpleFileName(file.getOriginalFilename())
Filenames.toSimpleFileName(new File(file.getOriginalFilename()).getName())
.replaceFirst("[.][^.]+$", "");
result =
@ -231,7 +232,7 @@ public class ConvertImgPDFController {
PdfUtils.imageToPdf(file, fitOption, autoRotate, colorType, pdfDocumentFactory);
return WebResponseUtils.bytesToWebResponse(
bytes,
file[0].getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
new File(file[0].getOriginalFilename()).getName().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
}
private String getMediaType(String imageFormat) {
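Review bot: `new File(file.getOriginalFilename())` throws a NullPointerException when the multipart part carries no filename, since `getOriginalFilename()` may return null; this applies to both changed expressions in this section. `File.getName()` also splits only on the host's separator character, so on a Unix host a name written with backslashes comes back unchanged. The second hunk builds the download name without `Filenames.toSimpleFileName`, unlike the first; a null check followed by the same helper would make the two consistent, e.g. `String base = Filenames.toSimpleFileName(name == null ? "converted" : name);` (the fallback name is a constructed example). Both enclosing methods start outside the hunks.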


@ -7,6 +7,7 @@ import java.awt.print.Printable;
import java.awt.print.PrinterException;
import java.awt.print.PrinterJob;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.Arrays;
import javax.imageio.ImageIO;
@ -45,6 +46,10 @@ public class PrintFileController {
public ResponseEntity<String> printFile(@ModelAttribute PrintFileRequest request)
throws IOException {
MultipartFile file = request.getFileInput();
String originalFilename = file.getOriginalFilename();
if (originalFilename != null && (originalFilename.contains("..") || Paths.get(originalFilename).isAbsolute())) {
throw new IOException("Invalid file path detected: " + originalFilename);
}
String printerName = request.getPrinterName();
String contentType = file.getContentType();
try {
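Review bot: `Paths.get(originalFilename)` in the new guard throws the unchecked `InvalidPathException` for names the host file system cannot parse, so a malformed name skips the intended `IOException` and surfaces as an unhandled error. The exception message also concatenates the raw client-supplied name, which then reaches logs or the response unescaped; a fixed message such as `throw new IOException("Invalid file name");` avoids that. The `contains("..")` test rejects harmless names like `a..b.pdf`, and the same substring pattern is repeated in StampController and WatermarkController; reducing the value to its base name in one shared helper would be more precise. printFile's body continues outside the hunk.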


@ -42,6 +42,7 @@ import stirling.software.common.service.CustomPDFDocumentFactory;
import stirling.software.common.util.TempFile;
import stirling.software.common.util.TempFileManager;
import stirling.software.common.util.WebResponseUtils;
import java.lang.IllegalArgumentException;
@RestController
@RequestMapping("/api/v1/misc")
@ -62,9 +63,18 @@ public class StampController {
public ResponseEntity<byte[]> addStamp(@ModelAttribute AddStampRequest request)
throws IOException, Exception {
MultipartFile pdfFile = request.getFileInput();
String pdfFileName = pdfFile.getOriginalFilename();
if (pdfFileName.contains("..") || pdfFileName.startsWith("/")) {
throw new IllegalArgumentException("Invalid PDF file path");
}
String stampType = request.getStampType();
String stampText = request.getStampText();
MultipartFile stampImage = request.getStampImage();
String stampImageName = stampImage.getOriginalFilename();
if (stampImageName.contains("..") || stampImageName.startsWith("/")) {
throw new IllegalArgumentException("Invalid stamp image file path");
}
String alphabet = request.getAlphabet();
float fontSize = request.getFontSize();
float rotation = request.getRotation();
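Review bot: Both new checks dereference values that can be null: `pdfFileName.contains("..")` fails with a NullPointerException when the part has no filename, and `stampImage.getOriginalFilename()` fails when no image is uploaded, which is presumably the case for text stamps. The WatermarkController check in this same commit guards both cases; the equivalent here is `if (stampImage != null) {` around the image check and `if (pdfFileName != null && (pdfFileName.contains("..") || pdfFileName.startsWith("/")))` for the PDF name. The added `import java.lang.IllegalArgumentException;` is redundant because `java.lang` is imported implicitly. addStamp's body continues outside the hunk.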


@ -108,7 +108,9 @@ public class PipelineProcessor {
if (inputFileTypes == null) {
inputFileTypes = new ArrayList<String>(Arrays.asList("ALL"));
}
// List outputFileTypes = apiDocService.getExtensionTypes(true, operation);
if (!operation.matches("^[a-zA-Z0-9_-]+$")) {
throw new IllegalArgumentException("Invalid operation value received.");
}
String url = getBaseUrl() + operation;
List<Resource> newOutputFiles = new ArrayList<>();
if (!isMultiInputOperation) {
@ -327,6 +329,10 @@ public class PipelineProcessor {
}
List<Resource> outputFiles = new ArrayList<>();
for (File file : files) {
Path normalizedPath = Paths.get(file.getName()).normalize();
if (normalizedPath.startsWith("..")) {
throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
}
Path path = Paths.get(file.getAbsolutePath());
// debug statement
log.info("Reading file: " + path);
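Review bot: The traversal check in the second hunk cannot see the directory part of the path: `file.getName()` returns only the last path component, so `normalizedPath.startsWith("..")` is true only when the name itself is `..`, while the read that follows uses `file.getAbsolutePath()` unchecked. Comparing the resolved path with the directory the files are expected to live in would test what is actually read, e.g. `if (!file.toPath().toAbsolutePath().normalize().startsWith(allowedDir)) throw new SecurityException("File outside working directory");`, where `allowedDir` is a placeholder for the pipeline's base directory, which is not visible here. In the first hunk, `operation.matches(...)` throws a NullPointerException if `operation` can be null at that point. Both enclosing methods start and end outside the hunks.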


@ -74,9 +74,19 @@ public class WatermarkController {
public ResponseEntity<byte[]> addWatermark(@ModelAttribute AddWatermarkRequest request)
throws IOException, Exception {
MultipartFile pdfFile = request.getFileInput();
String pdfFileName = pdfFile.getOriginalFilename();
if (pdfFileName != null && (pdfFileName.contains("..") || pdfFileName.startsWith("/"))) {
throw new SecurityException("Invalid file path in pdfFile");
}
String watermarkType = request.getWatermarkType();
String watermarkText = request.getWatermarkText();
MultipartFile watermarkImage = request.getWatermarkImage();
if (watermarkImage != null) {
String watermarkImageFileName = watermarkImage.getOriginalFilename();
if (watermarkImageFileName != null && (watermarkImageFileName.contains("..") || watermarkImageFileName.startsWith("/"))) {
throw new SecurityException("Invalid file path in watermarkImage");
}
}
String alphabet = request.getAlphabet();
float fontSize = request.getFontSize();
float rotation = request.getRotation();
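Review bot: `SecurityException` is an odd signal for a rejected upload name: unless an exception handler maps it (none is visible in this hunk), the two new `throw new SecurityException(...)` statements will likely reach the client as a 500 rather than a 4xx validation error. StampController in this commit throws `IllegalArgumentException` and PrintFileController throws `IOException` for the same condition, so the three controllers answer one kind of bad input in three different ways. `startsWith("/")` also leaves backslash and drive-letter forms unchecked. A short comment naming where the original filename is later used as a path would document why the check is needed, since that use is not visible here. addWatermark's body continues outside the hunk.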