Merge branch 'main' into add_reviewer_bot

2025-08-02 13:48:15 +02:00 · 2025-07-20 16:37:49 +02:00 · 2025-07-20 16:37:49 +02:00 · f9271eb3a3
commit f9271eb3a3
parent 788aff63a8 64d8ef4a39
7 changed files with 38 additions and 5 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,2 +1,2 @@
 # All PRs to V1 must be approved by Frooodle
-* @Frooodle @reecebrowne @Ludy87 @DarioGii @ConnorYoh
+* @Frooodle @reecebrowne @Ludy87 @DarioGii @ConnorYoh @EthanHealy01
--- a/.github/config/repo_devs.json
+++ b/.github/config/repo_devs.json
@ -7,7 +7,8 @@
    "sbplat",
    "reecebrowne",
    "DarioGii",
-    "ConnorYoh"
+    "ConnorYoh",
+    "EthanHealy01"
  ],
  "repo_devs_reviewers": [
    "Frooodle"
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
@ -1,6 +1,7 @@
 package stirling.software.SPDF.controller.api.converters;

 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URLConnection;
@ -87,7 +88,7 @@ public class ConvertImgPDFController {
            // returns bytes for image
            boolean singleImage = "single".equals(singleOrMultiple);
            String filename =
-                    Filenames.toSimpleFileName(file.getOriginalFilename())
+                    Filenames.toSimpleFileName(new File(file.getOriginalFilename()).getName())
                            .replaceFirst("[.][^.]+$", "");

            result =
@ -231,7 +232,7 @@ public class ConvertImgPDFController {
                PdfUtils.imageToPdf(file, fitOption, autoRotate, colorType, pdfDocumentFactory);
        return WebResponseUtils.bytesToWebResponse(
                bytes,
-                file[0].getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
+                new File(file[0].getOriginalFilename()).getName().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
    }

    private String getMediaType(String imageFormat) {
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/misc/PrintFileController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/misc/PrintFileController.java
@ -7,6 +7,7 @@ import java.awt.print.Printable;
 import java.awt.print.PrinterException;
 import java.awt.print.PrinterJob;
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.util.Arrays;

 import javax.imageio.ImageIO;
@ -45,6 +46,10 @@ public class PrintFileController {
    public ResponseEntity<String> printFile(@ModelAttribute PrintFileRequest request)
            throws IOException {
        MultipartFile file = request.getFileInput();
+        String originalFilename = file.getOriginalFilename();
+        if (originalFilename != null && (originalFilename.contains("..") || Paths.get(originalFilename).isAbsolute())) {
+            throw new IOException("Invalid file path detected: " + originalFilename);
+        }
        String printerName = request.getPrinterName();
        String contentType = file.getContentType();
        try {
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/misc/StampController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/misc/StampController.java
@ -42,6 +42,7 @@ import stirling.software.common.service.CustomPDFDocumentFactory;
 import stirling.software.common.util.TempFile;
 import stirling.software.common.util.TempFileManager;
 import stirling.software.common.util.WebResponseUtils;
+import java.lang.IllegalArgumentException;

@RestController
@RequestMapping("/api/v1/misc")
@ -62,9 +63,18 @@ public class StampController {
    public ResponseEntity<byte[]> addStamp(@ModelAttribute AddStampRequest request)
            throws IOException, Exception {
        MultipartFile pdfFile = request.getFileInput();
+        String pdfFileName = pdfFile.getOriginalFilename();
+        if (pdfFileName.contains("..") || pdfFileName.startsWith("/")) {
+            throw new IllegalArgumentException("Invalid PDF file path");
+        }
+        
        String stampType = request.getStampType();
        String stampText = request.getStampText();
        MultipartFile stampImage = request.getStampImage();
+        String stampImageName = stampImage.getOriginalFilename();
+        if (stampImageName.contains("..") || stampImageName.startsWith("/")) {
+            throw new IllegalArgumentException("Invalid stamp image file path");
+        }
        String alphabet = request.getAlphabet();
        float fontSize = request.getFontSize();
        float rotation = request.getRotation();
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@ -108,7 +108,9 @@ public class PipelineProcessor {
            if (inputFileTypes == null) {
                inputFileTypes = new ArrayList<String>(Arrays.asList("ALL"));
            }
-            // List outputFileTypes = apiDocService.getExtensionTypes(true, operation);
+            if (!operation.matches("^[a-zA-Z0-9_-]+$")) {
+                throw new IllegalArgumentException("Invalid operation value received.");
+            }
            String url = getBaseUrl() + operation;
            List<Resource> newOutputFiles = new ArrayList<>();
            if (!isMultiInputOperation) {
@ -327,6 +329,10 @@ public class PipelineProcessor {
        }
        List<Resource> outputFiles = new ArrayList<>();
        for (File file : files) {
+            Path normalizedPath = Paths.get(file.getName()).normalize();
+            if (normalizedPath.startsWith("..")) {
+                throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
+            }
            Path path = Paths.get(file.getAbsolutePath());
            // debug statement
            log.info("Reading file: " + path);
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
@ -74,9 +74,19 @@ public class WatermarkController {
    public ResponseEntity<byte[]> addWatermark(@ModelAttribute AddWatermarkRequest request)
            throws IOException, Exception {
        MultipartFile pdfFile = request.getFileInput();
+        String pdfFileName = pdfFile.getOriginalFilename();
+        if (pdfFileName != null && (pdfFileName.contains("..") || pdfFileName.startsWith("/"))) {
+            throw new SecurityException("Invalid file path in pdfFile");
+        }
        String watermarkType = request.getWatermarkType();
        String watermarkText = request.getWatermarkText();
        MultipartFile watermarkImage = request.getWatermarkImage();
+        if (watermarkImage != null) {
+            String watermarkImageFileName = watermarkImage.getOriginalFilename();
+            if (watermarkImageFileName != null && (watermarkImageFileName.contains("..") || watermarkImageFileName.startsWith("/"))) {
+                throw new SecurityException("Invalid file path in watermarkImage");
+            }
+        }
        String alphabet = request.getAlphabet();
        float fontSize = request.getFontSize();
        float rotation = request.getRotation();