#419 - check filex extension on server and reject invalid ones

0a8b4fab · Robert Goldmann · 9b15d9e3 · 0a8b4fab · 0a8b4fab · 0a8b4fab
Commit 0a8b4fab authored Mar 14, 2021 by Robert Goldmann
--- a/src/main/java/de/deadlocker8/budgetmaster/images/ImageService.java
+++ b/src/main/java/de/deadlocker8/budgetmaster/images/ImageService.java
 package de.deadlocker8.budgetmaster.images;

 import de.deadlocker8.budgetmaster.services.Resetable;
+import de.thecodelabs.utils.util.Localization;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -9,12 +10,14 @@ import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.multipart.MultipartFile;

 import java.io.IOException;
+import java.util.List;
 import java.util.Optional;

 @Service
 public class ImageService implements Resetable
 {
 	private static final Logger LOGGER = LoggerFactory.getLogger(ImageService.class);
+	private static final List<String> ALLOWED_IMAGE_EXTENSIONS = List.of("png", "jpeg", "jpg");

 	private final ImageRepository imageRepository;

@@ -54,7 +57,7 @@ public class ImageService implements Resetable
 	}

 	@Transactional
-	public void saveImageFile(MultipartFile file) throws IOException
+	public void saveImageFile(MultipartFile file) throws IOException, InvalidFileExtensionException
 	{
 		Byte[] byteObjects = new Byte[file.getBytes().length];

@@ -70,11 +73,18 @@ public class ImageService implements Resetable
 			throw new IllegalArgumentException("Could not determine file extension from file name: " + file.getOriginalFilename());
 		}

-		final Image image = new Image(byteObjects, fileExtensionOptional.get());
+		final String fileExtension = fileExtensionOptional.get();
+		if(!ALLOWED_IMAGE_EXTENSIONS.contains(fileExtension))
+		{
+			throw new InvalidFileExtensionException(Localization.getString("upload.image.error.invalid.extension", fileExtension));
+		}
+
+		final Image image = new Image(byteObjects, fileExtension);
 		imageRepository.save(image);
 	}

-	private Optional<String> getFileExtension(String filename) {
+	private Optional<String> getFileExtension(String filename)
+	{
 		return Optional.ofNullable(filename)
 				.filter(f -> f.contains("."))
 				.map(f -> f.substring(filename.lastIndexOf(".") + 1));

--- a/src/main/java/de/deadlocker8/budgetmaster/images/InvalidFileExtensionException.java
+++ b/src/main/java/de/deadlocker8/budgetmaster/images/InvalidFileExtensionException.java
+package de.deadlocker8.budgetmaster.images;
+
+public class InvalidFileExtensionException extends Exception
+{
+	public InvalidFileExtensionException(String s)
+	{
+		super(s);
+	}
+}
--- a/src/main/java/de/deadlocker8/budgetmaster/images/MediaController.java
+++ b/src/main/java/de/deadlocker8/budgetmaster/images/MediaController.java
@@ -48,6 +48,12 @@ public class MediaController extends BaseController
 			success = false;
 			localizedMessage = Localization.getString("upload.image.error", e.getMessage());
 		}
+		catch(InvalidFileExtensionException e)
+		{
+			e.printStackTrace();
+			success = false;
+			localizedMessage = e.getMessage();
+		}

 		final JsonObject data = new JsonObject();
 		data.addProperty("isUploadSuccessful", success);

--- a/src/main/resources/languages/base_de.properties
+++ b/src/main/resources/languages/base_de.properties
@@ -141,6 +141,7 @@ notification.settings.database.delete.success=Datenbank erfolgreich gelöscht
 notification.settings.database.import.success=Import erfolgreich: {0} Konten, {1} Buchungen, {2} Kategorien, {3} Vorlagen und {4} Diagramme
 upload.image.success=Erfolgreich hochgeladen
 upload.image.error=Fehler: {0}
+upload.image.error.invalid.extension=Die Dateiendung "{0}" is nicht zugelassen für das Hochladen von Bildern

 # WARNING
 warning.text.account.delete=Das Konto "{0}" kann nicht gelöscht werden, da mindestens ein Konto existieren muss. Um dieses Konto zu löschen musst du zuerst ein neues anlegen.

--- a/src/main/resources/languages/base_en.properties
+++ b/src/main/resources/languages/base_en.properties
@@ -141,6 +141,7 @@ notification.settings.database.delete.success=Successfully deleted database
 notification.settings.database.import.success=Import successful: {0} accounts, {1} transactions, {2} categories, {3} templates and {4} charts
 upload.image.success=Upload successful
 upload.image.error=Error: {0}
+upload.image.error.invalid.extension=File extension "{0}" is not allowed for image upload

 # WARNING
 warning.text.account.delete=The account "{0}" could not be deleted, because at least one account must exist at all time. You have to create a new account in order to delete this one.