From d2fcbff06993f902c5fad07b68fe115cac454544 Mon Sep 17 00:00:00 2001 From: netroms Date: Sun, 10 Nov 2024 03:19:13 +0800 Subject: [PATCH] feat: add more validation to file upload (#19104) --- .../controller/FileResourceControllerTest.java | 18 ++++++++++++++++++ .../controller/FileResourceController.java | 6 ++++++ .../dhis/webapi/utils/FileResourceUtils.java | 15 +++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java index 58dadbee7fcb..acef49bdd61b 100644 --- a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java +++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/FileResourceControllerTest.java @@ -67,6 +67,17 @@ void testSaveBadAvatarImageData() { assertEquals("Failed to resize image: src cannot be null", errorMessage.string()); } + @Test + void testSaveBadOrgUnitImageData() { + MockMultipartFile image = + new MockMultipartFile( + "file", "OU_profile_image.png", "image/png", "<>".getBytes()); + HttpResponse response = POST_MULTIPART("/fileResources?domain=ORG_UNIT", image); + JsonString errorMessage = + response.content(HttpStatus.INTERNAL_SERVER_ERROR).getString("message"); + assertEquals("Failed to resize image: src cannot be null", errorMessage.string()); + } + @Test void testSaveBadAvatarContentType() { MockMultipartFile image = @@ -122,6 +133,13 @@ void testSaveOrgUnitImage() throws IOException { JsonObject savedObject = response.content(HttpStatus.ACCEPTED).getObject("response").getObject("fileResource"); assertEquals("OU_profile_image.png", savedObject.getString("name").string()); + + String uid = savedObject.getString("id").string(); + JsonObject fr = GET("/fileResources/{uid}", uid).content(); + assertEquals("ORG_UNIT", fr.getString("domain").string()); + + JsonObject large = GET("/fileResources/{uid}?dimension=LARGE", uid).content(); + assertEquals("ORG_UNIT", large.getString("domain").string()); } @Test diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java index 0b2303570479..8bde4aeff7ac 100644 --- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java +++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/FileResourceController.java @@ -156,6 +156,12 @@ public WebMessage saveFileResource( fileResource = fileResourceUtils.saveFileResource(uid, resizeAvatarToDefaultSize(file), domain); + } else if (domain.equals(FileResourceDomain.ORG_UNIT)) { + fileResourceUtils.validateOrgUnitImage(file); + fileResource = + fileResourceUtils.saveFileResource( + uid, fileResourceUtils.resizeOrgToDefaultSize(file), domain); + } else { fileResource = fileResourceUtils.saveFileResource(uid, file, domain); } diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java index 68165220bb0c..200e7b08a612 100644 --- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java +++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/utils/FileResourceUtils.java @@ -81,7 +81,11 @@ public class FileResourceUtils { private static final int AVATAR_TARGET_HEIGHT = 200; private static final int AVATAR_TARGET_WIDTH = 200; + private static final int ORGUNIT_TARGET_HEIGHT = 800; + private static final int ORGUNIT_TARGET_WIDTH = 800; + private static final long MAX_AVATAR_IMAGE_SIZE_IN_BYTES = 2_000_000; + private static final long MAX_ORGUNIT_IMAGE_SIZE_IN_BYTES = 8_000_000; private static final List ALLOWED_IMAGE_FILE_EXTENSIONS = List.of("jpg", "jpeg", "png", "gif"); @@ -240,6 +244,12 @@ public void validateUserAvatar(MultipartFile file) { validateFileSize(file, MAX_AVATAR_IMAGE_SIZE_IN_BYTES); } + public void validateOrgUnitImage(MultipartFile file) { + validateContentType(file.getContentType(), ALLOWED_IMAGE_MIME_TYPES); + validateFileExtension(file.getOriginalFilename(), ALLOWED_IMAGE_FILE_EXTENSIONS); + validateFileSize(file, MAX_ORGUNIT_IMAGE_SIZE_IN_BYTES); + } + private void validateContentType(String contentType, List validExtensions) { if (contentType == null) { throw new IllegalQueryException("Invalid content type, content type is NULL"); @@ -312,4 +322,9 @@ public static MultipartFile resizeAvatarToDefaultSize(MultipartFile multipartFil return resizeImageToCustomSize( multipartFile, AVATAR_TARGET_WIDTH, AVATAR_TARGET_HEIGHT, Mode.AUTOMATIC); } + + public MultipartFile resizeOrgToDefaultSize(MultipartFile multipartFile) throws IOException { + return resizeImageToCustomSize( + multipartFile, ORGUNIT_TARGET_WIDTH, ORGUNIT_TARGET_HEIGHT, Mode.AUTOMATIC); + } }