| author | Jakob Heher <jakob.heher@iaik.tugraz.at> | 2026-04-16 16:14:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-16 16:14:46 +0200 |
| commit | f02ecf0235cb17c90e9d1d8c155bd64e729fa46e (patch) | |
| tree | a7dcd8424a1ecc4683c5fb3f01d73d062a447905 | |
| parent | 77dd3fcc4d85088b15ab859c4438521d9cd6ed10 (diff) | |
fix some semgrep reported issues (#83)
9 files changed, 32 insertions, 34 deletions
diff --git a/pdf-as-common/src/main/java/at/gv/egiz/pdfas/common/utils/TempFileHelper.java b/pdf-as-common/src/main/java/at/gv/egiz/pdfas/common/utils/TempFileHelper.java
index 0a1c0c1a..1d2096b9 100644
--- a/pdf-as-common/src/main/java/at/gv/egiz/pdfas/common/utils/TempFileHelper.java
+++ b/pdf-as-common/src/main/java/at/gv/egiz/pdfas/common/utils/TempFileHelper.java
@@ -30,6 +30,8 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
+import lombok.Lombok;
+import lombok.SneakyThrows;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -46,15 +48,21 @@ public class TempFileHelper implements IProfileConstants {
 private String tmpDir = "tmp";
- private MessageDigest messageDigest = null;
+ private static final MessageDigest messageDigest;
- private List<String> tmpFiles = new ArrayList<String>();
+ static {
+ try {
+ messageDigest = MessageDigest.getInstance("SHA-256");
+ } catch (NoSuchAlgorithmException e) {
+ throw Lombok.sneakyThrow(e);
+ }
+ }
+
+ private List<String> tmpFiles = new ArrayList<String>();
 private boolean needsDeletion = false;
 public TempFileHelper(ISettings settings) {
- initializeMD();
-
 String myTmpDir = settings.getValue(TMP_DIR);
 if(myTmpDir != null) {
 File myTmpDirFile = new File(myTmpDir);
@@ -106,22 +114,6 @@ public class TempFileHelper implements IProfileConstants {
 }
 }
- private void initializeMD() {
- try {
- messageDigest = MessageDigest.getInstance("SHA1");
- return;
- } catch (NoSuchAlgorithmException e) {
- logger.warn("SHA1 not available", e);
- }
- try {
- messageDigest = MessageDigest.getInstance("MD5");
- return;
- } catch (NoSuchAlgorithmException e) {
- logger.warn("MD5 not available", e);
- }
- throw new RuntimeException("Need at least SHA1 or MD5 Message Digest, none available!");
- }
 public void setTemporaryDirectory(String directory) {
 tmpDir = directory;
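Review bot: Turning `messageDigest` into a `private static final` field shares one `MessageDigest` across every `TempFileHelper`, and `MessageDigest` is not thread-safe, so if two helpers hash concurrently (the old per-instance field suggests the class is created per caller) the digest state can interleave and yield wrong hashes. The read sites of `messageDigest` are outside this hunk, so I cannot confirm they are serialized; if they are not, replace the shared field with a small factory that returns a fresh instance per use and call it where the field is read today, as sketched below. `SHA-256` is mandated for every Java platform, so the `sneakyThrow` branch is unreachable in practice and a one-line comment saying so would explain why the static initializer fails hard where `initializeMD()` used to fall back. The `lombok.SneakyThrows` import added in the first hunk is not used anywhere in this diff, only `Lombok.sneakyThrow` is; the class body continues outside the hunk.
```java
/** SHA-256 is mandated by the Java platform, so the catch is unreachable in practice. */
private static MessageDigest newMessageDigest() {
    try {
        return MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
        throw Lombok.sneakyThrow(e);
    }
}
// … unchanged: tmpFiles / needsDeletion fields, constructor …
```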
diff --git a/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/stamping/pdfbox2/PDFAsVisualSignatureBuilder.java b/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/stamping/pdfbox2/PDFAsVisualSignatureBuilder.java
index 5501eff8..50268a1c 100644
--- a/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/stamping/pdfbox2/PDFAsVisualSignatureBuilder.java
+++ b/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/stamping/pdfbox2/PDFAsVisualSignatureBuilder.java
@@ -127,9 +127,9 @@ public class PDFAsVisualSignatureBuilder extends PDVisibleSigBuilder implements
 public String createHashedId(String value) {
 try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
+ MessageDigest md = MessageDigest.getInstance("SHA-256");
 md.reset();
- return Hex.encodeHexString(md.digest(value.getBytes("UTF-8")));
+ return Hex.encodeHexString(md.digest(value.getBytes(StandardCharsets.UTF_8)));
 } catch (Throwable e) {
 logger.warn("Failed to generate ID for Image using value", e);
 return value;
diff --git a/pdf-as-web-status/src/main/java/at/gv/egiz/status/servlet/StatusServlet.java b/pdf-as-web-status/src/main/java/at/gv/egiz/status/servlet/StatusServlet.java
index 07b77c38..43533a97 100644
--- a/pdf-as-web-status/src/main/java/at/gv/egiz/status/servlet/StatusServlet.java
+++ b/pdf-as-web-status/src/main/java/at/gv/egiz/status/servlet/StatusServlet.java
@@ -82,7 +82,7 @@ public class StatusServlet extends HttpServlet {
 content = ContentType.HTML.toString();
 }
- log.debug("Producing Content: " + content);
+ log.debug("Producing Content: {}", content);
 // Parameter to force execution
 boolean force = true;
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
index 6359eccb..0a806369 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
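Review bot: `catch (Throwable e)` in `createHashedId` is now broader than the body needs: with `StandardCharsets.UTF_8` the `UnsupportedEncodingException` path is gone and the only checked exception left is `NoSuchAlgorithmException`, so the catch also swallows `Error`s such as `OutOfMemoryError` and silently returns the unhashed `value` as the id. Narrow it to `} catch (NoSuchAlgorithmException e) {`; as `SHA-256` is mandatory on every Java platform that branch is effectively unreachable, which the log message could say. `md.reset()` on a freshly created digest is a no-op and can be dropped. The method's closing brace lies outside the hunk.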
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
@@ -63,6 +63,7 @@ import at.gv.egiz.pdfas.web.stats.StatisticFrontend;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletDiskFileUpload;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
+import org.apache.commons.io.FilenameUtils;
 /**
 * Servlet implementation class Sign
@@ -227,9 +228,10 @@ public class ExternSignServlet extends HttpServlet {
 if (item.getFieldName().equals(UPLOAD_PDF_DATA)) {
 filecontent = item.getInputStream().readAllBytes();
 try {
- File f = new File(item.getName());
+ val filename = FilenameUtils.getName(item.getName());
+ File f = new File(filename);
 String name = f.getName();
- log.debug("Got upload: " + item.getName());
+ log.debug("Got upload: {}", filename);
 if (!(name.endsWith(".pdf") || name.endsWith(".PDF"))) {
 name += ".pdf";
 }
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
index 869dfdf4..bf3f3f85 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
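Review bot: Once `FilenameUtils.getName(item.getName())` has stripped any directory part, `new File(filename).getName()` is a second, redundant normalization; `String name = filename;` says what is meant, and because the same two lines are repeated in the `VerifyServlet` hunk of this commit a small shared helper (e.g. `sanitizeUploadName(String)`) would keep both servlets in step. `FilenameUtils.getName(null)` returns `null`, so a part with no filename still reaches `new File((String) null)` and throws `NullPointerException` inside the `try`; whether that `try` catches it is outside the hunk. Whether `name` is later used as a filesystem path or only echoed in a response header is also outside the hunk, so I cannot judge whether the remaining `..` or empty-name cases matter.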
@@ -95,15 +95,16 @@ public class PDFSignatureCertificateData extends HttpServlet {
 "Content-Disposition", "inline;filename=cert_" + id + ".cer");
 response.setContentType("application/pkix-cert");
+ response.setHeader("X-Content-Type-Options", "nosniff");
 OutputStream os = response.getOutputStream();
 os.write(res.getSignerCertificate().getEncoded());
 os.close();
 } else {
- logger.warn("Verification CERT not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+ logger.warn("Verification CERT not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
 response.sendError(HttpServletResponse.SC_NOT_FOUND);
 }
 } catch (NumberFormatException e) {
- logger.warn("Verification CERT not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+ logger.warn("Verification CERT not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
 response.sendError(HttpServletResponse.SC_NOT_FOUND);
 } catch (PdfAsException e) {
 logger.warn("Verification CERT not found:", e);
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
index 3d96784b..14f13f05 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
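Review bot: Both rewritten `logger.warn` calls still write `request.getSession().getId()` to the log, and the same lines recur in the `PDFSignatureData` hunk that follows; a session identifier is an authentication credential and should not land in log files, and `getSession()` with no argument additionally creates a new session as a side effect on this error path. Prefer `request.getSession(false)` and log only whether a session exists, or a truncated/hashed id, e.g. `logger.warn("Verification CERT not found! for id {}", request.getParameter(SIGN_ID));`. The added `X-Content-Type-Options` header is correctly set before `getOutputStream()`; `os.close()` without try-with-resources is pre-existing and not addressed here. The surrounding `try` begins outside the hunk.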
@@ -94,15 +94,16 @@ public class PDFSignatureData extends HttpServlet {
 "Content-Disposition", "inline;filename=signed_data_" + id + ".pdf");
 response.setContentType("application/pdf");
+ response.setHeader("X-Content-Type-Options", "nosniff");
 OutputStream os = response.getOutputStream();
 os.write(res.getSignatureData().getBaseData());
 os.close();
 } else {
- logger.warn("Verification DATA not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+ logger.warn("Verification DATA not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
 response.sendError(HttpServletResponse.SC_NOT_FOUND);
 }
 } catch (NumberFormatException e) {
- logger.warn("Verification DATA not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+ logger.warn("Verification DATA not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
 response.sendError(HttpServletResponse.SC_NOT_FOUND);
 } catch (PdfAsException e) {
 logger.warn("Verification DATA not found:", e);
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
index d0c331e6..7df32340 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
@@ -93,7 +93,7 @@ public class SLDataURLServlet extends HttpServlet {
 }
- logger.trace("Received SL2.0 command: " + sl20Result);
+ logger.trace("Received SL2.0 command: {}", sl20Result);
 //parse SL2.0 command/result into JSON
 try {
@@ -102,7 +102,7 @@ public class SLDataURLServlet extends HttpServlet {
 } catch (JsonSyntaxException e) {
 logger.warn("SL2.0 command or result is NOT valid JSON.", e);
- logger.debug("SL2.0 msg: " + sl20Result);
+ logger.debug("SL2.0 msg: {}", sl20Result);
 throw new SL20Exception("sl20.02", e);
 }
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
index a71a13f4..4a80e25d 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
@@ -38,6 +38,7 @@ import org.apache.commons.fileupload2.core.FileItem;
 import org.apache.commons.fileupload2.core.DiskFileItemFactory;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletDiskFileUpload;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
+import org.apache.commons.io.FilenameUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -209,10 +210,10 @@ public class VerifyServlet extends HttpServlet {
 if (item.getFieldName().equals(UPLOAD_PDF_DATA)) {
 filecontent = item.getInputStream().readAllBytes();
 try {
- File f = new File(item.getName());
+ val filename = FilenameUtils.getName(item.getName());
+ File f = new File(filename);
 String name = f.getName();
- logger.debug("Got upload: "
- + item.getName());
+ logger.debug("Got upload: {}", filename);
 if (!(name.endsWith(".pdf") || name
 .endsWith(".PDF"))) {
 name += ".pdf";
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
index d67a88c1..eda6eef0 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
@@ -72,6 +72,7 @@ public class VisBlockServlet extends HttpServlet {
 response.setHeader("Content-Disposition", "inline;filename=" + profile + "_" + resolution + ".png");
 response.setContentType("image/png");
+ response.setHeader("X-Content-Type-Options", "nosniff");
 OutputStream os = response.getOutputStream();
 os.write(imageData);
 os.close(); |
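Review bot: The `Content-Disposition` value on the first context line concatenates `profile` and `resolution` unquoted into `inline;filename=...`; where those values originate is outside the hunk, but if either is request-derived, a value containing `;`, `"` or whitespace produces a malformed header, so the filename should be reduced to a safe character set and emitted in the quoted form `"inline; filename=\"" + safeName + ".png\""`. The added `nosniff` header is correctly placed before `getOutputStream()`; `os.close()` without try-with-resources is pre-existing. The enclosing method starts and ends outside the hunk.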
