| author | Jakob Heher <jakob.heher@iaik.tugraz.at> | 2026-04-16 16:14:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-16 16:14:46 +0200 |
| commit | f02ecf0235cb17c90e9d1d8c155bd64e729fa46e (patch) | |
| tree | a7dcd8424a1ecc4683c5fb3f01d73d062a447905 /pdf-as-web/src/main | |
| parent | 77dd3fcc4d85088b15ab859c4438521d9cd6ed10 (diff) | |
| download | pdf-as-4-f02ecf0235cb17c90e9d1d8c155bd64e729fa46e.tar.gz pdf-as-4-f02ecf0235cb17c90e9d1d8c155bd64e729fa46e.tar.bz2 pdf-as-4-f02ecf0235cb17c90e9d1d8c155bd64e729fa46e.zip | |
fix some semgrep reported issues (#83)
Diffstat (limited to 'pdf-as-web/src/main')
6 files changed, 17 insertions, 11 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
index 6359eccb..0a806369 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
@@ -63,6 +63,7 @@ import at.gv.egiz.pdfas.web.stats.StatisticFrontend;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletDiskFileUpload;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
+import org.apache.commons.io.FilenameUtils;
 
 /**
  * Servlet implementation class Sign
@@ -227,9 +228,10 @@ public class ExternSignServlet extends HttpServlet {
                     if (item.getFieldName().equals(UPLOAD_PDF_DATA)) {
                         filecontent = item.getInputStream().readAllBytes();
                         try {
-                            File f = new File(item.getName());
+                            val filename = FilenameUtils.getName(item.getName());
+                            File f = new File(filename);
                             String name = f.getName();
-                            log.debug("Got upload: " + item.getName());
+                            log.debug("Got upload: {}", filename);
                             if (!(name.endsWith(".pdf") || name.endsWith(".PDF"))) {
                                 name += ".pdf";
                             }
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
index 869dfdf4..bf3f3f85 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureCertificateData.java
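Review bot: In the second hunk, `File f = new File(filename); String name = f.getName();` is now redundant, because `FilenameUtils.getName` has already stripped every directory component, so `String name = filename;` expresses the intent and drops the pointless `File` allocation; the same pattern appears in the VerifyServlet hunk. Note that `FilenameUtils.getName` in recent commons-io versions throws IllegalArgumentException when the multipart filename contains a NUL byte, so confirm that the enclosing `try` (its catch clauses lie outside the hunk) maps that to a client error rather than letting it surface as a 500. `val` is Lombok type inference and requires `import lombok.val;`, which the import hunk does not add; that is fine if it is already imported above line 63 here (and above line 38 in VerifyServlet, which otherwise shows no Lombok usage), but worth checking before merge. The resulting name is still client-chosen and later has `.pdf` appended; if it is echoed into a Content-Disposition header further down (outside the hunk), it still needs quoting or an allow-list there, since `getName` only removes path separators.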
@@ -95,15 +95,16 @@ public class PDFSignatureCertificateData extends HttpServlet {
                         "Content-Disposition", "inline;filename=cert_" + id + ".cer");
                 response.setContentType("application/pkix-cert");
+                response.setHeader("X-Content-Type-Options", "nosniff");
                 OutputStream os = response.getOutputStream();
                 os.write(res.getSignerCertificate().getEncoded());
                 os.close();
             } else {
-                logger.warn("Verification CERT not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+                logger.warn("Verification CERT not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
                 response.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
         } catch (NumberFormatException e) {
-            logger.warn("Verification CERT not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+            logger.warn("Verification CERT not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
             response.sendError(HttpServletResponse.SC_NOT_FOUND);
         } catch (PdfAsException e) {
             logger.warn("Verification CERT not found:", e);
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
index 3d96784b..14f13f05 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFSignatureData.java
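Review bot: Switching to parameterized logging does not address what makes `logger.warn("Verification CERT not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId())` risky: the id parameter is client-controlled and is written to the log verbatim, so control characters in it can break log-record integrity, and the full session id is a credential that should not land in application logs at all. In the NumberFormatException branch the value is by definition not an integer, so that is exactly the line where the raw string is least constrained. Suggest logging a control-character-stripped, length-capped id and dropping or abbreviating the session id, e.g. `logger.warn("Verification CERT not found for id {}", sanitizeForLog(request.getParameter(SIGN_ID)));` where the helper name is a placeholder for the project's own log sanitizer. The same two lines recur in the PDFSignatureData hunk. While here, `os.close()` on the response stream without try-with-resources predates the commit but could be tidied in the same pass.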
@@ -94,15 +94,16 @@ public class PDFSignatureData extends HttpServlet {
                         "Content-Disposition", "inline;filename=signed_data_" + id + ".pdf");
                 response.setContentType("application/pdf");
+                response.setHeader("X-Content-Type-Options", "nosniff");
                 OutputStream os = response.getOutputStream();
                 os.write(res.getSignatureData().getBaseData());
                 os.close();
             } else {
-                logger.warn("Verification DATA not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+                logger.warn("Verification DATA not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
                 response.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
         } catch (NumberFormatException e) {
-            logger.warn("Verification DATA not found! for id " + request.getParameter(SIGN_ID) + " in session " + request.getSession().getId());
+            logger.warn("Verification DATA not found! for id {} in session {}", request.getParameter(SIGN_ID), request.getSession().getId());
             response.sendError(HttpServletResponse.SC_NOT_FOUND);
         } catch (PdfAsException e) {
             logger.warn("Verification DATA not found:", e);
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
index d0c331e6..7df32340 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
@@ -93,7 +93,7 @@ public class SLDataURLServlet extends HttpServlet {
             }
-            logger.trace("Received SL2.0 command: " + sl20Result);
+            logger.trace("Received SL2.0 command: {}", sl20Result);
             //parse SL2.0 command/result into JSON
             try {
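Review bot: `logger.trace("Received SL2.0 command: {}", sl20Result)` still writes the complete, not-yet-parsed SL2.0 payload to the log, and the second SLDataURLServlet hunk (`logger.debug("SL2.0 msg: {}", sl20Result)`) does the same in the branch where the payload failed JSON parsing, i.e. precisely when its content is least constrained. Parameterized logging only avoids building the string eagerly; it neither neutralizes line breaks nor bounds the size, so consider logging a length-capped, control-character-stripped excerpt, e.g. `logger.debug("SL2.0 msg ({} chars): {}", sl20Result.length(), abbreviateForLog(sl20Result));` where the helper is a placeholder for the project's own sanitizer. Where sl20Result is read and whether it may carry personal data is outside the hunk, so treat the debug line with the same care as the trace line. The enclosing method starts before both hunks.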
@@ -102,7 +102,7 @@ public class SLDataURLServlet extends HttpServlet {
             } catch (JsonSyntaxException e) {
                 logger.warn("SL2.0 command or result is NOT valid JSON.", e);
-                logger.debug("SL2.0 msg: " + sl20Result);
+                logger.debug("SL2.0 msg: {}", sl20Result);
                 throw new SL20Exception("sl20.02", e);
             }
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
index a71a13f4..4a80e25d 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VerifyServlet.java
@@ -38,6 +38,7 @@ import org.apache.commons.fileupload2.core.FileItem;
 import org.apache.commons.fileupload2.core.DiskFileItemFactory;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletDiskFileUpload;
 import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
+import org.apache.commons.io.FilenameUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -209,10 +210,10 @@ public class VerifyServlet extends HttpServlet {
                     if (item.getFieldName().equals(UPLOAD_PDF_DATA)) {
                         filecontent = item.getInputStream().readAllBytes();
                         try {
-                            File f = new File(item.getName());
+                            val filename = FilenameUtils.getName(item.getName());
+                            File f = new File(filename);
                             String name = f.getName();
-                            logger.debug("Got upload: "
-                                    + item.getName());
+                            logger.debug("Got upload: {}", filename);
                             if (!(name.endsWith(".pdf") || name
                                     .endsWith(".PDF"))) {
                                 name += ".pdf";
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
index d67a88c1..eda6eef0 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/VisBlockServlet.java
@@ -72,6 +72,7 @@ public class VisBlockServlet extends HttpServlet {
                 response.setHeader("Content-Disposition", "inline;filename=" + profile + "_" + resolution + ".png");
                 response.setContentType("image/png");
+                response.setHeader("X-Content-Type-Options", "nosniff");
                 OutputStream os = response.getOutputStream();
                 os.write(imageData);
                 os.close(); |
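Review bot: The `Content-Disposition` value on the line above the new `nosniff` header is assembled from `profile` and `resolution` without quoting, so if either originates from the request, a value containing `;` or `"` alters the disposition parameters (containers generally reject CR/LF in header values, but not those characters); the commit hardens the content type but leaves that line as it was. Where the two values come from is outside the hunk, so confirm they are validated against the configured profile names and a numeric resolution before reaching this line; quoting the filename, `"inline;filename=\"" + profile + "_" + resolution + ".png\""`, is only a complement to that validation, not a substitute. `os.close()` on the servlet output stream without try-with-resources predates the change but could be tidied in the same pass. The enclosing method starts before the hunk and continues after it.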
