authorJakob Heher <jakob.heher@iaik.tugraz.at>2026-06-09 16:06:32 +0200
committerGitHub <noreply@github.com>2026-06-09 16:06:32 +0200
commit68165ce0bb979891fbbb6db7eb3d58c31aa1223a (patch)
tree289148f9a1bfc502c3d8fff9e7fd1ebaaf4158b3 /pdf-as-web/src
parentfc8a4ad6228632636003c65ec6c005eff5cd03d6 (diff)
fix ExceptionCatchFilter consuming multipart bodies incorrectly (#92)
Diffstat (limited to 'pdf-as-web/src')
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/filter/ExceptionCatchFilter.java28
-rw-r--r--pdf-as-web/src/test/java/at/gv/egiz/pdfas/web/test/RealTomcatTests.java63
2 files changed, 79 insertions, 12 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/filter/ExceptionCatchFilter.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/filter/ExceptionCatchFilter.java
index dc85936a..a597c222 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/filter/ExceptionCatchFilter.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/filter/ExceptionCatchFilter.java
@@ -38,6 +38,7 @@ import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
+import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.MDC;
@@ -90,22 +91,25 @@ public class ExceptionCatchFilter implements Filter {
throws IOException, ServletException {
try {
- if (request instanceof HttpServletRequest) {
- HttpServletRequest httpRequest = (HttpServletRequest) request;
-
- HttpSession session = httpRequest.getSession(isStatefull(httpRequest.getServletPath()));
+ if (request instanceof HttpServletRequest httpRequest) {
+
+ HttpSession session = httpRequest.getSession(isStatefull(httpRequest.getServletPath()));
String sessionId = session != null ? session.getId() : "-";
MDC.put("SESSION_ID", sessionId);
log.info("Access from IP: {}", getClientIpAddr(httpRequest));
log.info("Access to: {} in Session: {}", httpRequest.getServletPath(), sessionId);
-
- log.debug("Processing Parameters into Attributes");
- @SuppressWarnings("unchecked")
- Enumeration<String> parameterNames = httpRequest.getParameterNames();
- while (parameterNames.hasMoreElements()) {
- String name = parameterNames.nextElement();
- String value = httpRequest.getParameter(name);
- request.setAttribute(name, value);
+
+ if (!JakartaServletFileUpload.isMultipartContent(httpRequest)) {
+ log.debug("Processing Parameters into Attributes");
+ @SuppressWarnings("unchecked")
+ Enumeration<String> parameterNames = httpRequest.getParameterNames();
+ while (parameterNames.hasMoreElements()) {
+ String name = parameterNames.nextElement();
+ String value = httpRequest.getParameter(name);
+ request.setAttribute(name, value);
+ }
+ } else {
+ log.debug("Skipping global parameter parsing for multipart request");
}
}
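Review bot: The loop kept in the non-multipart branch still writes every client-chosen parameter name into the request attribute namespace via `request.setAttribute(name, value)`, so a request parameter can overwrite an attribute that the container, an earlier filter or a forward has already set. If later code trusts any attribute by name (not visible in this hunk), copy only names that are not yet present, e.g. `if (request.getAttribute(name) == null) { request.setAttribute(name, value); }`, or restrict the copy to an allow-list of the parameter names the servlets expect. The multipart branch now also skips query-string parameters, which the old code copied; a comment on the `else` such as `// multipart: servlets must read form fields and query parameters themselves` would record that contract. `@SuppressWarnings("unchecked")` looks unneeded, since `getParameterNames()` is assigned to `Enumeration<String>` directly under the jakarta API. The method body starts and ends outside this hunk.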
diff --git a/pdf-as-web/src/test/java/at/gv/egiz/pdfas/web/test/RealTomcatTests.java b/pdf-as-web/src/test/java/at/gv/egiz/pdfas/web/test/RealTomcatTests.java
new file mode 100644
index 00000000..534df72c
--- /dev/null
+++ b/pdf-as-web/src/test/java/at/gv/egiz/pdfas/web/test/RealTomcatTests.java
@@ -0,0 +1,63 @@
+package at.gv.egiz.pdfas.web.test;
+
+import lombok.SneakyThrows;
+import lombok.val;
+import org.apache.commons.io.IOUtils;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+
+import static org.junit.Assert.*;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public class RealTomcatTests {
+ @LocalServerPort int port;
+
+ @BeforeAll
+ @SneakyThrows
+ public static void classInitializer() {
+ final String current = new java.io.File(".").getCanonicalPath();
+ System.setProperty("pdf-as-web.conf",
+ current + "/src/test/resources/config/pdfas/pdf-as-web.properties");
+ }
+
+ @BeforeAll
+ public static void jceWorkaround() {
+ System.setProperty("javax.net.ssl.trustStoreType", "JKS");
+ }
+
+ @Test
+ @SneakyThrows
+ public void fileErrorOnNoDocument() {
+ byte[] pdf = IOUtils.toByteArray(RealTomcatTests.class.getResourceAsStream("/data/enc_own.pdf"));
+ val boundary = "----TEST";
+ val prefix = (
+ "--"+boundary+"\r\nContent-Disposition: form-data; name=\"source\"\r\n\r\ninternal\r\n"+
+ "--"+boundary+"\r\nContent-Disposition: form-data; name=\"connector\"\r\n\r\nmobilebku\r\n"+
+ "--"+boundary+"\r\nContent-Disposition: form-data; name=\"pdf-file\"; filename=\"\"\r\nContent-Type: application/pdf\r\n\r\n"
+ ).getBytes(StandardCharsets.UTF_8);
+ val suffix = (
+ "\r\n--"+boundary+"--\r\n"
+ ).getBytes(StandardCharsets.UTF_8);
+ val multipartBody = List.of(prefix, pdf, suffix);
+
+ val client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build();
+ val request = HttpRequest.newBuilder()
+ .uri(URI.create("http://localhost:"+port+"/Sign"))
+ .header("Content-Type", "multipart/form-data; boundary="+boundary)
+ .POST(HttpRequest.BodyPublishers.ofByteArrays(multipartBody))
+ .build();
+
+ val response = client.send(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
+ assertEquals(200, response.statusCode());
+ assertTrue("Should contain redirect to a-trust", response.body().contains("https-security-layer-request"));
+ }
+}
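Review bot: The two `@BeforeAll` methods set `pdf-as-web.conf` and `javax.net.ssl.trustStoreType` as JVM-wide system properties and nothing restores them, so every test that later runs in the same JVM inherits the JKS trust-store type; remember the previous values and restore them in an `@AfterAll`. The assertions come from JUnit 4 (`import static org.junit.Assert.*;`) while the annotations are Jupiter; `import static org.junit.jupiter.api.Assertions.assertEquals;` plus `assertTrue(response.body().contains("https-security-layer-request"), "Should contain redirect to a-trust");` would keep the test on one framework and drop the wildcard import. The stream from `getResourceAsStream("/data/enc_own.pdf")` is neither null-checked nor closed, so a missing fixture would presumably surface as an unhelpful NullPointerException instead of a clear failure. The name `fileErrorOnNoDocument` describes the old bug rather than the asserted 200 response, so a one-line comment above the test stating that the multipart body must reach the servlet unconsumed by the filter would make the intent readable.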