MagicNumber validation

Author: matisovaa

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/factory/panel/UploadDownloadPanelFactory.java

@@ -24,7 +24,7 @@
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.web.component.input.UploadDownloadPanel;
-import com.evolveum.midpoint.web.component.input.validator.FileValidatorFactory;
+import com.evolveum.midpoint.web.component.input.validator.FileValidatorUtil;
 import com.evolveum.midpoint.web.component.prism.InputPanel;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 
@@ -95,7 +95,7 @@ public List<String> getAllowedUploadContentTypes() {
                 ItemPath path = panelCtx.getValueWrapperModel().getObject().getParent().getPath();
 
                 if (Objects.equals(path, ItemPath.create(FocusType.F_JPEG_PHOTO))) {
-                    return FileValidatorFactory.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES;
+                    return FileValidatorUtil.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES;
                 }
 
                 return super.getAllowedUploadContentTypes();

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/UploadDownloadPanel.java

@@ -11,6 +11,7 @@
 import java.io.Serial;
 import java.net.URLConnection;
 import java.util.ArrayList;
+import java.util.HexFormat;
 import java.util.List;
 
 import jakarta.activation.MimeType;
@@ -34,7 +35,7 @@
 import com.evolveum.midpoint.web.component.prism.InputPanel;
 import com.evolveum.midpoint.web.component.util.VisibleBehaviour;
 import com.evolveum.midpoint.web.component.input.validator.ContentTypeFileValidator;
-import com.evolveum.midpoint.web.component.input.validator.FileValidatorFactory;
+import com.evolveum.midpoint.web.component.input.validator.FileValidatorUtil;
 
 /**
  * @author shood
@@ -123,20 +124,32 @@ protected void onError(AjaxRequestTarget target) {
             }
 
             final String label = fileUpload.getLabel() != null ? fileUpload.getLabel().getObject() : fileUpload.getId();
-            final List<MimeType> allowedTypes = FileValidatorFactory.getMimeTypes(getAllowedUploadContentTypes());
+            final List<MimeType> allowedTypes = FileValidatorUtil.getMimeTypes(getAllowedUploadContentTypes());
 
             try {
                 for (FileUpload fu : list) {
+                    final String contentType = fu.getContentType();
+
                     final ContentTypeFileValidator contentTypeFileValidator = new ContentTypeFileValidator(allowedTypes);
-                    final String deniedContentType = contentTypeFileValidator.validate(fu);
+                    final String deniedContentType = contentTypeFileValidator.validate(contentType);
                     if (!"".equals(deniedContentType)) {
                         String msg = getPageBase().getString("UploadDownloadPanel.validationContentNotAllowed", label, deniedContentType);
                         validatable.error(new ValidationError(msg));
                     }
+
+                    final String magicNumberForContentType = FileValidatorUtil.CONTENT_TYPES_TO_MAGIC_NUMBERS.get(contentType);
+                    final String magicNumberOfFile = HexFormat.of().formatHex(getInputStream().readNBytes(magicNumberForContentType.length() / 2));
+                    if (magicNumberForContentType != null && !magicNumberForContentType.equals(magicNumberOfFile)) {
+                        String msg = getPageBase().getString("UploadDownloadPanel.validationContentNotMatchAllowed", label, contentType);
+                        validatable.error(new ValidationError(msg));
+                    }
                 }
             } catch (MimeTypeParseException ex) {
                 String msg = getPageBase().getString("UploadDownloadPanel.validationContentNotAllowed", label, ex.getMessage());
                 validatable.error(new ValidationError(msg));
+            } catch (IOException ex) {
+                String msg = getPageBase().getString("UploadDownloadPanel.validationContentNotMatchAllowed", label, ex.getMessage());
+                validatable.error(new ValidationError(msg));
             }
         });
         fileUpload.setOutputMarkupId(true);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/validator/ContentTypeFileValidator.java

@@ -8,7 +8,6 @@
 
 import jakarta.activation.MimeType;
 import jakarta.activation.MimeTypeParseException;
-import org.apache.wicket.markup.html.form.upload.FileUpload;
 
 import java.util.List;
 
@@ -19,13 +18,12 @@
 public class ContentTypeFileValidator {
     private final List<MimeType> allowedTypes;
 
-    public ContentTypeFileValidator(List<MimeType> allowedTypes) {
+    public ContentTypeFileValidator(final List<MimeType> allowedTypes) {
         this.allowedTypes = allowedTypes;
     }
 
-    public String validate(final FileUpload fileUpload) throws MimeTypeParseException {
-        String contentType = fileUpload.getContentType();
-        MimeType fileMime = new MimeType(contentType);
+    public String validate(final String contentType) throws MimeTypeParseException {
+        final MimeType fileMime = new MimeType(contentType);
 
         for (MimeType allowed : allowedTypes) {
             if (allowed.match(fileMime)) {

…nput/validator/FileValidatorFactory.java …t/input/validator/FileValidatorUtil.javagui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/validator/FileValidatorFactory.java renamed to gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/validator/FileValidatorUtil.java gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/validator/FileValidatorFactory.java renamed to gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/input/validator/FileValidatorUtil.java

@@ -9,9 +9,7 @@
 import jakarta.activation.MimeType;
 import jakarta.activation.MimeTypeParseException;
 
-import java.util.Arrays;
-import java.util.List;
-import java.util.Objects;
+import java.util.*;
 
 import static com.evolveum.midpoint.common.MimeTypeUtil.MIME_IMAGE_JPEG;
 import static com.evolveum.midpoint.common.MimeTypeUtil.MIME_IMAGE_PNG;
@@ -20,8 +18,12 @@
  * @author matisovaa
  *
  */
-public class FileValidatorFactory {
+public class FileValidatorUtil {
     public static final List<String> ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES = Arrays.asList(MIME_IMAGE_JPEG, MIME_IMAGE_PNG);
+    public static final Map<String, String> CONTENT_TYPES_TO_MAGIC_NUMBERS = Map.of(
+            MIME_IMAGE_JPEG, "ffd8ff",
+            MIME_IMAGE_PNG, "89504e470d0a1a0a"
+    );
 
     public static List<MimeType> getMimeTypes(final List<String> stringMimeTypes) {
         return stringMimeTypes.stream()

gui/admin-gui/src/test/java/com/evolveum/midpoint/web/component/FileValidatorTest.java

@@ -6,23 +6,13 @@
 
 package com.evolveum.midpoint.web.component;
 
-import org.apache.commons.fileupload2.core.FileItem;
-import org.apache.commons.fileupload2.core.FileItemHeaders;
-import org.apache.commons.fileupload2.core.FileItemHeadersProvider;
-import org.apache.wicket.markup.html.form.upload.FileUpload;
 import org.springframework.test.context.ActiveProfiles;
 import org.testng.annotations.Test;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.nio.charset.Charset;
-import java.nio.file.Path;
-
 import static com.evolveum.midpoint.common.MimeTypeUtil.*;
 
 import com.evolveum.midpoint.web.component.input.validator.ContentTypeFileValidator;
-import com.evolveum.midpoint.web.component.input.validator.FileValidatorFactory;
+import com.evolveum.midpoint.web.component.input.validator.FileValidatorUtil;
 
 import static org.testng.Assert.assertEquals;
 
@@ -35,117 +25,25 @@ public class FileValidatorTest {
 
     @Test
     public void test4299ContentTypeFileValidator_validJPEG() throws Exception {
-        final FileUpload fu = new FileUpload(this.getFileItem(MIME_IMAGE_JPEG));
         final ContentTypeFileValidator contentTypeFileValidator =
-                new ContentTypeFileValidator(FileValidatorFactory.getMimeTypes(FileValidatorFactory.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
-        final String deniedContentType = contentTypeFileValidator.validate(fu);
+                new ContentTypeFileValidator(FileValidatorUtil.getMimeTypes(FileValidatorUtil.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
+        final String deniedContentType = contentTypeFileValidator.validate(MIME_IMAGE_JPEG);
         assertEquals(deniedContentType, "");
     }
 
     @Test
     public void test4299ContentTypeFileValidator_validPNG() throws Exception {
-        final FileUpload fu = new FileUpload(this.getFileItem(MIME_IMAGE_PNG));
         final ContentTypeFileValidator contentTypeFileValidator =
-                new ContentTypeFileValidator(FileValidatorFactory.getMimeTypes(FileValidatorFactory.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
-        final String deniedContentType = contentTypeFileValidator.validate(fu);
+                new ContentTypeFileValidator(FileValidatorUtil.getMimeTypes(FileValidatorUtil.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
+        final String deniedContentType = contentTypeFileValidator.validate(MIME_IMAGE_PNG);
         assertEquals(deniedContentType, "");
     }
 
     @Test
     public void test4299ContentTypeFileValidator_invalid() throws Exception {
-        final FileUpload fu = new FileUpload(this.getFileItem(MIME_APPLICATION_XML));
         final ContentTypeFileValidator contentTypeFileValidator =
-                new ContentTypeFileValidator(FileValidatorFactory.getMimeTypes(FileValidatorFactory.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
-        final String deniedContentType = contentTypeFileValidator.validate(fu);
+                new ContentTypeFileValidator(FileValidatorUtil.getMimeTypes(FileValidatorUtil.ALLOWED_UPLOAD_IMAGE_CONTENT_TYPES));
+        final String deniedContentType = contentTypeFileValidator.validate(MIME_APPLICATION_XML);
         assertEquals(deniedContentType, MIME_APPLICATION_XML);
     }
-
-    private FileItem getFileItem(final String contentType) {
-        return new FileItem() {
-            @Override
-            public FileItem delete() throws IOException {
-                return null;
-            }
-
-            @Override
-            public byte[] get() throws IOException {
-                return new byte[0];
-            }
-
-            @Override
-            public String getContentType() {
-                return contentType;
-            }
-
-            @Override
-            public String getFieldName() {
-                return "";
-            }
-
-            @Override
-            public InputStream getInputStream() throws IOException {
-                return null;
-            }
-
-            @Override
-            public String getName() {
-                return "";
-            }
-
-            @Override
-            public OutputStream getOutputStream() throws IOException {
-                return null;
-            }
-
-            @Override
-            public long getSize() {
-                return 0;
-            }
-
-            @Override
-            public String getString() throws IOException {
-                return "";
-            }
-
-            @Override
-            public String getString(Charset charset) throws IOException {
-                return "";
-            }
-
-            @Override
-            public boolean isFormField() {
-                return false;
-            }
-
-            @Override
-            public boolean isInMemory() {
-                return false;
-            }
-
-            @Override
-            public FileItem setFieldName(String s) {
-                return null;
-            }
-
-            @Override
-            public FileItem setFormField(boolean b) {
-                return null;
-            }
-
-            @Override
-            public FileItem write(Path path) throws IOException {
-                return null;
-            }
-
-            @Override
-            public FileItemHeaders getHeaders() {
-                return null;
-            }
-
-            @Override
-            public FileItemHeadersProvider setHeaders(FileItemHeaders fileItemHeaders) {
-                return null;
-            }
-        };
-    }
 }