Validate image file contents
dkayiwa committed Nov 20, 2024
1 parent 5f0124c commit 7f9400f
Showing 2 changed files with 34 additions and 1 deletion.
Expand Up @@ -17,6 +17,7 @@
import java.util.Map;

import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
Expand Down Expand Up @@ -310,7 +311,7 @@ public List<String> getConceptComplexList() {
ObjectMapper mapper = new ObjectMapper();
TypeReference<ArrayList<String>> typeRef = new TypeReference<ArrayList<String>>() {};
try {
list = mapper.readValue(globalProperty, typeRef);
list = mapper.readValue(StringEscapeUtils.unescapeHtml(globalProperty), typeRef);
}
catch (Exception e) {
log.error("Could not parse global property '" + globalPropertyName + "' into a List<String>.", e);
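Review bot: The new call on the `list = mapper.readValue(...)` line pulls in `org.apache.commons.lang.StringEscapeUtils` (commons-lang 2) while the file already depends on commons-lang3 through `org.apache.commons.lang3.StringUtils`; the lang3 equivalent is `org.apache.commons.lang3.StringEscapeUtils.unescapeHtml4(globalProperty)`, which avoids carrying both versions. The line also deserves a comment saying why the unescape is needed, since it is not obvious from the JSON parsing alone, e.g. `// Global property values may be stored HTML-escaped; unescape before parsing as JSON` — presumably the settings UI stores them that way, which is worth confirming. Note that the unescape is applied unconditionally, so a concept name that legitimately contains an entity sequence such as `&amp;` is altered before parsing. `getConceptComplexList` starts before and ends after this hunk.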
Expand Up @@ -2,6 +2,7 @@

import static org.openmrs.module.attachments.AttachmentsContext.getContentFamily;

import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
Expand All @@ -11,6 +12,9 @@
import java.util.List;
import java.util.stream.Collectors;

import javax.activation.MimetypesFileTypeMap;
import javax.imageio.ImageIO;

import io.swagger.models.Model;
import io.swagger.models.ModelImpl;
import io.swagger.models.properties.DateProperty;
Expand Down Expand Up @@ -176,6 +180,14 @@ public Object upload(MultipartFile file, RequestContext context) throws Response
}
}

// Verify the file contents
// Just in case the magic bytes are manipulated, we are using the submitted file
// extension to get the mime type
String mimeType = new MimetypesFileTypeMap().getContentType(fileName);
if (mimeType.startsWith("image/") && !isValidImage(file.getInputStream())) {
throw new IllegalRequestException("The file has invalid content");
}

if (visit != null && encounter == null) {
encounter = ctx.getAttachmentEncounter(patient, visit, provider);
}
Expand Down Expand Up @@ -203,6 +215,26 @@ public Object upload(MultipartFile file, RequestContext context) throws Response
new CustomRepresentation(AttachmentsConstants.REPRESENTATION_OBS));
}

private boolean isValidImage(InputStream fileStream) {
try {
BufferedImage image = ImageIO.read(fileStream);
image.getHeight();
image.getWidth();
return true;
}
catch (IOException e) {
return false;
}
finally {
if (fileStream.markSupported()) {
try {
fileStream.reset();
}
catch (IOException e) {}
}
}
}

@Override
public DelegatingResourceDescription getCreatableProperties() {
DelegatingResourceDescription description = new DelegatingResourceDescription();
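Review bot: `ImageIO.read` returns `null` rather than throwing when no registered reader recognizes the bytes, so `image.getHeight()` on the line after it throws a NullPointerException that `catch (IOException e)` does not cover, and a non-image payload carrying an image extension surfaces as an unhandled server error instead of the intended `IllegalRequestException`. The stream is also never closed — `MultipartFile.getInputStream()` documents that the caller is responsible for closing it — and the `finally` block calls `reset()` without a preceding `mark()`, which is not guaranteed to rewind and whose failure is swallowed by the empty catch; a try-with-resources plus a null check replaces both, as below. `ImageIO.read` decodes the full pixel data, so a small file declaring very large dimensions can exhaust heap during validation; reading only the header via `ImageIO.getImageReaders` and bounding `getWidth(0)`/`getHeight(0)` before any decode would be a cheaper follow-up. In the preceding hunk, `fileName` (defined outside the hunk) only triggers this check when `MimetypesFileTypeMap` maps its extension to an `image/` type, so confirm that every image extension the upload accepts is present in the runtime `mime.types` mapping — any that is not skips validation entirely — and consider holding the `MimetypesFileTypeMap` in a `static final` field rather than building it per request.
```java
private boolean isValidImage(InputStream fileStream) {
    // Caller is responsible for closing the stream returned by MultipartFile.getInputStream()
    try (InputStream in = fileStream) {
        BufferedImage image = ImageIO.read(in);
        // ImageIO.read signals "no reader recognized these bytes" with null, not an exception
        return image != null;
    }
    catch (IOException e) {
        return false;
    }
}
```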