/*************************************************************************
*
* ADOBE CONFIDENTIAL
* __________________
*
* Copyright 2016 Adobe Systems Incorporated
* All Rights Reserved.
*
* NOTICE: All information contained herein is, and remains
* the property of Adobe Systems Incorporated and its suppliers,
* if any. The intellectual and technical concepts contained
* herein are proprietary to Adobe Systems Incorporated and its
* suppliers and are protected by trade secret or copyright law.
* Dissemination of this information or reproduction of this material
* is strictly forbidden unless prior written permission is obtained
* from Adobe Systems Incorporated.
**************************************************************************/
package com.adobe.cq.social.ugcbase.core.attachments;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.activation.DataSource;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.adobe.cq.social.ugcbase.osgi.BundleServices;
import com.adobe.cq.social.ugcbase.security.AttachmentTypeBlacklistService;
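/**
 * Static helpers that decide whether an uploaded attachment may be kept.
 *
 * <p>An attachment is accepted only if it fits the upload size limit, has a non-blank type derived from its
 * file name, has a non-blank detected content type, neither of those two types is on the deny-list
 * ("blacklist"), and, when an allow-list ("whitelist") is supplied, the content type is on it. Every other
 * case is rejected and logged.
 */
public class AttachmentUtils {

    /**
     * For logging.
     */
    private static final Logger LOG = LoggerFactory.getLogger(AttachmentUtils.class);

    private AttachmentUtils() {
    }

    /**
     * Filters a sequence of attachments, keeping only those accepted by
     * {@link #getAttachmentFromDataSource(FileDataSource, FileUploadSizeLimit, Set, String[])}.
     *
     * @param attachmentList attachments to check; {@code null} is treated as an empty sequence
     * @param fileUploadSizeLimit size limits applied to each file; must not be {@code null}
     * @param whitelist allowed content types; {@code null} or empty disables the allow-list check
     * @param blacklist deny-list of file-name types and content types
     * @return the accepted attachments in their original order, never {@code null}
     */
    public static Iterable<FileDataSource> getAttachmentsFromDataSources(
        final Iterable<FileDataSource> attachmentList, final FileUploadSizeLimit fileUploadSizeLimit,
        final Set<String> whitelist, final String[] blacklist) {
        final List<FileDataSource> attachments = new ArrayList<FileDataSource>();
        if (attachmentList == null) {
            return attachments;
        }
        for (final FileDataSource attachmentDataSource : attachmentList) {
            final FileDataSource filteredAttachment =
                getAttachmentFromDataSource(attachmentDataSource, fileUploadSizeLimit, whitelist, blacklist);
            if (filteredAttachment != null) {
                attachments.add(filteredAttachment);
            }
        }
        return attachments;
    }

    /**
     * Checks one attachment against the size limit, the deny-list and the optional allow-list.
     *
     * <p>The deny-list that is applied is the result of
     * {@code AttachmentTypeBlacklistService.getBlacklist(blacklistIn)} when that service is available;
     * otherwise {@code blacklistIn} is used unchanged. A {@code null} deny-list matches nothing, so in that
     * case only the size limit, the non-blank type checks and the allow-list protect the upload.
     *
     * @param attachmentDataSource data source of the attachment; {@code null} is rejected
     * @param fileUploadSizeLimit size limits of the file; must not be {@code null}
     * @param whitelist allowed content types, compared with {@code attachmentDataSource.getType()};
     *            {@code null} or empty disables the allow-list check
     * @param blacklistIn deny-list of harmful file types, compared with both the file-name type and the
     *            content type
     * @return {@code attachmentDataSource} when it passes every check, otherwise {@code null}
     */
    public static FileDataSource getAttachmentFromDataSource(final FileDataSource attachmentDataSource,
        final FileUploadSizeLimit fileUploadSizeLimit, final Set<String> whitelist, final String[] blacklistIn) {
        if (attachmentDataSource == null) {
            LOG.info("No attachment data source supplied, so ignoring the attachment");
            return null;
        }
        /*
         * getService guarantees to return the requested service or throw an exception (when running in an OSGI
         * container) When running outside an OSGI container (such as during a unit test) getService will return null.
         */
        final AttachmentTypeBlacklistService attachmentTypeBlacklistService =
            BundleServices.getService(AttachmentTypeBlacklistService.class);
        String[] blacklist = blacklistIn;
        if (attachmentTypeBlacklistService != null) {
            blacklist = attachmentTypeBlacklistService.getBlacklist(blacklistIn);
        }

        if (!fileUploadSizeLimit.fits(attachmentDataSource)) {
            LOG.info("File bigger than specified size, so ignoring the attachment");
            return null;
        }

        // NOTE(review): both list lookups below are exact matches. Confirm that getTypeFromFileName() and
        // getType() return values in the same case and format as the list entries, otherwise a differently
        // cased type would not match the deny-list.
        final String contentFileType = attachmentDataSource.getTypeFromFileName();
        final String contentType = attachmentDataSource.getType();

        if (StringUtils.isBlank(contentFileType)) {
            LOG.info("File doesn't have a valid extension. Not attaching it as it is suspicious");
            return null;
        }
        if (ArrayUtils.contains(blacklist, contentFileType)) {
            LOG.info("File of type {} with name {} is blacklisted for security reasons. To upload edit the"
                + " servlet's attachment black list", forLog(contentFileType),
                forLog(attachmentDataSource.getName()));
            return null;
        }
        if (StringUtils.isBlank(contentType)) {
            LOG.info("Tika couldn't figure out the file type. Not attaching it as it is suspicious");
            return null;
        }
        if (ArrayUtils.contains(blacklist, contentType)) {
            LOG.info("File of type {} is blacklisted for security reasons. To upload edit the"
                + " servlet's attachment black list", forLog(contentType));
            return null;
        }
        if (whitelist != null && !whitelist.isEmpty() && !whitelist.contains(contentType)) {
            // Reported separately from a deny-list hit so the log points at the list that caused the rejection.
            LOG.info("File of type {} is not in the attachment white list, so ignoring the attachment",
                forLog(contentType));
            return null;
        }
        return attachmentDataSource;
    }

    /**
     * Replaces line breaks and tabs in a value taken from the upload so that it cannot split or forge log
     * entries.
     */
    private static String forLog(final String value) {
        return StringUtils.replaceChars(value, "\r\n\t", "___");
    }
}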