Create FileValidator to check Uploaded Files

Author: JadnK

src/main/java/de/jadenk/springcloud/controller/DashboardController.java

@@ -1,13 +1,16 @@
 package de.jadenk.springcloud.controller;
 
 import de.jadenk.springcloud.dto.UserDTO;
+import de.jadenk.springcloud.exception.CustomIllegalArgumentException;
+import de.jadenk.springcloud.exception.CustomRuntimeException;
 import de.jadenk.springcloud.exception.ResourceNotFoundException;
 import de.jadenk.springcloud.model.*;
 import de.jadenk.springcloud.repository.FileAuthorizationRepository;
 import de.jadenk.springcloud.repository.FolderRepository;
 import de.jadenk.springcloud.repository.UploadedFileRepository;
 import de.jadenk.springcloud.repository.UserRepository;
 import de.jadenk.springcloud.service.*;
+import de.jadenk.springcloud.util.FileValidator;
 import de.jadenk.springcloud.util.MessageService;
 import de.jadenk.springcloud.util.WebhookEvent;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -146,6 +149,8 @@ public String dashboard(@RequestParam(value = "error", required = false) String
             model.addAttribute("error", "There is an current Upload in Progress.");
         } else if ("NoAccess".equals(error)) {
             model.addAttribute("error", "You aren't Allowed to see this.");
+        } else if ("metaData".equals(error)) {
+            model.addAttribute("error", "Invalid File Meta-Data.");
         } else if (error != null) {
             model.addAttribute("error", "An Error occurred.");
         }
@@ -201,6 +206,14 @@ public String deleteFolder(@RequestParam Long folderId, Principal principal) {
     // =========================
     // Datei-Upload
     // =========================
+    private boolean isValidContentType(String contentType) {
+        return contentType.matches("(?i)(image/(png|jpg|jpeg|gif|bmp|tiff|webp)|" +
+                "application/(pdf|msword|vnd\\.ms-excel|vnd\\.ms-powerpoint)|" +
+                "text/(plain|csv|rtf)|" +
+                "audio/(mp3|wav|ogg|flac)|" +
+                "video/(mp4|mov|avi|mkv|wmv)|" +
+                "application/(zip|x-rar-compressed|x-7z-compressed|x-tar|gzip|bzip2))");
+    }
     /*
      * POST /upload
      * Upload von einem oder mehreren Dateien
@@ -221,10 +234,12 @@ public String handleUpload(@RequestParam("file") MultipartFile[] files,
             }
 
             for (MultipartFile file : files) {
-                if (!file.isEmpty()) {
-                    fileUploadService.uploadFile(file, currentUser, folder);
+                if (!FileValidator.isValid(file)) {
+                    return "redirect:/dashboard?error=metaData";
                 }
+                fileUploadService.uploadFile(file, currentUser, folder);
             }
+
         } catch (Exception e) {
             e.printStackTrace();
             return "redirect:/dashboard?error=uploadError";

src/main/java/de/jadenk/springcloud/exception/CustomIllegalArgumentException.java

@@ -0,0 +1,9 @@
+package de.jadenk.springcloud.exception;
+
+public class CustomIllegalArgumentException extends IllegalArgumentException {
+
+    public CustomIllegalArgumentException(String msg) {
+        super(msg);
+    }
+
+}

src/main/java/de/jadenk/springcloud/exception/GlobalExceptionHandler.java

@@ -21,4 +21,9 @@ public void handleCustomRuntimeException(CustomRuntimeException ex) {
     public String handleResourceNotFound() {
         return "redirect:/dashboard?error=NoAccess";
     }
+
+    @ExceptionHandler(CustomIllegalArgumentException.class)
+    public String handleIllegalArgument() {
+        return "redirect:/dashboard?error=metaData";
+    }
 }

src/main/java/de/jadenk/springcloud/service/FileUploadService.java

@@ -44,6 +44,7 @@ public class FileUploadService {
 
 
     public void uploadFile(MultipartFile file, User owner, Folder folder) throws IOException {
+
         FileUploadProgressListener progressListener = new FileUploadProgressListener(file);
 
         byte[] fileBytes = file.getBytes();

src/main/java/de/jadenk/springcloud/util/FileValidator.java

@@ -0,0 +1,40 @@
+package de.jadenk.springcloud.util;
+
+import java.net.URLConnection;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.springframework.web.multipart.MultipartFile;
+
+public class FileValidator {
+
+    // verbotene Endungen
+    private static final Set<String> BLOCKED_EXTENSIONS = new HashSet<>(Arrays.asList(
+            "cmd", "msi", "com", "php", "html"
+    ));
+
+    /**
+     * Prüft, ob Datei gültig ist:
+     * - Endung nicht in Blocklist
+     * - Content-Type wird von Java erkannt
+     */
+    public static boolean isValid(MultipartFile file) {
+        if (file == null || file.isEmpty()) return false;
+
+        String filename = file.getOriginalFilename();
+
+        if (filename == null || filename.isEmpty()) return false;
+
+        int dotIndex = filename.lastIndexOf('.');
+        if (dotIndex < 0) return false;
+        String ext = filename.substring(dotIndex + 1).toLowerCase();
+
+        if (BLOCKED_EXTENSIONS.contains(ext)) return false;
+
+        String guessedType = URLConnection.guessContentTypeFromName(filename);
+        if (guessedType == null) return false;
+
+        return true;
+    }
+}