Validate uploaded file to check that it's an image in PNG/JPEG formats.

Fix #128

Author: php-coder

src/main/java/ru/mystamps/web/model/AddImageForm.java

@@ -26,6 +26,7 @@
 import lombok.Setter;
 
 import ru.mystamps.web.service.dto.AddImageDto;
+import ru.mystamps.web.validation.jsr303.ImageFile;
 import ru.mystamps.web.validation.jsr303.NotEmptyFile;
 import ru.mystamps.web.validation.jsr303.NotEmptyFilename;
 
@@ -36,11 +37,13 @@ public class AddImageForm implements AddImageDto {
 	@NotNull
 	@NotEmptyFilename(groups = Image1Checks.class)
 	@NotEmptyFile(groups = Image2Checks.class)
+	@ImageFile(groups = Image3Checks.class)
 	private MultipartFile image;
 
 	@GroupSequence({
 		Image1Checks.class,
-		Image2Checks.class
+		Image2Checks.class,
+		Image3Checks.class
 	})
 	public interface ImageChecks {
 	}
@@ -51,4 +54,7 @@ public interface Image1Checks {
 	public interface Image2Checks {
 	}
 
+	public interface Image3Checks {
+	}
+	
 }

src/main/java/ru/mystamps/web/model/AddSeriesForm.java

@@ -34,6 +34,7 @@
 import ru.mystamps.web.entity.Currency;
 import ru.mystamps.web.service.dto.AddSeriesDto;
 import ru.mystamps.web.validation.jsr303.CatalogNumbers;
+import ru.mystamps.web.validation.jsr303.ImageFile;
 import ru.mystamps.web.validation.jsr303.NotEmptyFile;
 import ru.mystamps.web.validation.jsr303.NotEmptyFilename;
 import ru.mystamps.web.validation.jsr303.NotNullIfFirstField;
@@ -141,6 +142,7 @@ public class AddSeriesForm implements AddSeriesDto {
 	@NotNull
 	@NotEmptyFilename(groups = Image1Checks.class)
 	@NotEmptyFile(groups = Image2Checks.class)
+	@ImageFile(groups = Image3Checks.class)
 	private MultipartFile image;
 
 
@@ -198,7 +200,8 @@ public interface GibbonsCatalog2Checks {
 
 	@GroupSequence({
 		Image1Checks.class,
-		Image2Checks.class
+		Image2Checks.class,
+		Image3Checks.class
 	})
 	public interface ImageChecks {
 	}
@@ -209,4 +212,7 @@ public interface Image1Checks {
 	public interface Image2Checks {
 	}
 
+	public interface Image3Checks {
+	}
+	
 }

src/main/java/ru/mystamps/web/validation/jsr303/ImageFile.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2009-2015 Slava Semushin <slava.semushin@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.validation.jsr303;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.validation.Constraint;
+import javax.validation.Payload;
+
+import static java.lang.annotation.ElementType.ANNOTATION_TYPE;
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Target({ METHOD, FIELD, ANNOTATION_TYPE })
+@Retention(RUNTIME)
+@Constraint(validatedBy = ImageFileValidator.class)
+@Documented
+public @interface ImageFile {
+	String message() default "{ru.mystamps.web.validation.jsr303.ImageFile.message}";
+	Class<?>[] groups() default {};
+	Class<? extends Payload>[] payload() default {};
+}

src/main/java/ru/mystamps/web/validation/jsr303/ImageFileValidator.java

@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2009-2015 Slava Semushin <slava.semushin@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.validation.jsr303;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Arrays;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.web.multipart.MultipartFile;
+
+public class ImageFileValidator implements ConstraintValidator<ImageFile, MultipartFile> {
+	
+	private static final Logger LOG = LoggerFactory.getLogger(ImageFileValidator.class);
+	
+	// see https://en.wikipedia.org/wiki/JPEG#Syntax_and_structure
+	private static final byte[] JPEG_SIGNATURE = new byte[] {
+		(byte)0xFF, (byte)0xD8, (byte)0xFF, (byte)0xE0
+	};
+	
+	// see https://en.wikipedia.org/wiki/Portable_Network_Graphics#File_header
+	private static final byte[] PNG_FIRST_PART_SIGNATURE = new byte[] {
+		(byte)0x89, 0x50, 0x4E, 0x47
+	};
+	
+	private static final byte[] PNG_SECOND_PART_SIGNATURE = new byte[] {
+		0x0D, 0x0A, 0x1A, 0x0A
+	};
+	
+	private static boolean isJpeg(byte[] bytes) {
+		// TODO: also check that last 2 bytes are FF D9 (use RandomAccessFile)
+		return Arrays.equals(bytes, JPEG_SIGNATURE);
+	}
+	
+	private static boolean doesItLookLikePng(byte[] bytes) {
+		return Arrays.equals(bytes, PNG_FIRST_PART_SIGNATURE);
+	}
+	
+	private static boolean isItReallyPng(byte[] bytes) {
+		return Arrays.equals(bytes, PNG_SECOND_PART_SIGNATURE);
+	}
+	
+	private static byte[] readFourBytes(InputStream is) {
+		// CheckStyle: ignore MagicNumber for next 1 line
+		byte[] bytes = new byte[4];
+		try {
+			int read = is.read(bytes, 0, bytes.length);
+			if (read != bytes.length) {
+				return null;
+			}
+			
+			return bytes;
+			
+		} catch (IOException e) {
+			LOG.warn("Error during reading from file: {}", e.getMessage());
+			return null;
+		}
+	}
+	
+	private static String formatBytes(byte[] bytes) {
+		// CheckStyle: ignore MagicNumber for next 1 line
+		return String.format("%02x %02x %02x %02x", bytes[0], bytes[1], bytes[2], bytes[3]);
+	}
+	
+	@Override
+	public void initialize(ImageFile annotation) {
+		// Intentionally empty: nothing to initialize
+	}
+	
+	@Override
+	public boolean isValid(MultipartFile file, ConstraintValidatorContext ctx) {
+		
+		if (file == null) {
+			return true;
+		}
+		
+		if (file.isEmpty()) {
+			return false;
+		}
+		
+		try (InputStream stream = file.getInputStream()) {
+			
+			byte[] firstPart = readFourBytes(stream);
+			if (firstPart != null) {
+				LOG.warn("Failed to read 4 bytes from file");
+				return false;
+			}
+			
+			if (isJpeg(firstPart)) {
+				return true;
+			}
+			
+			if (doesItLookLikePng(firstPart)) {
+				byte[] secondPart = readFourBytes(stream);
+				if (isItReallyPng(secondPart)) {
+					return true;
+				}
+				
+				LOG.debug(
+					"Looks like file isn't a PNG image. First bytes: {} {}",
+					formatBytes(firstPart),
+					formatBytes(secondPart)
+				);
+				return false;
+			}
+			
+			LOG.debug("Looks like file isn't an image. First bytes: {}", formatBytes(firstPart));
+			return false;
+			
+		} catch (IOException e) {
+			LOG.warn("Error during file type validation: {}", e.getMessage());
+			return false;
+		}
+	}
+	
+}

src/main/resources/ru/mystamps/i18n/ValidationMessages.properties

@@ -20,6 +20,7 @@ ru.mystamps.web.validation.jsr303.UniqueMichelNumbers.message = Series with one
 ru.mystamps.web.validation.jsr303.UniqueScottNumbers.message = Series with one of provided scott code already exists
 ru.mystamps.web.validation.jsr303.UniqueYvertNumbers.message = Series with one of provided yvert code already exists
 ru.mystamps.web.validation.jsr303.UniqueGibbonsNumbers.message = Series with one of provided gibbons code already exists
+ru.mystamps.web.validation.jsr303.ImageFile.message = Cannot detect file type. Must be image in JPEG or PNG format
 
 value.too-short = Value is less than allowable minimum of {min} characters
 value.too-long = Value is greater than allowable maximum of {max} characters

src/main/resources/ru/mystamps/i18n/ValidationMessages_ru.properties

@@ -20,6 +20,7 @@ ru.mystamps.web.validation.jsr303.UniqueMichelNumbers.message = В базе уж
 ru.mystamps.web.validation.jsr303.UniqueScottNumbers.message = В базе уже есть серия с одним из указанных номеров по каталогу Scott
 ru.mystamps.web.validation.jsr303.UniqueYvertNumbers.message = В базе уже есть серия с одним из указанных номеров по каталогу Yvert
 ru.mystamps.web.validation.jsr303.UniqueGibbonsNumbers.message = В базе уже есть серия с одним из указанных номеров по каталогу Gibbons
+ru.mystamps.web.validation.jsr303.ImageFile.message = Не удалось определить тип файла. Должен быть изображением в формате JPEG или PNG
 
 value.too-short = Значение должно быть не менее {min} символов
 value.too-long = Значение должно быть не более {max} символов