add upload file only picture

Author: JoyChou93

java-sec-code.iml

@@ -12,7 +12,7 @@
       </configuration>
     </facet>
   </component>
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_6">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />
     <content url="file://$MODULE_DIR$">
@@ -164,5 +164,6 @@
     <orderEntry type="library" name="Maven: com.thoughtworks.xstream:xstream:1.4.9" level="project" />
     <orderEntry type="library" name="Maven: xmlpull:xmlpull:1.1.3.1" level="project" />
     <orderEntry type="library" name="Maven: xpp3:xpp3_min:1.1.4c" level="project" />
+    <orderEntry type="library" name="Maven: com.fasterxml.uuid:java-uuid-generator:3.1.4" level="project" />
   </component>
 </module>

pom.xml

@@ -129,6 +129,13 @@
             <version>1.4.0.RELEASE</version>
         </dependency>
 
+        <!-- 生成uuid -->
+        <dependency>
+            <groupId>com.fasterxml.uuid</groupId>
+            <artifactId>java-uuid-generator</artifactId>
+            <version>3.1.4</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/controller/FileUpload.java

@@ -1,5 +1,6 @@
 package org.joychou.controller;
 
+import com.fasterxml.uuid.Generators;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -8,10 +9,16 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
+import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.UUID;
+
+import static org.joychou.utils.Security.isImage;
+
 
 /**
  * @author: JoyChou ([email protected])
@@ -31,6 +38,11 @@ public String index() {
         return "upload"; // return upload.html page
     }
 
+    @GetMapping("/pic")
+    public String uploadPic() {
+        return "uploadPic"; // return uploadPic.html page
+    }
+
     @PostMapping("/upload")
     public String singleFileUpload(@RequestParam("file") MultipartFile file,
                                    RedirectAttributes redirectAttributes) {
@@ -52,15 +64,94 @@ public String singleFileUpload(@RequestParam("file") MultipartFile file,
         } catch (IOException e) {
             redirectAttributes.addFlashAttribute("message", "upload failed");
             e.printStackTrace();
-            return "uploadStatus";
+            return "redirect:/file/status";
         }
 
         return "redirect:/file/status";
     }
 
+    // only upload picture
+    @PostMapping("/upload/picture")
+    public String uploadPicture(@RequestParam("file") MultipartFile multifile,
+                                   RedirectAttributes redirectAttributes) throws Exception{
+        if (multifile.isEmpty()) {
+            // 赋值给uploadStatus.html里的动态参数message
+            redirectAttributes.addFlashAttribute("message", "Please select a file to upload");
+            return "redirect:/file/status";
+        }
+
+        // get suffix
+        String fileName = multifile.getOriginalFilename();
+        String Suffix = fileName.substring(fileName.lastIndexOf("."));
+
+        File excelFile = convert(multifile);
+
+        // security check
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};
+        Boolean suffixFlag = false;
+        for (String white_suffix : picSuffixList) {
+            if (Suffix.toLowerCase().equals(white_suffix)) {
+                suffixFlag = true;
+                break;
+            }
+        }
+        if ( !suffixFlag || !isImage(excelFile) ) {
+            redirectAttributes.addFlashAttribute("message", "illeagl picture");
+            deleteFile(excelFile);
+            return "redirect:/file/status";
+        }
+
+
+        try {
+            // Get the file and save it somewhere
+            byte[] bytes = multifile.getBytes();
+            Path path = Paths.get(UPLOADED_FOLDER + multifile.getOriginalFilename());
+            Files.write(path, bytes);
+
+            redirectAttributes.addFlashAttribute("message",
+                    "You successfully uploaded '" + UPLOADED_FOLDER + multifile.getOriginalFilename() + "'");
+
+        } catch (IOException e) {
+            redirectAttributes.addFlashAttribute("message", "upload failed");
+            e.printStackTrace();
+            deleteFile(excelFile);
+            return "redirect:/file/status";
+        }
+
+        deleteFile(excelFile);
+        return "redirect:/file/status";
+    }
+
     @GetMapping("/status")
     public String uploadStatus() {
         return "uploadStatus";
     }
 
+    private void deleteFile(File... files) {
+        for (File file : files) {
+            if (file.exists()) {
+                file.delete();
+            }
+        }
+    }
+
+    /**
+     * @desc 不建议使用transferTo，因为原始的MultipartFile会被覆盖
+     * @url https://stackoverflow.com/questions/24339990/how-to-convert-a-multipart-file-to-file
+     * @param multiFile
+     * @return
+     * @throws Exception
+     */
+    private File convert(MultipartFile multiFile) throws Exception {
+        String fileName = multiFile.getOriginalFilename();
+        String suffix = fileName.substring(fileName.lastIndexOf("."));
+        UUID uuid = Generators.timeBasedGenerator().generate();
+
+        File convFile = new File(UPLOADED_FOLDER + uuid + suffix);
+        convFile.createNewFile();
+        FileOutputStream fos = new FileOutputStream(convFile);
+        fos.write(multiFile.getBytes());
+        fos.close();
+        return convFile;
+    }
 }

src/main/java/org/joychou/utils/Security.java

@@ -2,6 +2,10 @@
 
 import com.google.common.net.InternetDomainName;
 
+import javax.imageio.ImageIO;
+import java.awt.image.BufferedImage;
+import java.io.File;
+import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
 
@@ -10,8 +14,8 @@ public class Security {
      * @param url
      * @return 安全url返回true，危险url返回false
      */
-    public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
-        try{
+    public static Boolean checkSafeUrl(String url, String[] urlwhitelist) {
+        try {
             URL u = new URL(url);
             URI uri = new URI(url);
             // 判断是否是http(s)协议
@@ -25,18 +29,31 @@ public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
             // 如果非顶级域名后缀会报错
             String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
-            for (String whiteurl: urlwhitelist){
+            for (String whiteurl : urlwhitelist) {
                 if (rootDomain.equals(whiteurl)) {
                     return true;
                 }
             }
 
             System.out.println("Url is not safe.");
             return false;
-        }catch (Exception e) {
+        } catch (Exception e) {
             System.out.println(e.toString());
             e.printStackTrace();
             return false;
         }
     }
-}
+
+
+    /**
+     * @param file
+     * @desc 判断文件内容是否是图片
+     */
+    public static boolean isImage(File file) throws IOException {
+        BufferedImage bi = ImageIO.read(file);
+        if (bi == null) {
+            return false;
+        }
+        return true;
+    }
+}

src/main/resources/templates/uploadPic.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<body>
+
+<h3>file upload only picture</h3>
+
+<form method="POST" action="upload/picture" enctype="multipart/form-data">
+    <input type="file" name="file" /><br/><br/>
+    <input type="submit" value="Submit" />
+</form>
+
+</body>
+</html>