probe content type of files using secure mechanism
Current implementations rely on the file name/extension, which is prone to errors (.mp4, is it a video or a picture?) and spoofing. This change allows customers to use or opt into mechanisms which inspect the first bytes of a file's payload.
HoneyryderChuck committed Jun 19, 2024
1 parent 71b33db commit 5820375
Showing 12 changed files with 137 additions and 66 deletions.
Expand Up @@ -1643,21 +1643,25 @@ public class ApiClient {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
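Review bot: `Files.probeContentType` does not guarantee the content inspection the commit description relies on: its Javadoc leaves detection to the installed `FileTypeDetector` providers and a platform default that may look only at the file name, so on such a runtime the returned type is still derived from the extension. Assuming the try/`probeContentType` lines are the new side (the +/- markers are lost on this page), the method Javadoc should say so, for example `The type is a hint from the platform's FileTypeDetector chain and may be derived from the file name alone; receivers must still validate the payload.` Callers who need byte-level sniffing would have to register their own `FileTypeDetector`, which the description hints at ("opt into") but the Javadoc does not mention. The same hunk is repeated in the ten other ApiClient sections that follow (hunk headers at -1383, -1406, -1491, -1484, -1479, -1482, -1485, -1479, -1479 and -1544), and the method's Javadoc begins above the hunk.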
Expand Up @@ -1383,21 +1383,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1406,21 +1406,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1491,21 +1491,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1484,21 +1484,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1479,21 +1479,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1482,21 +1482,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1485,21 +1485,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1479,21 +1479,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1479,21 +1479,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -1544,21 +1544,25 @@ public RequestBody buildRequestBodyMultipart(Map<String, Object> formParams) {
* @return The guessed Content-Type
*/
public String guessContentTypeFromFile(File file) {
String contentType = URLConnection.guessContentTypeFromName(file.getName());
if (contentType == null) {
try {
String contentType = Files.probeContentType(file.toPath());
if (contentType == null) {
return "application/octet-stream";
} else {
return contentType;
}
} catch(IOException error) {
return "application/octet-stream";
} else {
return contentType;
}
}

/**
* Add a Content-Disposition Header for the given key and file to the MultipartBody Builder.
*
* @param mpBuilder MultipartBody.Builder
* @param mpBuilder MultipartBody.Builder
* @param key The key of the Header element
* @param file The file to add to the Header
*/
*/
private void addPartToMultiPartBuilder(MultipartBody.Builder mpBuilder, String key, File file) {
Headers partHeaders = Headers.of("Content-Disposition", "form-data; name=\"" + key + "\"; filename=\"" + file.getName() + "\"");
MediaType mediaType = MediaType.parse(guessContentTypeFromFile(file));
Expand Up @@ -3,6 +3,9 @@
import static org.junit.jupiter.api.Assertions.*;

import java.util.*;
import java.io.IOException;
import java.io.File;
import java.nio.file.Files;

import okhttp3.OkHttpClient;
import org.junit.jupiter.api.*;
Expand Down Expand Up @@ -81,6 +84,30 @@ public void testSelectHeaderContentType() {
assertNull(apiClient.selectHeaderContentType(contentTypes));
}

@Test
public void testguessContentTypeFromFile() throws IOException {
byte[] b = {
//ccurve.png
-119, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82,
0, 0, 0, 15, 0, 0, 0, 15, 8, 6, 0, 0, 0, 59, -42, -107,
74, 0, 0, 0, 64, 73, 68, 65, 84, 120, -38, 99, 96, -64, 14, -2,
99, -63, 68, 1, 100, -59, -1, -79, -120, 17, -44, -8, 31, -121, 28, 81,
26, -1, -29, 113, 13, 78, -51, 100, -125, -1, -108, 24, 64, 86, -24, -30,
11, 101, -6, -37, 76, -106, -97, 25, 104, 17, 96, -76, 77, 97, 20, -89,
109, -110, 114, 21, 0, -82, -127, 56, -56, 56, 76, -17, -42, 0, 0, 0,
0, 73, 69, 78, 68, -82, 66, 96, -126
};

File jpegFile = File.createTempFile("image", ".png");
jpegFile.deleteOnExit();
Files.write(jpegFile.toPath(), b);
assertEquals("image/png", apiClient.guessContentTypeFromFile(jpegFile));
// File otherFile = File.createTempFile("image", ".txt");
// otherFile.deleteOnExit();
// Files.write(otherFile.toPath(), b);
// assertEquals("image/png", apiClient.guessContentTypeFromFile(otherFile));
}

@Test
public void testGetAuthentications() {
Map<String, Authentication> auths = apiClient.getAuthentications();
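Review bot: The only active assertion writes PNG bytes to a file named `*.png`, so it passes just as well with name-based guessing and does not pin the content-based behaviour the commit is about; the case that would (`.txt` name, PNG bytes) is left commented out. Either enable it behind an assumption that the runtime has a content-sniffing detector, or replace the commented block with a comment stating why it is disabled, e.g. `// Disabled: the default FileTypeDetector on this JDK resolves by extension, so a .txt name does not yield image/png.` (that reason is inferred, confirm it). The local `jpegFile` holds a PNG and would read better as `pngFile`, and the method name should be `testGuessContentTypeFromFile` to match the other tests.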
