From fcce38a82a0df39cddb95b1e987669cdc5073f2a Mon Sep 17 00:00:00 2001
From: Nils Schwabe
Date: Mon, 14 Jul 2014 14:06:22 +0200
Subject: Add security checks for image upload
Fix typo
---
 .../java/org/openslx/imagemaster/db/DbImage.java | 2 +-
 .../java/org/openslx/imagemaster/db/DbUser.java | 7 ++++---
 .../serverconnection/ImageProcessor.java | 22 +++++++++++++++++++---
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/main/java/org/openslx/imagemaster/db/DbImage.java b/src/main/java/org/openslx/imagemaster/db/DbImage.java
index 904442d..38ca714 100644
--- a/src/main/java/org/openslx/imagemaster/db/DbImage.java
+++ b/src/main/java/org/openslx/imagemaster/db/DbImage.java
@@ -122,7 +122,7 @@ public class DbImage
 "INSERT INTO images (UUID, image_version, image_name, image_path, image_createTime, image_updateTime, image_owner, content_operatingSystem, status_isValid, status_isDeleted, image_shortDescription, image_longDescription, timestamp, fileSize, token, missingBlocks, serverSessionId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
 imageData.uuid, imageData.imageVersion, imageData.imageName, filepath, sdf.format( createTime ), sdf.format( updateTime ), imageData.imageOwner,
- imageData.conentOperatingSystem, imageData.statusIsValid,
+ imageData.contentOperatingSystem, imageData.statusIsValid,
 imageData.statusIsDeleted, imageData.imageShortDescription, imageData.imageLongDescription, sdf.format( timestamp ), imageData.fileSize, token, missingBlocksList, serverSessionId );
diff --git a/src/main/java/org/openslx/imagemaster/db/DbUser.java b/src/main/java/org/openslx/imagemaster/db/DbUser.java
index ffc9d1a..7f83176 100644
--- a/src/main/java/org/openslx/imagemaster/db/DbUser.java
+++ b/src/main/java/org/openslx/imagemaster/db/DbUser.java
@@ -74,12 +74,13 @@ public class DbUser extends User
 /**
 * Checks if a user with id (userid@organization) exists
 * @param id
- * @return whether ther user exists
+ * @return Whether the user exists
 */
 public static boolean exists( String id )
 {
- String user = id.split( "@" )[0];
- String organization = id.split( "@" )[1];
+ String[] parts = id.split( "@" );
+ String user = parts[0];
+ String organization = parts[1];
 DbUser dbUser = MySQL.findUniqueOrNull( DbUser.class,
 "SELECT user.userid, user.username, user.password, user.organization, user.firstname, user.lastname, user.email, satellite.address FROM user"
diff --git a/src/main/java/org/openslx/imagemaster/serverconnection/ImageProcessor.java b/src/main/java/org/openslx/imagemaster/serverconnection/ImageProcessor.java
index b86c8b5..f40aece 100644
--- a/src/main/java/org/openslx/imagemaster/serverconnection/ImageProcessor.java
+++ b/src/main/java/org/openslx/imagemaster/serverconnection/ImageProcessor.java
@@ -14,8 +14,11 @@ import org.apache.log4j.Logger;
 import org.openslx.imagemaster.Globals;
 import org.openslx.imagemaster.crcchecker.CRCFile;
 import org.openslx.imagemaster.db.DbImage;
+import org.openslx.imagemaster.db.DbUser;
 import org.openslx.imagemaster.thrift.iface.DownloadInfos;
 import org.openslx.imagemaster.thrift.iface.ImageData;
+import org.openslx.imagemaster.thrift.iface.ImageDataError;
+import org.openslx.imagemaster.thrift.iface.ImageDataException;
 import org.openslx.imagemaster.thrift.iface.UploadError;
 import org.openslx.imagemaster.thrift.iface.UploadException;
 import org.openslx.imagemaster.thrift.iface.UploadInfos;
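Review bot: `exists` still reads `parts[1]` without checking that the split actually produced two parts, so an id with no "@" — or one like "user@", where `String.split` drops the trailing empty string — throws ArrayIndexOutOfBoundsException instead of returning false, and a null id throws NullPointerException at the split. Since `getUploadInfos` in this same commit feeds the caller-supplied `imageOwner` straight into this method, a malformed owner string surfaces as an unchecked exception on the upload path rather than as the intended "User is not known" error. Guard before and after the split: `if ( id == null ) return false;` and `if ( parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty() ) return false;` — the length check also rejects ids with more than one "@", which the current code would silently truncate to their first two segments. The body of `exists` continues past the end of the hunk.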
@@ -60,12 +63,25 @@ public class ImageProcessor
 * @param serverSessionId The uploading server
 * @param imageData The data of the image
 * @return
- * @throws UploadException If some error occured during the process
+ * @throws UploadException If some error occurred during the process
 */
- public static UploadInfos getUploadInfos( String serverSessionId, ImageData imageData, List crcSums ) throws UploadException
+ public static UploadInfos getUploadInfos( String serverSessionId, ImageData imageData, List crcSums )
+ throws UploadException, ImageDataException
 {
 // check image data
- // TODO: do security checks
+ if ( DbImage.exists( imageData.uuid ) ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "UUID already existing.");
+ } else if ( imageData.imageName == null || imageData.imageName.isEmpty() ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "Image name not set.");
+ } else if ( imageData.imageName == null || imageData.imageOwner.isEmpty() ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "Image owner not set.");
+ } else if ( imageData.contentOperatingSystem == null || imageData.contentOperatingSystem.isEmpty() ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "Content operating system not set.");
+ } else if ( imageData.fileSize <= 0 ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "File size is too small.");
+ } else if ( !DbUser.exists( imageData.imageOwner ) ) {
+ throw new ImageDataException( ImageDataError.INVALID_DATA, "User is not known." );
+ }
 String uuid = imageData.uuid;
 String token;
-- 
cgit v1.2.3-55-g7522
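Review bot: The owner branch is a copy-paste slip — it tests `imageData.imageName == null` and then calls `imageData.imageOwner.isEmpty()`, so a null `imageOwner` escapes as a NullPointerException instead of the intended ImageDataException; it should read `} else if ( imageData.imageOwner == null || imageData.imageOwner.isEmpty() ) {`. The uuid gets no such check at all before `DbImage.exists( imageData.uuid )`, so a leading branch of the same shape, `if ( imageData.uuid == null || imageData.uuid.isEmpty() )`, belongs in front of the duplicate lookup (plus a cheap format check such as `UUID.fromString` if the project treats it as a real UUID — whether `DbImage.exists` tolerates null is not visible here). Nothing in these checks relates `imageOwner` or the uuid to `serverSessionId`, so presumably any authenticated server can register an image under any known user; worth confirming that the caller enforces that, or that it is intended. The remainder of `getUploadInfos` runs past the end of the hunk.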