Merge branch 'release/1.0.12'

* release/1.0.12:
  bumped version to 1.0.12
  extends error message with response-content-type
  fixes pdf-validation so that bom marker is detected and removed before validation
  fixes pdf-validation so that bom marker is detected and removed before validation
  fixes pdf-validation so that bom marker is detected and removed before validation
  fixes pdf-validation so that bom marker is detected and removed before validation
  Update spring boot dependency to patch vulnerable transitive dependencies
  Version bump
  Get classname for Logger dynamically to allow sub-classes to be respected in logging
  next dev version 1.0.12-SNAPSHOT
  next dev version 1.0.11-SNAPSHOT

Author: Sören Röttger

pom.xml

@@ -5,14 +5,14 @@
 
     <groupId>de.tk.opensource</groupId>
     <artifactId>3rdparty-privacy-proxy</artifactId>
-    <version>1.0.11</version>
+    <version>1.0.12</version>
     <packaging>jar</packaging>
     <name>3rd Party Privacy Proxy (Open Source)</name>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.2.0.RELEASE</version>
+        <version>2.4.2</version>
     </parent>
 
     <description>

src/main/java/de/tk/opensource/privacyproxy/delivery/AssetDeliveryController.java

@@ -29,7 +29,7 @@
 @RequestMapping(value = UrlPattern.Contexts.DELIVERY)
 public abstract class AssetDeliveryController {
 
-	private static final Logger LOGGER = LoggerFactory.getLogger(AssetDeliveryController.class);
+	protected final Logger LOGGER = LoggerFactory.getLogger(getClass());
 
 	@Autowired
 	private ResourceLoader resourceLoader;

src/main/java/de/tk/opensource/privacyproxy/retrieval/AssetRetrievalService.java

@@ -22,7 +22,7 @@
  */
 public abstract class AssetRetrievalService implements InitializingBean {
 
-	private static final Logger LOGGER = LoggerFactory.getLogger(AssetRetrievalService.class);
+	protected final Logger LOGGER = LoggerFactory.getLogger(getClass());
 
 	/**
 	 * Configure where the files will be stored on the file system.

src/main/java/de/tk/opensource/privacyproxy/retrieval/AssetRetryRetrievalService.java

@@ -1,4 +1,4 @@
-/*--- (C) 1999-2019 Techniker Krankenkasse ---*/
+/*--- (C) 1999-2021 Techniker Krankenkasse ---*/
 
 package de.tk.opensource.privacyproxy.retrieval;
 
@@ -16,19 +16,22 @@
 import java.util.zip.ZipInputStream;
 
 import org.apache.commons.io.IOUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.retry.annotation.Backoff;
 import org.springframework.retry.annotation.Retryable;
 import org.springframework.stereotype.Service;
 
 import de.tk.opensource.privacyproxy.config.RetrievalEndpoint;
-import de.tk.opensource.privacyproxy.util.PDFCorruptedException;
 import de.tk.opensource.privacyproxy.util.PDFHelper;
 import de.tk.opensource.privacyproxy.util.ProxyHelper;
 
 @Service
 public class AssetRetryRetrievalService {
 
+	private final Logger LOGGER = LoggerFactory.getLogger(getClass());
+
 	/**
 	 * Configure where the files will be stored on the file system.
 	 */
@@ -46,9 +49,7 @@ public AssetRetryRetrievalService(ProxyHelper proxyHelper) {
 		backoff = @Backoff(delay = 3000),
 		maxAttempts = 4
 	)
-	void retrieveAsset(String provider, RetrievalEndpoint endpoint) throws IOException,
-		PDFCorruptedException
-	{
+	void retrieveAsset(String provider, RetrievalEndpoint endpoint) throws IOException {
 		final URL url = new URL(endpoint.getRemoteUrlWithCacheBuster());
 		final URLConnection connection = url.openConnection(proxyHelper.selectProxy(url));
 		connection.setRequestProperty("User-Agent", "3rd Party Privacy Proxy");
@@ -60,31 +61,7 @@ void retrieveAsset(String provider, RetrievalEndpoint endpoint) throws IOExcepti
 		} else {
 			try(final InputStream httpInputStream = connection.getInputStream()) {
 				if (endpoint.getFilename().endsWith(".pdf")) {
-
-					// copy stream to check for pdf validity, afterwards use another new stream to handle download
-					try(final ByteArrayOutputStream copiedStream = new ByteArrayOutputStream()) {
-						IOUtils.copy(httpInputStream, copiedStream);
-						if (!PDFHelper.isPdf(copiedStream.toByteArray())) {
-							throw new PDFCorruptedException(
-								String.format(
-									"The requested resource %s wasn't a valid pdf file. Maybe the endpoint has an error "
-									+ "and therefore the pdf content is the content of a maintenance site",
-									endpoint.getRemoteUrl()
-								)
-							);
-						} // Looks like we have a valid pdf. Download it...
-						try(
-							final ByteArrayInputStream inputStream =
-								new ByteArrayInputStream(copiedStream.toByteArray())
-						) {
-							retrieveFileByChannel(
-								provider,
-								endpoint,
-								inputStream,
-								originalFileSize
-							);
-						}
-					}
+					retrievePdf(provider, endpoint, httpInputStream, originalFileSize, connection);
 				} else {
 					retrieveFileByChannel(provider, endpoint, httpInputStream, originalFileSize);
 				}
@@ -131,6 +108,29 @@ void retrieveZip(
 		}
 	}
 
+	void retrievePdf(
+		String			  provider,
+		RetrievalEndpoint endpoint,
+		InputStream		  httpInputStream,
+		long			  originalFileSize,
+		URLConnection	  connection
+	) throws IOException
+	{
+		byte[] bytes = IOUtils.toByteArray(httpInputStream);
+		if (PDFHelper.isPdf(bytes)) {
+			ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
+			retrieveFileByChannel(provider, endpoint, byteArrayInputStream, originalFileSize);
+		} else {
+			LOGGER.error(
+				"The requested resource {} wasn't a valid pdf file. Content-type was {}."
+				+ " Maybe the endpoint has an error and therefore the pdf content is the content"
+				+ " of a maintenance site",
+				endpoint.getRemoteUrl(),
+				connection.getContentType()
+			);
+		}
+	}
+
 	void retrieveFileByChannel(
 		final String			provider,
 		final RetrievalEndpoint endpoint,

src/main/java/de/tk/opensource/privacyproxy/routing/RoutingHandler.java

@@ -47,17 +47,16 @@
  * use blacklisting. If the service delivers a response, this also has to be kind of whitelisted.
  * Cookies will be set by this service and thus will always be 1st party! You have to implement your
  * own RoutingHandler per provider. E.g. you could write a RoutingProvider to proxy traffic to an
- * external Matomo instance.
- * REQUIREMENT: You have to be able to configure the 3rd Party JS to talk to this service URL
- * instead of their server directly. If they don't allow this without patching their code by
- * yourself, look for another service provider. There is no technical requirement for not allowing
- * this.
+ * external Matomo instance. REQUIREMENT: You have to be able to configure the 3rd Party JS to talk
+ * to this service URL instead of their server directly. If they don't allow this without patching
+ * their code by yourself, look for another service provider. There is no technical requirement for
+ * not allowing this.
  */
 @Controller
 @RequestMapping(value = UrlPattern.Contexts.PROXY)
 public abstract class RoutingHandler {
 
-	private static final Logger LOGGER = LoggerFactory.getLogger(RoutingHandler.class);
+	protected final Logger LOGGER = LoggerFactory.getLogger(getClass());
 
 	private static final String[] DEFAULT_RETURN_VALUE = new String[0];
 
@@ -350,9 +349,10 @@ protected CookieNameMatchType getCookieNameMatchType() {
 	 * Transform the given query parameter before appending it to the request. The default
 	 * implementation applies percent-encoding to the value.
 	 *
-	 * @param name  query parameter name
-	 * @param value query parameter value
-	 * @return encoded parameter
+	 * @param   name   query parameter name
+	 * @param   value  query parameter value
+	 *
+	 * @return  encoded parameter
 	 */
 	protected String transformQueryParam(String name, String value) {
 		return RequestUtils.urlencode(value);

src/main/java/de/tk/opensource/privacyproxy/util/PDFCorruptedException.java

@@ -1,34 +1,83 @@
+/*--- (C) 1999-2019 Techniker Krankenkasse ---*/
+
 package de.tk.opensource.privacyproxy.util;
 
+import java.io.ByteArrayInputStream;
+import java.util.Arrays;
+
 public class PDFHelper {
 
-    /**
-     * Check if a byte array is an PDF file.
-     * PDF files starts with magic numbers '%PDF-' and ends with '%%EOF'.
-     * A File that does not contains PDF magic numbers is therefore not a PDF file.
-     * @param data file byte array
-     * @return true if byte array looks like a pdf, otherwise false
-     */
-    public static boolean isPdf(byte[] data) {
-        if (data != null && data.length > 4 &&
-                data[0] == 0x25 && // %
-                data[1] == 0x50 && // P
-                data[2] == 0x44 && // D
-                data[3] == 0x46 && // F
-                data[4] == 0x2D) { // -
-            int count = 0;
-            int offset = data.length - 8; // check last 8 bytes for %%EOF with optional white-space
-            while (offset < data.length) {
-                if (count == 0 && data[offset] == 0x25) count++; // %
-                if (count == 1 && data[offset] == 0x25) count++; // %
-                if (count == 2 && data[offset] == 0x45) count++; // E
-                if (count == 3 && data[offset] == 0x4F) count++; // O
-                if (count == 4 && data[offset] == 0x46) count++; // F
-                offset++;
-            }
-            return count == 5;
-        }
-
-        return false;
-    }
-}
+	private PDFHelper() {
+	}
+
+	private static final int[] UTF8_BYTE_ORDER_MARK = { 239, 187, 191 };
+
+	/**
+	 * Check if a byte array is an PDF file. PDF files starts with magic numbers '%PDF-' and ends
+	 * with '%%EOF'. A File that does not contains PDF magic numbers is therefore not a PDF file.
+	 *
+	 * @param   data  file byte array
+	 *
+	 * @return  true if byte array looks like a pdf, otherwise false
+	 */
+	public static boolean isPdf(byte[] data) {
+		data = removeBomMarker(data);
+		if (
+			data != null
+			&& data.length > 4
+			&& data[0] == 0x25 // %
+			&& data[1] == 0x50 // P
+			&& data[2] == 0x44 // D
+			&& data[3] == 0x46 // F
+			&& data[4] == 0x2D
+		) {
+			int count = 0;
+			int offset = data.length - 8; // check last 8 bytes for %%EOF with optional white-space
+			while (offset < data.length) {
+				if (count == 0 && data[offset] == 0x25) {
+					count++; // %
+				}
+				if (count == 1 && data[offset] == 0x25) {
+					count++; // %
+				}
+				if (count == 2 && data[offset] == 0x45) {
+					count++; // E
+				}
+				if (count == 3 && data[offset] == 0x4F) {
+					count++; // O
+				}
+				if (count == 4 && data[offset] == 0x46) {
+					count++; // F
+				}
+				offset++;
+			}
+			return count == 5;
+		}
+		return false;
+	}
+
+	/**
+	 * Check if a bom marker is at the beginning of the file. If there is a bom marker, the bom
+	 * marker is removed from the byte array.
+	 *
+	 * @param   data  file byte array
+	 *
+	 * @return  file byte array free of any bom markers
+	 */
+	private static byte[] removeBomMarker(byte[] data) {
+		ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(data);
+		int[] bomTestArr = new int[UTF8_BYTE_ORDER_MARK.length];
+
+		for (int index = 0; index < UTF8_BYTE_ORDER_MARK.length; ++index) {
+			bomTestArr[index] = byteArrayInputStream.read();
+		}
+		boolean isBomMarked = Arrays.equals(bomTestArr, UTF8_BYTE_ORDER_MARK);
+
+		if (isBomMarked) {
+			data = Arrays.copyOfRange(data, UTF8_BYTE_ORDER_MARK.length, data.length);
+		}
+		return data;
+	}
+}
+
+/*--- Formatiert nach TK Code Konventionen vom 05.03.2002 ---*/

src/main/java/de/tk/opensource/privacyproxy/util/PDFHelper.java

@@ -0,0 +1,39 @@
+/*--- (C) 1999-2019 Techniker Krankenkasse ---*/
+
+package de.tk.opensource.privacyproxy.util;
+
+import java.io.IOException;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+import org.springframework.core.io.ClassPathResource;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class PDFHelperTest {
+	@Test
+	public void testPdfWithBomMarker() throws IOException {
+		ClassPathResource classPathResource =
+			new ClassPathResource("testPdfs/pdfWithBomMarker.pdf");
+		byte[] bytes = IOUtils.toByteArray(classPathResource.getInputStream());
+		assertTrue(PDFHelper.isPdf(bytes));
+	}
+
+	@Test
+	public void testStandardPdf() throws IOException {
+		ClassPathResource classPathResource = new ClassPathResource("testPdfs/testPdf.pdf");
+		byte[] bytes = IOUtils.toByteArray(classPathResource.getInputStream());
+		assertTrue(PDFHelper.isPdf(bytes));
+	}
+
+	@Test
+	public void testCorruptPdf() throws IOException {
+		ClassPathResource classPathResource =
+			new ClassPathResource("testPdfs/shellBinaryAsPdf.pdf");
+		byte[] bytes = IOUtils.toByteArray(classPathResource.getInputStream());
+		assertFalse(PDFHelper.isPdf(bytes));
+	}
+}
+
+/*--- Formatiert nach TK Code Konventionen vom 05.03.2002 ---*/