From 7fe73cc60c3064d4f6d8eecca8df87454e47fc4a Mon Sep 17 00:00:00 2001
From: KatyaKomar <ekaterina.komar@duallab.com>
Date: Wed, 30 Aug 2023 15:33:44 +0300
Subject: [PATCH] Add limit max size of PDF

---
 README.md                                     | 11 +++-
 pom.xml                                       |  2 +-
 server.yml                                    |  1 +
 .../rest/app/VeraPdfRestApplication.java      | 15 ++++-
 .../rest/app/VeraPdfRestConfiguration.java    | 12 +++-
 .../verapdf/rest/resources/ApiResource.java   |  8 +--
 .../rest/resources/ValidateResource.java      | 64 +++++++++++--------
 7 files changed, 75 insertions(+), 38 deletions(-)

diff --git a/README.md b/README.md
index 499efc65..bdd4bcff 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ To run the veraPDF rest image from DockerHub:
 docker run -d -p 8080:8080 -p 8081:8081 verapdf/rest:latest
 ```
 
-Port 8080 serves both the veraPDF web interface and the veraPDF Rest API. Port 8081 serves the DropWizard diagnostics. 
+Port 8080 serves both the veraPDF web interface and the veraPDF Rest API. Port 8081 serves the DropWizard diagnostics.
 
 Building and running locally
 --------------------
@@ -199,4 +199,11 @@ curl -F "url=file:///home/folder/pdf.pdf" localhost:8080/api/validate/url/1b
 ```
 
 ### Configuration files
-Configuration parameters are located in `/opt/verapdf-rest/config` folder of the container file system. The details on the veraPDF parameters are available at https://docs.verapdf.org/cli/config/. Specific verapdf-rest server configuration parameters are located in server.yml.
+Configuration parameters are located in `/opt/verapdf-rest/config` folder of the container file system. The details on the veraPDF parameters are available at https://docs.verapdf.org/cli/config/. 
+Specific verapdf-rest server configuration parameters are located in server.yml.
+
+To set the maximum file size of PDF, change maxFileSize in server.yml file or run docker image:
+```
+docker run -d -p 8080:8080 -p 8081:8081 -e VERAPDF_MAX_FILE_SIZE=1 verapdf/rest:latest
+```
+where VERAPDF_MAX_FILE_SIZE is 1 MB. The default maximum file size is 100 MB.
diff --git a/pom.xml b/pom.xml
index 7869ac74..eb8ebec3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -44,7 +44,7 @@
   <properties>
     <dropwizard.version>2.1.7</dropwizard.version>
     <fasterxml.version>2.10.0</fasterxml.version>
-    <verapdf.validation.version>[1.24.0,1.25.0)</verapdf.validation.version>
+    <verapdf.validation.version>[1.25.0,1.26.0-RC)</verapdf.validation.version>
   </properties>
 
   <build>
diff --git a/server.yml b/server.yml
index 02c21de4..026ce155 100644
--- a/server.yml
+++ b/server.yml
@@ -26,3 +26,4 @@ logging:
           immediateFlush: true
   appenders:
     - type: console
+maxFileSize: ${VERAPDF_MAX_FILE_SIZE:-100}
diff --git a/src/main/java/org/verapdf/rest/app/VeraPdfRestApplication.java b/src/main/java/org/verapdf/rest/app/VeraPdfRestApplication.java
index 95a68f1e..0964aa83 100644
--- a/src/main/java/org/verapdf/rest/app/VeraPdfRestApplication.java
+++ b/src/main/java/org/verapdf/rest/app/VeraPdfRestApplication.java
@@ -1,5 +1,5 @@
 /**
- * 
+ *
  */
 package org.verapdf.rest.app;
 
@@ -10,9 +10,12 @@
 
 import io.federecio.dropwizard.swagger.SwaggerBundle;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
+import io.dropwizard.configuration.EnvironmentVariableSubstitutor;
+import io.dropwizard.configuration.SubstitutingSourceProvider;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
 import org.verapdf.rest.resources.ApiResource;
 import org.verapdf.rest.resources.HomePageResource;
+import org.verapdf.rest.resources.ValidateResource;
 import org.verapdf.rest.resources.ValidationExceptionMapper;
 
 import io.dropwizard.Application;
@@ -33,7 +36,7 @@ public class VeraPdfRestApplication extends Application<VeraPdfRestConfiguration
     /**
      * Main method for Jetty server application. Simply calls the run method
      * with command line args.
-     * 
+     *
      * @param args
      *             command line arguments as string array.
      * @throws Exception
@@ -62,7 +65,10 @@ protected SwaggerBundleConfiguration getSwaggerBundleConfiguration(
                 return config;
             }
         });
-
+        bootstrap.setConfigurationSourceProvider(
+                new SubstitutingSourceProvider(bootstrap.getConfigurationSourceProvider(),
+                                               new EnvironmentVariableSubstitutor(false)
+                ));
         bootstrap.addBundle(new AssetsBundle("/assets/css", "/css", null, "css")); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
         bootstrap.addBundle(new AssetsBundle("/assets/js", "/js", null, "js")); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
         bootstrap.addBundle(new AssetsBundle("/assets/img", "/img", null, "img")); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
@@ -74,6 +80,9 @@ public void run(VeraPdfRestConfiguration configuration,
             Environment environment) {
         // Create & register our REST resources
         final ValidationExceptionMapper vem = new ValidationExceptionMapper();
+        ValidateResource validateResource = ValidateResource.getValidateResource();
+        validateResource.setMaxFileSize(configuration.getMaxFileSize());
+        environment.jersey().register(validateResource);
         environment.jersey().register(new ApiResource());
         environment.jersey().register(new HomePageResource());
         environment.jersey().register(vem);
diff --git a/src/main/java/org/verapdf/rest/app/VeraPdfRestConfiguration.java b/src/main/java/org/verapdf/rest/app/VeraPdfRestConfiguration.java
index ea85b07b..f419a744 100644
--- a/src/main/java/org/verapdf/rest/app/VeraPdfRestConfiguration.java
+++ b/src/main/java/org/verapdf/rest/app/VeraPdfRestConfiguration.java
@@ -16,6 +16,17 @@
  */
 public class VeraPdfRestConfiguration extends Configuration {
     private int port;
+    private int maxFileSize;
+
+    @JsonProperty
+    public int getMaxFileSize() {
+        return maxFileSize;
+    }
+
+    @JsonProperty
+    public void setMaxFileSize(int maxFileSize) {
+        this.maxFileSize = maxFileSize;
+    }
 
     /**
      * @return the TCP/IP port used
@@ -33,5 +44,4 @@ public int getPort() {
     public void setPort(int port) {
         this.port = port;
     }
-
 }
diff --git a/src/main/java/org/verapdf/rest/resources/ApiResource.java b/src/main/java/org/verapdf/rest/resources/ApiResource.java
index 191d0c3f..167872b4 100644
--- a/src/main/java/org/verapdf/rest/resources/ApiResource.java
+++ b/src/main/java/org/verapdf/rest/resources/ApiResource.java
@@ -36,9 +36,9 @@
 		description = "Rest API for veraPDF",
 		version = "V0.2.0",
 		license = @License(name = "Apache 2.0", url = "https://www.apache.org/licenses/LICENSE-2.0")),
-                   servers = {@Server(url = "https://demo.verapdf.org", description = "default"), 
-						   @Server(url = "https://dev.verapdf-rest.duallab.com", description = "dev"), 
-						   @Server(url = "http://localhost:8080", description = "local")}
+                   servers = {@Server(url = "https://demo.verapdf.org", description = "default"),
+                              @Server(url = "https://dev.verapdf-rest.duallab.com", description = "dev"),
+                              @Server(url = "http://localhost:8080", description = "local")}
 )
 
 public final class ApiResource {
@@ -92,7 +92,7 @@ public static ProfileResource getProfileResource() {
 	 */
 	@Path("/validate")
 	public static ValidateResource getValidateResource() {
-		return new ValidateResource();
+		return ValidateResource.getValidateResource();
 	}
 
 	/**
diff --git a/src/main/java/org/verapdf/rest/resources/ValidateResource.java b/src/main/java/org/verapdf/rest/resources/ValidateResource.java
index 6cf2c7ce..e6a8f2fe 100644
--- a/src/main/java/org/verapdf/rest/resources/ValidateResource.java
+++ b/src/main/java/org/verapdf/rest/resources/ValidateResource.java
@@ -11,14 +11,15 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import org.apache.commons.codec.binary.Hex;
-import org.apache.commons.io.IOUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 import org.glassfish.jersey.media.multipart.FormDataParam;
 import org.verapdf.ReleaseDetails;
 import org.verapdf.component.ComponentDetails;
 import org.verapdf.core.ModelParsingException;
 import org.verapdf.core.VeraPDFException;
+import org.verapdf.exceptions.VeraPDFParserException;
 import org.verapdf.gf.foundry.VeraGreenfieldFoundryProvider;
+import org.verapdf.io.SeekableInputStream;
 import org.verapdf.pdfa.Foundries;
 import org.verapdf.pdfa.PDFAParser;
 import org.verapdf.pdfa.PDFAValidator;
@@ -34,6 +35,7 @@
 import org.verapdf.processor.app.ConfigManagerImpl;
 import org.verapdf.processor.app.VeraAppConfig;
 import org.verapdf.processor.reports.BatchSummary;
+import org.verapdf.processor.reports.ItemDetails;
 import org.verapdf.processor.reports.Reports;
 import org.verapdf.processor.reports.ValidationReport;
 
@@ -48,8 +50,6 @@
 import java.security.DigestInputStream;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
-import java.util.List;
 
 /**
  * @author <a href="mailto:carl@openpreservation.org">Carl Wilson</a>
@@ -58,6 +58,15 @@ public class ValidateResource {
 	// java.security.digest name for the SHA-1 algorithm
 	private static final String SHA1_NAME = "SHA-1"; //$NON-NLS-1$
 	private static final String AUTODETECT_PROFILE = "auto";
+	private static int maxFileSize;
+	private static ValidateResource validateResource;
+
+	public static synchronized ValidateResource getValidateResource() {
+		if (validateResource == null) {
+			validateResource = new ValidateResource();
+		}
+		return validateResource;
+	}
 
 	private static ConfigManager configManager;
 
@@ -123,7 +132,7 @@ public static InputStream validateXml(@Parameter(description = "the String id of
 	                                      @Parameter(hidden = true) @FormDataParam("file") final FormDataContentDisposition contentDispositionHeader)
 			throws VeraPDFException {
 
-		return validate(uploadedInputStream, profileId, FormatOption.XML);
+		return validate(uploadedInputStream, contentDispositionHeader.getFileName(), profileId, FormatOption.XML);
 	}
 
 	@POST
@@ -147,7 +156,7 @@ public static InputStream validateXml(@Parameter(description = "the String id of
 	                                      @FormDataParam("url") String urlLink) throws VeraPDFException {
 		InputStream uploadedInputStream = getInputStreamByUrlLink(urlLink);
 
-		return validate(uploadedInputStream, profileId, FormatOption.XML);
+		return validate(uploadedInputStream, urlLink, profileId, FormatOption.XML);
 	}
 
 	/**
@@ -181,7 +190,7 @@ public static InputStream validateJson(@Parameter(description = "the String id o
 	                                       @Parameter(hidden = true) @FormDataParam("file") final FormDataContentDisposition contentDispositionHeader)
 			throws VeraPDFException {
 
-		return validate(uploadedInputStream, profileId, FormatOption.JSON);
+		return validate(uploadedInputStream, contentDispositionHeader.getFileName(), profileId, FormatOption.JSON);
 	}
 
 	@POST
@@ -195,7 +204,7 @@ public static InputStream validateJson(@Parameter(description = "the String id o
 	                                       @FormDataParam("url") String urlLink) throws VeraPDFException {
 		InputStream uploadedInputStream = getInputStreamByUrlLink(urlLink);
 
-		return validate(uploadedInputStream, profileId, FormatOption.JSON);
+		return validate(uploadedInputStream, urlLink, profileId, FormatOption.JSON);
 	}
 
 	/**
@@ -225,7 +234,7 @@ public static InputStream validateHtml(@PathParam("profileId") String profileId,
 	                                       @FormDataParam("file") InputStream uploadedInputStream,
 	                                       @Parameter(hidden = true) @FormDataParam("file") final FormDataContentDisposition contentDispositionHeader)
 			throws VeraPDFException {
-		return validate(uploadedInputStream, profileId, FormatOption.HTML);
+		return validate(uploadedInputStream, contentDispositionHeader.getFileName(), profileId, FormatOption.HTML);
 	}
 
 	@POST
@@ -239,7 +248,7 @@ public static InputStream validateHtml(@Parameter(description = "the String id o
 	                                       @FormDataParam("url") String urlLink) throws VeraPDFException {
 		InputStream uploadedInputStream = getInputStreamByUrlLink(urlLink);
 
-		return validate(uploadedInputStream, profileId, FormatOption.HTML);
+		return validate(uploadedInputStream, urlLink, profileId, FormatOption.HTML);
 	}
 
 	/**
@@ -280,29 +289,27 @@ public static ValidationReport validatePut(@Parameter(description = "the String
 
 	}
 
-	private static InputStream validate(InputStream uploadedInputStream, String profileId, FormatOption formatOption) throws VeraPDFException {
-		File file;
+	public static void setMaxFileSize(Integer maxFileSize) {
+		ValidateResource.maxFileSize = maxFileSize;
+	}
+
+	private static InputStream validate(InputStream uploadedInputStream, String fileName, String profileId, FormatOption formatOption) throws VeraPDFException {
+		SeekableInputStream seekableInputStream;
 		try {
-			file = File.createTempFile("cache", "");
-		} catch (IOException exception) {
-			throw new VeraPDFException("IOException creating a temp file", exception); //$NON-NLS-1$
-		}
-		try (OutputStream fos = new FileOutputStream(file);) {
-			IOUtils.copy(uploadedInputStream, fos);
-			uploadedInputStream.close();
-		} catch (IOException excep) {
-			throw new VeraPDFException("IOException creating a temp file", excep); //$NON-NLS-1$
+			seekableInputStream = SeekableInputStream.getSeekableStream(uploadedInputStream, 1000000 * maxFileSize);
+		} catch (VeraPDFParserException e) {
+			throw new VeraPDFException("Maximum allowed file size exceeded: " + maxFileSize + " MB");
+		} catch (IOException e) {
+			throw new VeraPDFException(e.getMessage());
 		}
-
 		PDFAFlavour flavour = PDFAFlavour.byFlavourId(profileId);
 		ValidatorConfig validatorConfig = configManager.getValidatorConfig();
 		validatorConfig.setFlavour(flavour);
 		ProcessorConfig config = createProcessorConfig(validatorConfig);
-
 		byte[] outputBytes;
 		try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
 			VeraAppConfig appConfig = configManager.getApplicationConfig();
-			processFile(file, config, outputStream, appConfig, formatOption);
+			processStream(seekableInputStream, fileName, config, outputStream, appConfig, formatOption);
 			outputBytes = outputStream.toByteArray();
 		} catch (IOException excep) {
 			throw new VeraPDFException("Some Java Exception while validating", excep); //$NON-NLS-1$
@@ -370,15 +377,18 @@ private static InputStream getInputStreamByUrlLink(String urlLink) throws VeraPD
 		}
 	}
 
-	private static BatchSummary processFile(File file, ProcessorConfig config, OutputStream stream,
-	                                        VeraAppConfig appConfig, FormatOption formatOption)
+	private static BatchSummary processStream(SeekableInputStream inputStream, String fileName, ProcessorConfig config, OutputStream stream,
+	                                          VeraAppConfig appConfig, FormatOption formatOption)
 			throws VeraPDFException, IOException {
-		List<File> files = Arrays.asList(file);
 		BatchSummary summary;
 		try (BatchProcessor processor = ProcessorFactory.fileBatchProcessor(config)) {
-			summary = processor.process(files,
+			summary = processor.process(ItemDetails.fromValues(fileName, inputStream.getStreamLength()), inputStream,
 			                            ProcessorFactory.getHandler(formatOption, appConfig.isVerbose(), stream,
 			                                                        config.getValidatorConfig().isRecordPasses(), appConfig.getWikiPath()));
+		} finally {
+			if (inputStream != null) {
+				inputStream.close();
+			}
 		}
 		return summary;
 	}