请求文件弹窗XSS注入
解决方法
<dependency>
<groupId>org.apache.pdfbox</groupId>
<artifactId>pdfbox</artifactId>
<version>3.0.3</version>
</dependency>
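// Reject PDFs that carry JavaScript before the upload is stored: a script
// embedded in the file runs in the viewer that later opens it (the popup/XSS
// vector this page describes). The document is opened in try-with-resources
// because PDDocument is Closeable and the original never closed it, leaking
// the parsed document (and any scratch resources) on every request.
try (PDDocument pdDocument = Loader.loadPDF(file.getBytes())) {
    if (containsJavaScript(pdDocument)) {
        return ReturnUtils.Error("禁止上传含有JS脚本的PDF文件", null, null);
    }
} catch (Exception e) {
    // Fail closed: a file that cannot be parsed as a PDF is rejected rather
    // than accepted without a scan. The cause is kept in the log entry.
    log.error("e:", e);
    return ReturnUtils.Error("PDF检测文件脚本失败", null, null);
}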
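/**
 * Heuristically reports whether {@code document} carries embedded JavaScript.
 *
 * <p>The check is string-based: it looks for the {@code COSName{JS}} and
 * {@code COSName{JavaScript}} renderings in the {@code toString()} output of
 * the trailer dictionary and of each page dictionary. NOTE(review): a COS
 * dictionary's {@code toString()} shows its direct entries; values held behind
 * indirect object references (for example a /Names → /JavaScript name tree, an
 * /OpenAction action dictionary or per-annotation /AA actions) may not be
 * expanded, so scripts stored that way can be missed. Treat this as a
 * first-line filter rather than a guarantee; a stronger check would walk the
 * catalog's name tree and action dictionaries through the PDFBox object model.
 *
 * @param document the parsed PDF; it is not closed by this method
 * @return {@code true} if a JS marker is found in the trailer or on any page
 */
private static boolean containsJavaScript(PDDocument document) {
    // Render the trailer once instead of twice as the original did.
    String trailer = document.getDocument().getTrailer().toString();
    if (hasJavaScriptMarker(trailer)) {
        return true;
    }
    PDPageTree pages = document.getPages();
    // anyMatch: a single scripted page is enough to reject the upload. The
    // original used allMatch, which only fired when *every* page carried a
    // marker — a PDF with JavaScript on one page out of several passed the
    // filter — and returned true for a zero-page document.
    return IntStream.range(0, pages.getCount())
        .anyMatch(i -> hasJavaScriptMarker(pages.get(i).getCOSObject().toString()));
}

/**
 * Returns {@code true} if the COS text rendering mentions a JS or JavaScript
 * name object.
 */
private static boolean hasJavaScriptMarker(String cosText) {
    return cosText.contains("COSName{JavaScript}") || cosText.contains("COSName{JS}");
}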
From: https://www.cnblogs.com/Smile-yun-1996/p/18382793