Bump xstream from 1.4.18 to 1.4.19 in /server

Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.18 to 1.4.19.
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

---
updated-dependencies:
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

server/pom.xml

@@ -160,7 +160,7 @@
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
-            <version>1.4.18</version>
+            <version>1.4.19</version>
         </dependency>
         <dependency>
             <groupId>com.googlecode.concurrentlinkedhashmap</groupId>

server/src/main/java/cn/keking/config/WebConfig.java

@@ -1,17 +1,11 @@
 package cn.keking.config;
 
-import cn.keking.web.filter.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
-import java.util.HashSet;
-import java.util.Set;
-
 /**
  * @author: chenjh
  * @since: 2019/4/16 20:04
@@ -29,63 +23,4 @@ public class WebConfig implements WebMvcConfigurer {
         LOGGER.info("Add resource locations: {}", filePath);
         registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/","classpath:/resources/","classpath:/static/","classpath:/public/","file:" + filePath);
     }
-
-    @Bean
-    public FilterRegistrationBean<ChinesePathFilter> getChinesePathFilter() {
-        ChinesePathFilter filter = new ChinesePathFilter();
-        FilterRegistrationBean<ChinesePathFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(filter);
-        return registrationBean;
-    }
-
-    @Bean
-    public FilterRegistrationBean<TrustHostFilter> getTrustHostFilter() {
-        Set<String> filterUri = new HashSet<>();
-        filterUri.add("/onlinePreview");
-        filterUri.add("/picturesPreview");
-        TrustHostFilter filter = new TrustHostFilter();
-        FilterRegistrationBean<TrustHostFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(filter);
-        registrationBean.setUrlPatterns(filterUri);
-        return registrationBean;
-    }
-
-    @Bean
-    public FilterRegistrationBean<TrustDirFilter> getTrustDirFilter() {
-        Set<String> filterUri = new HashSet<>();
-        filterUri.add("/onlinePreview");
-        filterUri.add("/picturesPreview");
-        filterUri.add("/getCorsFile");
-        TrustDirFilter filter = new TrustDirFilter();
-        FilterRegistrationBean<TrustDirFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(filter);
-        registrationBean.setUrlPatterns(filterUri);
-        return registrationBean;
-    }
-
-    @Bean
-    public FilterRegistrationBean<BaseUrlFilter> getBaseUrlFilter() {
-        Set<String> filterUri = new HashSet<>();
-        filterUri.add("/index");
-        filterUri.add("/onlinePreview");
-        filterUri.add("/picturesPreview");
-        BaseUrlFilter filter = new BaseUrlFilter();
-        FilterRegistrationBean<BaseUrlFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(filter);
-        registrationBean.setUrlPatterns(filterUri);
-        return registrationBean;
-    }
-
-    @Bean
-    public FilterRegistrationBean<AttributeSetFilter> getWatermarkConfigFilter() {
-        Set<String> filterUri = new HashSet<>();
-        filterUri.add("/index");
-        filterUri.add("/onlinePreview");
-        filterUri.add("/picturesPreview");
-        AttributeSetFilter filter = new AttributeSetFilter();
-        FilterRegistrationBean<AttributeSetFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(filter);
-        registrationBean.setUrlPatterns(filterUri);
-        return registrationBean;
-    }
 }

server/src/main/java/cn/keking/utils/WebUtils.java

@@ -1,15 +1,11 @@
 package cn.keking.utils;
 
 import io.mola.galimatias.GalimatiasParseException;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.util.Base64Utils;
 
-import javax.servlet.ServletRequest;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -21,7 +17,6 @@ public class WebUtils {
 
     /**
      * 获取标准的URL
-     *
      * @param urlStr url
      * @return 标准的URL
      */
@@ -120,22 +115,10 @@ public class WebUtils {
      * @return 文件名编码后的url
      */
     public static String encodeUrlFileName(String url) {
-        String encodedFileName;
-        String fullFileName = WebUtils.getUrlParameterReg(url, "fullfilename");
-        if (fullFileName != null && fullFileName.length() > 0) {
-            try {
-                encodedFileName = URLEncoder.encode(fullFileName, "UTF-8");
-            } catch (UnsupportedEncodingException e) {
-                return null;
-            }
-            String noQueryUrl = url.substring(0, url.indexOf("?"));
-            String parameterStr = url.substring(url.indexOf("?"));
-            parameterStr = parameterStr.replaceFirst(fullFileName, encodedFileName);
-            return noQueryUrl + parameterStr;
-        }
         String noQueryUrl = url.substring(0, url.contains("?") ? url.indexOf("?") : url.length());
         int fileNameStartIndex = noQueryUrl.lastIndexOf('/') + 1;
         int fileNameEndIndex = noQueryUrl.lastIndexOf('.');
+        String encodedFileName;
         try {
             encodedFileName = URLEncoder.encode(noQueryUrl.substring(fileNameStartIndex, fileNameEndIndex), "UTF-8");
         } catch (UnsupportedEncodingException e) {
@@ -143,46 +126,4 @@ public class WebUtils {
         }
         return url.substring(0, fileNameStartIndex) + encodedFileName + url.substring(fileNameEndIndex);
     }
-
-    /**
-     * 从 ServletRequest 获取预览的源 url , 已 base64 解码
-     *
-     * @param request 请求 request
-     * @return url
-     */
-    public static String getSourceUrl(ServletRequest request) {
-        String url = request.getParameter("url");
-        String urls = request.getParameter("urls");
-        String currentUrl = request.getParameter("currentUrl");
-        String urlPath = request.getParameter("urlPath");
-        if (StringUtils.isNotBlank(url)) {
-            return new String(Base64Utils.decodeFromString(url), StandardCharsets.UTF_8);
-        }
-        if (StringUtils.isNotBlank(currentUrl)) {
-            return new String(Base64Utils.decodeFromString(currentUrl), StandardCharsets.UTF_8);
-        }
-        if (StringUtils.isNotBlank(urlPath)) {
-            return new String(Base64Utils.decodeFromString(urlPath), StandardCharsets.UTF_8);
-        }
-        if (StringUtils.isNotBlank(urls)) {
-            urls = new String(Base64Utils.decodeFromString(urls), StandardCharsets.UTF_8);
-            String[] images = urls.split("\\|");
-            return images[0];
-        }
-        return null;
-    }
-
-    /**
-     * 获取 url 的 host
-     * @param urlStr url
-     * @return host
-     */
-    public static String getHost(String urlStr) {
-        try {
-            URL url = new URL(urlStr);
-            return url.getHost().toLowerCase();
-        } catch (MalformedURLException ignored) {
-        }
-        return null;
-    }
 }

server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java

@@ -1,16 +1,19 @@
 package cn.keking.web.controller;
 
+import cn.keking.config.ConfigConstants;
 import cn.keking.model.FileAttribute;
-import cn.keking.service.FileHandlerService;
 import cn.keking.service.FilePreview;
 import cn.keking.service.FilePreviewFactory;
+
 import cn.keking.service.cache.CacheService;
 import cn.keking.service.impl.OtherFilePreviewImpl;
+import cn.keking.service.FileHandlerService;
 import cn.keking.utils.WebUtils;
 import fr.opensagres.xdocreport.core.io.IOUtils;
 import io.mola.galimatias.GalimatiasParseException;
 import jodd.io.NetUtil;
 import org.apache.commons.codec.binary.Base64;
+import org.artofsolving.jodconverter.util.PlatformUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
@@ -22,12 +25,13 @@ import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import java.io.*;
-import java.io.UnsupportedEncodingException;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 
 import static cn.keking.service.FilePreview.PICTURE_FILE_PREVIEW_PAGE;
 
@@ -61,6 +65,9 @@ public class OnlinePreviewController {
             String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
             return otherFilePreview.notSupportedFile(model, errorMsg);
         }
+        if (!allowPreview(fileUrl)) {
+            return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + fileUrl);
+        }
         FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
         model.addAttribute("file", fileAttribute);
         FilePreview filePreview = previewFactory.get(fileAttribute);
@@ -86,8 +93,14 @@ public class OnlinePreviewController {
         String currentUrl = req.getParameter("currentUrl");
         if (StringUtils.hasText(currentUrl)) {
             String decodedCurrentUrl = new String(Base64.decodeBase64(currentUrl));
+            if (!allowPreview(decodedCurrentUrl)) {
+                return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + decodedCurrentUrl);
+            }
             model.addAttribute("currentUrl", decodedCurrentUrl);
         } else {
+            if (!allowPreview(imgUrls.get(0))) {
+                return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + imgUrls.get(0));
+            }
             model.addAttribute("currentUrl", imgUrls.get(0));
         }
         return PICTURE_FILE_PREVIEW_PAGE;
@@ -105,6 +118,12 @@ public class OnlinePreviewController {
         logger.info("下载跨域pdf文件url：{}", urlPath);
         try {
             URL url = WebUtils.normalizedURL(urlPath);
+            if (!allowPreview(urlPath)) {
+                response.setHeader("content-type", "text/html;charset=utf-8");
+                response.getOutputStream().println("forbidden");
+                response.setStatus(401);
+                return;
+            }
             byte[] bytes = NetUtil.downloadBytes(url.toString());
             IOUtils.write(bytes, response.getOutputStream());
         } catch (IOException | GalimatiasParseException e) {
@@ -125,6 +144,24 @@ public class OnlinePreviewController {
         return "success";
     }
 
-
+    private boolean allowPreview(String urlPath) {
+        try {
+            URL url = WebUtils.normalizedURL(urlPath);
+            if ("file".equals(url.getProtocol().toLowerCase(Locale.ROOT))) {
+                String filePath = URLDecoder.decode(url.getPath(), StandardCharsets.UTF_8.name());
+                if (PlatformUtils.isWindows()) {
+                    filePath = filePath.replaceAll("/", "\\\\");
+                }
+                filePath = filePath.substring(1);
+                if (!filePath.startsWith(ConfigConstants.getFileDir()) && !filePath.startsWith(ConfigConstants.getLocalPreviewDir())) {
+                    return false;
+                }
+            }
+            return true;
+        } catch (IOException | GalimatiasParseException e) {
+            logger.error("解析URL异常，url：{}", urlPath, e);
+            return false;
+        }
+    }
 
 }

server/src/main/java/cn/keking/web/filter/FilterConfiguration.java

@@ -0,0 +1,65 @@
+package cn.keking.web.filter;
+
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.HashSet;
+import java.util.Set;
+
+
+/**
+ *
+ * @author yudian-it
+ * @date 2017/11/30
+ */
+@Configuration
+public class FilterConfiguration {
+
+
+    @Bean
+    public FilterRegistrationBean getChinesePathFilter() {
+        ChinesePathFilter filter = new ChinesePathFilter();
+        FilterRegistrationBean registrationBean = new FilterRegistrationBean();
+        registrationBean.setFilter(filter);
+        return registrationBean;
+    }
+
+    @Bean
+    public FilterRegistrationBean getTrustHostFilter() {
+        Set<String> filterUri = new HashSet<>();
+        filterUri.add("/onlinePreview");
+        filterUri.add("/picturesPreview");
+        TrustHostFilter filter = new TrustHostFilter();
+        FilterRegistrationBean registrationBean = new FilterRegistrationBean();
+        registrationBean.setFilter(filter);
+        registrationBean.setUrlPatterns(filterUri);
+        return registrationBean;
+    }
+
+    @Bean
+    public FilterRegistrationBean getBaseUrlFilter() {
+        Set<String> filterUri = new HashSet<>();
+        filterUri.add("/index");
+        filterUri.add("/onlinePreview");
+        filterUri.add("/picturesPreview");
+        BaseUrlFilter filter = new BaseUrlFilter();
+        FilterRegistrationBean registrationBean = new FilterRegistrationBean();
+        registrationBean.setFilter(filter);
+        registrationBean.setUrlPatterns(filterUri);
+        return registrationBean;
+    }
+
+    @Bean
+    public FilterRegistrationBean getWatermarkConfigFilter() {
+        Set<String> filterUri = new HashSet<>();
+        filterUri.add("/index");
+        filterUri.add("/onlinePreview");
+        filterUri.add("/picturesPreview");
+        AttributeSetFilter filter = new AttributeSetFilter();
+        FilterRegistrationBean registrationBean = new FilterRegistrationBean();
+        registrationBean.setFilter(filter);
+        registrationBean.setUrlPatterns(filterUri);
+        return registrationBean;
+    }
+}

server/src/main/java/cn/keking/web/filter/TrustDirFilter.java

@@ -1,73 +0,0 @@
-package cn.keking.web.filter;
-
-import cn.keking.config.ConfigConstants;
-import cn.keking.utils.WebUtils;
-import io.mola.galimatias.GalimatiasParseException;
-import org.artofsolving.jodconverter.util.PlatformUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.util.FileCopyUtils;
-
-import javax.servlet.*;
-import java.io.IOException;
-import java.net.URL;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.util.Locale;
-
-/**
- * @author : kl (http://kailing.pub)
- * @since : 2022-05-25 17:45
- */
-public class TrustDirFilter implements Filter {
-
-    private String notTrustDirView;
-    private final Logger logger = LoggerFactory.getLogger(TrustDirFilter.class);
-
-
-    @Override
-    public void init(FilterConfig filterConfig) {
-        ClassPathResource classPathResource = new ClassPathResource("web/notTrustDir.html");
-        try {
-            classPathResource.getInputStream();
-            byte[] bytes = FileCopyUtils.copyToByteArray(classPathResource.getInputStream());
-            this.notTrustDirView = new String(bytes, StandardCharsets.UTF_8);
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-    }
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        String url = WebUtils.getSourceUrl(request);
-        if (!allowPreview(url)) {
-            response.getWriter().write(this.notTrustDirView);
-            response.getWriter().close();
-        } else {
-            chain.doFilter(request, response);
-        }
-    }
-
-    @Override
-    public void destroy() {
-
-    }
-
-    private boolean allowPreview(String urlPath) {
-        try {
-            URL url = WebUtils.normalizedURL(urlPath);
-            if ("file".equals(url.getProtocol().toLowerCase(Locale.ROOT))) {
-                String filePath = URLDecoder.decode(url.getPath(), StandardCharsets.UTF_8.name());
-                if (PlatformUtils.isWindows()) {
-                    filePath = filePath.replaceAll("/", "\\\\");
-                }
-                return filePath.startsWith(ConfigConstants.getFileDir()) || filePath.startsWith(ConfigConstants.getLocalPreviewDir());
-            }
-            return true;
-        } catch (IOException | GalimatiasParseException e) {
-            logger.error("解析URL异常，url：{}", urlPath, e);
-            return false;
-        }
-    }
-}

server/src/main/java/cn/keking/web/filter/TrustHostFilter.java

@@ -1,7 +1,6 @@
 package cn.keking.web.filter;
 
 import cn.keking.config.ConfigConstants;
-import cn.keking.utils.WebUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.Base64Utils;
@@ -35,8 +34,11 @@ public class TrustHostFilter implements Filter {
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        String url = WebUtils.getSourceUrl(request);
+        String url = getSourceUrl(request);
-        String host = WebUtils.getHost(url);
+        if(url != null){
+            url = new String(Base64Utils.decodeFromString(url), StandardCharsets.UTF_8);
+        }
+        String host = getHost(url);
         if (host != null &&!ConfigConstants.getTrustHostSet().isEmpty() && !ConfigConstants.getTrustHostSet().contains(host)) {
             String html = this.notTrustHost.replace("${current_host}", host);
             response.getWriter().write(html);
@@ -50,4 +52,28 @@ public class TrustHostFilter implements Filter {
 
     }
 
+    private String getSourceUrl(ServletRequest request) {
+        String url = request.getParameter("url");
+        String currentUrl = request.getParameter("currentUrl");
+        String urlPath = request.getParameter("urlPath");
+        if (StringUtils.isNotBlank(url)) {
+            return url;
+        }
+        if (StringUtils.isNotBlank(currentUrl)) {
+            return currentUrl;
+        }
+        if (StringUtils.isNotBlank(urlPath)) {
+            return urlPath;
+        }
+        return null;
+    }
+
+    private String getHost(String urlStr) {
+        try {
+            URL url = new URL(urlStr);
+            return url.getHost().toLowerCase();
+        } catch (MalformedURLException ignored) {
+        }
+        return null;
+    }
 }

server/src/main/resources/static/pptx/ppt.js

@@ -154,7 +154,6 @@ function resetContent() {
 	var thumbnailWidth = $('.thumbnail:first').width();
 	var thumbnailHeight = thumbnailWidth * ratio;
 	$('.thumbnail').height(thumbnailHeight);
-	$('.thumbnail>img').width(thumbnailWidth).height(thumbnailHeight);
 
 	var slideImgContainerWidth = $('.slide-img-container:first').width();
 	var slideImgContainerHeight = slideImgContainerWidth * ratio;

server/src/main/resources/web/notTrustDir.html

@@ -1,41 +0,0 @@
-<!DOCTYPE html>
-
-<html lang="en">
-<head>
-    <meta charset="utf-8" />
-    <style type="text/css">
-        body {
-            margin: 0 auto;
-            width: 900px;
-            background-color: #CCB;
-        }
-        .container {
-            width: 700px;
-            height: 700px;
-            margin: 0 auto;
-        }
-        img {
-            width: auto;
-            height: auto;
-            max-width: 100%;
-            max-height: 100%;
-            padding-bottom: 36px;
-        }
-        p {
-            display: block;
-            font-size: 20px;
-            color: blue;
-        }
-    </style>
-</head>
-<body>
-<div class="container">
-    <img src="images/sorry.jpg" />
-    <p>
-        预览源文件来自未授信的目录 ,请停止访问 <br>
-        有任何疑问，请加&nbsp;<a href="https://jq.qq.com/?_wv=1027&k=5c0UAtu">官方QQ群：613025121</a>&nbsp;咨询
-    </p>
-</div>
-</body>
-
-</html>

server/src/main/resources/web/ppt.ftl

@@ -2,7 +2,7 @@
 {
 	"code": 1,
 	"name": "PPT预览",
-	"totalSize": ${imgurls?size},
+	"totalSize": 0,
 	"curPage": 1,
 	"totalPage": 1,
 	"pageSize": 10,

server/src/test/java/cn/keking/utils/WebUtilsTests.java

@@ -21,12 +21,4 @@ public class WebUtilsTests {
         String out = "https://file.keking.cn/demo/%23hello%26world.txt?param0=0&param1=1";
         assert WebUtils.encodeUrlFileName(in).equals(out);
     }
-
-    @Test
-    void encodeUrlFullFileNameTestWithParams() {
-        // 测试对URL中使用fullfilename参数的文件名部分进行UTF-8编码
-        String in = "https://file.keking.cn/demo/download?param0=0&fullfilename=hello#0.txt";
-        String out = "https://file.keking.cn/demo/download?param0=0&fullfilename=hello%230.txt";
-        assert WebUtils.encodeUrlFileName(in).equals(out);
-    }
 }