plantuml-server/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java

/* ========================================================================
 * PlantUML : a free UML diagram generator
 * ========================================================================
 *
 * Project Info:  https://plantuml.com
 *
 * This file is part of PlantUML.
 *
 * PlantUML is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * PlantUML distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
 * License for more details.
 *
 * You should have received a copy of the GNU General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
 * USA.
 */
package net.sourceforge.plantuml.servlet;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.Certificate;
import java.util.List;

import javax.imageio.IIOException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import net.sourceforge.plantuml.BlockUml;
import net.sourceforge.plantuml.FileFormat;
import net.sourceforge.plantuml.OptionFlags;
import net.sourceforge.plantuml.SourceStringReader;
import net.sourceforge.plantuml.core.Diagram;
import net.sourceforge.plantuml.core.UmlSource;

/**
 * Proxy servlet of the webapp.
 * This servlet retrieves the diagram source of a web resource (web html page)
 * and renders it.
 */
@SuppressWarnings("SERIAL")
public class ProxyServlet extends HttpServlet {

    static {
        OptionFlags.ALLOW_INCLUDE = false;
        if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {
            OptionFlags.ALLOW_INCLUDE = true;
        }
    }

    public static boolean forbiddenURL(String full) {
        if (full == null) {
            return true;
        }
        if (full.startsWith("https://") == false && full.startsWith("http://") == false) {
            return true;
        }
        if (full.matches("^https?://[-#.0-9:\\[\\]+]+/.*")) {
            return true;
        }
        if (full.matches("^https?://[^.]+/.*")) {
            return true;
        }
        if (full.matches("^https?://[^.]+$")) {
            return true;
        }
        return false;
    }


    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

        final String fmt = request.getParameter("fmt");
        final String source = request.getParameter("src");
        final String index = request.getParameter("idx");
        if (forbiddenURL(source)) {
            response.setStatus(400);
            return;
        }

        final URL srcUrl;
        // Check if the src URL is valid
        try {
            srcUrl = new URL(source);
        } catch (MalformedURLException mue) {
            mue.printStackTrace();
            response.setStatus(400);
            return;
        }

        // generate the response
        String diagmarkup = getSource(srcUrl);
        SourceStringReader reader = new SourceStringReader(diagmarkup);
        int n = index == null ? 0 : Integer.parseInt(index);
        List<BlockUml> blocks = reader.getBlocks();
        BlockUml block = blocks.get(n);
        Diagram diagram = block.getDiagram();
        UmlSource umlSrc = diagram.getSource();
        String uml = umlSrc.getPlainString();
        //System.out.println("uml=" + uml);

        // generate the response
        DiagramResponse dr = new DiagramResponse(response, getOutputFormat(fmt), request);
        try {
            // special handling for the MAP since it's not using "#sendDiagram()" like the other types
            if ("map".equals(fmt)) {
                dr.sendMap(uml, 0);
            } else {
                dr.sendDiagram(uml, 0);
            }
        } catch (IIOException e) {
            // Browser has closed the connection, so the HTTP OutputStream is closed
            // Silently catch the exception to avoid annoying log
        }
        dr = null;
    }

    /**
     * Get textual uml diagram source from URL.
     *
     * @param url source URL
     *
     * @return textual uml diagram source
     *
     * @throws IOException if an input or output exception occurred
     */
    private String getSource(final URL url) throws IOException {
        String line;
        BufferedReader rd;
        StringBuilder sb;
        try {
            HttpURLConnection con = getConnection(url);
            rd = new BufferedReader(new InputStreamReader(con.getInputStream()));
            sb = new StringBuilder();

            while ((line = rd.readLine()) != null) {
                sb.append(line + '\n');
            }
            rd.close();
            return sb.toString();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            rd = null;
        }
        return "";
    }

    /**
     * Get {@link FileFormat} instance from string.
     *
     * @param format file format name
     *
     * @return corresponding file format instance,
     *         if {@code format} is null or unknown the default {@link FileFormat#PNG} will be returned
     */
    private FileFormat getOutputFormat(String format) {
        if (format == null) {
            return FileFormat.PNG;
        }
        if (format.equals("svg")) {
            return FileFormat.SVG;
        }
        if (format.equals("eps")) {
            return FileFormat.EPS;
        }
        if (format.equals("epstext")) {
            return FileFormat.EPS_TEXT;
        }
        if (format.equals("txt")) {
            return FileFormat.UTXT;
        }
        if (format.equals("map")) {
            return FileFormat.UTXT;
        }

        return FileFormat.PNG;
    }

    /**
     * Get open http connection from URL.
     *
     * @param url URL to open connection
     *
     * @return open http connection
     *
     * @throws IOException if an input or output exception occurred
     */
    private HttpURLConnection getConnection(final URL url) throws IOException {
        final HttpURLConnection con = (HttpURLConnection) url.openConnection();
        //if (con instanceof HttpsURLConnection) {
        //    printHttpsCert((HttpsURLConnection) con);
        //}
        con.setRequestMethod("GET");
        String token = System.getenv("HTTP_AUTHORIZATION");
        if (token != null) {
            con.setRequestProperty("Authorization", token);
        }
        con.setReadTimeout(10000); // 10 seconds
        con.connect();
        return con;
    }

    /**
     * Debug method used to dump the certificate info.
     *
     * @param con the https connection
     */
    @SuppressWarnings("unused")
    private void printHttpsCert(final HttpsURLConnection con) {
        if (con != null) {
            try {
                System.out.println("Response Code : " + con.getResponseCode());
                System.out.println("Cipher Suite : " + con.getCipherSuite());
                System.out.println("\n");

                Certificate[] certs = con.getServerCertificates();
                for (Certificate cert : certs) {
                    System.out.println("Cert Type : " + cert.getType());
                    System.out.println("Cert Hash Code : " + cert.hashCode());
                    System.out.println("Cert Public Key Algorithm : " + cert.getPublicKey().getAlgorithm());
                    System.out.println("Cert Public Key Format : " + cert.getPublicKey().getFormat());
                    System.out.println("\n");
                }

            } catch (SSLPeerUnverifiedException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`/* ========================================================================`
			`* PlantUML : a free UML diagram generator`
			`* ========================================================================`
			`*`
update and fix checkstyle and javadoc plugins 2021-10-11 14:40:15 +00:00			`* Project Info: https://plantuml.com`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`*`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`* This file is part of PlantUML.`
			`*`
			`* PlantUML is free software; you can redistribute it and/or modify it`
			`* under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* PlantUML distributed in the hope that it will be useful, but`
			`* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY`
			`* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public`
			`* License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public`
			`* License along with this library; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,`
			`* USA.`
			`*/`
			`package net.sourceforge.plantuml.servlet;`

[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`import java.io.BufferedReader;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`import java.io.IOException;`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`import java.io.InputStreamReader;`
			`import java.net.HttpURLConnection;`
			`import java.net.MalformedURLException;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`import java.net.URL;`
update jetty and tomcat to latest version 2021-10-15 13:11:55 +00:00			`import java.security.cert.Certificate;`
			`import java.util.List;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00
update jetty and tomcat to latest version 2021-10-15 13:11:55 +00:00			`import javax.imageio.IIOException;`
			`import javax.net.ssl.HttpsURLConnection;`
			`import javax.net.ssl.SSLPeerUnverifiedException;`

			`import jakarta.servlet.ServletException;`
			`import jakarta.servlet.http.HttpServlet;`
			`import jakarta.servlet.http.HttpServletRequest;`
			`import jakarta.servlet.http.HttpServletResponse;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`import net.sourceforge.plantuml.BlockUml;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`import net.sourceforge.plantuml.FileFormat;`
Fix security #122 2019-09-26 17:13:07 +00:00			`import net.sourceforge.plantuml.OptionFlags;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`import net.sourceforge.plantuml.SourceStringReader;`
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`import net.sourceforge.plantuml.core.Diagram;`
			`import net.sourceforge.plantuml.core.UmlSource;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00
update and fix checkstyle and javadoc plugins 2021-10-11 14:40:15 +00:00			`/**`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`* Proxy servlet of the webapp.`
			`* This servlet retrieves the diagram source of a web resource (web html page)`
			`* and renders it.`
			`*/`
update and fix checkstyle and javadoc plugins 2021-10-11 14:40:15 +00:00			`@SuppressWarnings("SERIAL")`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`public class ProxyServlet extends HttpServlet {`

Fix security #122 2019-09-26 17:08:48 +00:00			`static {`
			`OptionFlags.ALLOW_INCLUDE = false;`
			`if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {`
			`OptionFlags.ALLOW_INCLUDE = true;`
			`}`
			`}`

Improve proxy management 2022-12-06 17:42:54 +00:00			`public static boolean forbiddenURL(String full) {`
Improve tests 2022-12-06 17:52:30 +00:00			`if (full == null) {`
			`return true;`
			`}`
Improve proxy management 2022-12-06 17:42:54 +00:00			`if (full.startsWith("https://") == false && full.startsWith("http://") == false) {`
			`return true;`
			`}`
			`if (full.matches("^https?://[-#.0-9:\\[\\]+]+/.*")) {`
			`return true;`
			`}`
			`if (full.matches("^https?://[^.]+/.*")) {`
			`return true;`
			`}`
			`if (full.matches("^https?://[^.]+$")) {`
			`return true;`
			`}`
			`return false;`
			`}`


Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`@Override`
[TASK] Full coding style clean up 2013-07-10 15:07:24 +00:00			`public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00
Parameter 'format' changed to 'fmt' and System.out deletion 2015-12-10 15:43:56 +00:00			`final String fmt = request.getParameter("fmt");`
[FEATURE] Proxy redesign, first step 2013-11-25 21:35:58 +00:00			`final String source = request.getParameter("src");`
			`final String index = request.getParameter("idx");`
Improve proxy management 2022-12-06 17:42:54 +00:00			`if (forbiddenURL(source)) {`
			`response.setStatus(400);`
			`return;`
			`}`

[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`final URL srcUrl;`
			`// Check if the src URL is valid`
			`try {`
			`srcUrl = new URL(source);`
			`} catch (MalformedURLException mue) {`
			`mue.printStackTrace();`
update junit test classes and there dependencies 2021-10-11 10:38:37 +00:00			`response.setStatus(400);`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`return;`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`}`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00
[FEATURE] Proxy redesign, first step 2013-11-25 21:35:58 +00:00			`// generate the response`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`String diagmarkup = getSource(srcUrl);`
			`SourceStringReader reader = new SourceStringReader(diagmarkup);`
[FEATURE] Proxy redesign, first step 2013-11-25 21:35:58 +00:00			`int n = index == null ? 0 : Integer.parseInt(index);`
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`List<BlockUml> blocks = reader.getBlocks();`
			`BlockUml block = blocks.get(n);`
			`Diagram diagram = block.getDiagram();`
			`UmlSource umlSrc = diagram.getSource();`
			`String uml = umlSrc.getPlainString();`
Parameter 'format' changed to 'fmt' and System.out deletion 2015-12-10 15:43:56 +00:00			`//System.out.println("uml=" + uml);`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`// generate the response`
version 2017.09 2017-04-05 19:57:35 +00:00			`DiagramResponse dr = new DiagramResponse(response, getOutputFormat(fmt), request);`
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`try {`
The ProxyServlet should handle maps too. 2022-06-29 20:32:51 +00:00			`// special handling for the MAP since it's not using "#sendDiagram()" like the other types`
			`if ("map".equals(fmt)) {`
			`dr.sendMap(uml, 0);`
			`} else {`
			`dr.sendDiagram(uml, 0);`
			`}`
update and fix checkstyle and javadoc plugins 2021-10-11 14:40:15 +00:00			`} catch (IIOException e) {`
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`// Browser has closed the connection, so the HTTP OutputStream is closed`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`// Silently catch the exception to avoid annoying log`
[FEATURE] Proxy returns the correct Content-type 2013-12-02 11:45:11 +00:00			`}`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`dr = null;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`}`

update + restructure pom and add missing javadoc 2021-10-12 15:51:35 +00:00			`/**`
			`* Get textual uml diagram source from URL.`
			`*`
			`* @param url source URL`
			`*`
			`* @return textual uml diagram source`
			`*`
			`* @throws IOException if an input or output exception occurred`
			`*/`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`private String getSource(final URL url) throws IOException {`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`String line;`
			`BufferedReader rd;`
			`StringBuilder sb;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`try {`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`HttpURLConnection con = getConnection(url);`
			`rd = new BufferedReader(new InputStreamReader(con.getInputStream()));`
			`sb = new StringBuilder();`

			`while ((line = rd.readLine()) != null) {`
			`sb.append(line + '\n');`
			`}`
			`rd.close();`
			`return sb.toString();`
			`} catch (IOException e) {`
			`e.printStackTrace();`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`} finally {`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`rd = null;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`}`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`return "";`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`}`

update + restructure pom and add missing javadoc 2021-10-12 15:51:35 +00:00			`/**`
			`* Get {@link FileFormat} instance from string.`
			`*`
			`* @param format file format name`
			`*`
			`* @return corresponding file format instance,`
			`* if {@code format} is null or unknown the default {@link FileFormat#PNG} will be returned`
			`*/`
Fix format management 2015-12-10 18:38:37 +00:00			`private FileFormat getOutputFormat(String format) {`
[TASK] Full coding style clean up 2013-07-10 15:07:24 +00:00			`if (format == null) {`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`return FileFormat.PNG;`
			`}`
			`if (format.equals("svg")) {`
			`return FileFormat.SVG;`
			`}`
Add eps format to proxy 2017-06-28 10:59:27 +00:00			`if (format.equals("eps")) {`
			`return FileFormat.EPS;`
			`}`
			`if (format.equals("epstext")) {`
			`return FileFormat.EPS_TEXT;`
			`}`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`if (format.equals("txt")) {`
[FEATURE] Proxy redesign, first step 2013-11-25 21:35:58 +00:00			`return FileFormat.UTXT;`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`}`
The ProxyServlet should handle maps too. 2022-06-29 20:32:51 +00:00			`if (format.equals("map")) {`
			`return FileFormat.UTXT;`
			`}`

Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`return FileFormat.PNG;`
[TASK] Full coding style clean up 2013-07-10 15:07:24 +00:00			`}`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00
update + restructure pom and add missing javadoc 2021-10-12 15:51:35 +00:00			`/**`
			`* Get open http connection from URL.`
			`*`
			`* @param url URL to open connection`
			`*`
			`* @return open http connection`
			`*`
			`* @throws IOException if an input or output exception occurred`
			`*/`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`private HttpURLConnection getConnection(final URL url) throws IOException {`
Added support for Authorization header 2019-05-17 14:22:28 +00:00			`final HttpURLConnection con = (HttpURLConnection) url.openConnection();`
update and fix checkstyle and javadoc plugins 2021-10-11 14:40:15 +00:00			`//if (con instanceof HttpsURLConnection) {`
			`// printHttpsCert((HttpsURLConnection) con);`
			`//}`
Added support for Authorization header 2019-05-17 14:22:28 +00:00			`con.setRequestMethod("GET");`
			`String token = System.getenv("HTTP_AUTHORIZATION");`
			`if (token != null) {`
			`con.setRequestProperty("Authorization", token);`
			`}`
			`con.setReadTimeout(10000); // 10 seconds`
			`con.connect();`
			`return con;`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`}`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`/**`
update + restructure pom and add missing javadoc 2021-10-12 15:51:35 +00:00			`* Debug method used to dump the certificate info.`
			`*`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`* @param con the https connection`
			`*/`
[TASK] Checkstyle report and mvn site configuration 2014-02-06 17:28:06 +00:00			`@SuppressWarnings("unused")`
			`private void printHttpsCert(final HttpsURLConnection con) {`
[FEATURE] First HTTPS support 2013-11-29 14:58:23 +00:00			`if (con != null) {`
			`try {`
			`System.out.println("Response Code : " + con.getResponseCode());`
			`System.out.println("Cipher Suite : " + con.getCipherSuite());`
			`System.out.println("\n");`

			`Certificate[] certs = con.getServerCertificates();`
			`for (Certificate cert : certs) {`
			`System.out.println("Cert Type : " + cert.getType());`
			`System.out.println("Cert Hash Code : " + cert.hashCode());`
			`System.out.println("Cert Public Key Algorithm : " + cert.getPublicKey().getAlgorithm());`
			`System.out.println("Cert Public Key Format : " + cert.getPublicKey().getFormat());`
			`System.out.println("\n");`
			`}`

			`} catch (SSLPeerUnverifiedException e) {`
			`e.printStackTrace();`
			`} catch (IOException e) {`
			`e.printStackTrace();`
			`}`
			`}`
			`}`
Refactoring of the Proxy service 2013-07-09 13:44:36 +00:00			`}`