[OpenJDK 2D-Dev] <AWT Dev> Safe to take Base64 encoded image from client?

Sergey Bylokhov sergey.bylokhov at oracle.com
Mon May 29 21:48:03 UTC 2017


Hi,
The question is related to the Java2D API and 2d-dev (cc).

----- timo.vander.schuit at globalrelay.net wrote:

> Hi,
> 
> The front-end generates a base64 encoded image of a graph and sends it
> to the backend to use it with pdfbox to create a pdf file.
> Are there any security concerns, in particular with this line:
> "BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));"?
> 
> @POST
> @Consumes(MediaType.APPLICATION_JSON)
> @Path("/pdfbox")
> public void getChartsPdf(String base64ImageData) throws IOException{
> 
>     PDDocument doc = null;
>     byte[] imageByte;
>     String base64Image = base64ImageData.split(",")[1];
>     BASE64Decoder decoder = new BASE64Decoder();
>     imageByte = decoder.decodeBuffer(base64Image);
>     try {
>         doc = new PDDocument();
>         PDPage page = new PDPage();
>         doc.addPage(page);
>         PDFont font = PDType1Font.HELVETICA_BOLD;
>         PDPageContentStream contentStream = new PDPageContentStream(doc, page);
> 
>         BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
>         PDXObjectImage ximage = new PDPixelMap(doc, bufImg);
> 
>         contentStream.beginText();
>         contentStream.setFont( font, 12 );
>         contentStream.moveTextPositionByAmount( 50, 700 );
>         contentStream.drawString("Timeline");
>         contentStream.endText();
>         contentStream.drawXObject(ximage, 20, 500, ximage.getWidth()/2, ximage.getHeight()/2);
>         contentStream.close();
>         doc.save("testCharts.pdf");
>     } catch (Exception e) {
>         System.err.println(e.getMessage());
>     } finally {
>         if (doc != null) {
>             doc.close();
>         }
>     }
> }
> 
> Regards,
> 
> Timo
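
An added example, not part of the original thread or of any poster's code: one way to bound client-supplied image data before it reaches the decoder. `ImageIO.read` sizes its raster from the width and height declared in the image header, so a small upload can request a very large allocation. The class name, the limits, and the assumption that the front-end sends a `data:image/png;base64,` URI are hypothetical.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Iterator;

public final class BoundedImageDecoder {
    // Assumed limits for a chart-sized image; tune for the application.
    private static final int MAX_ENCODED_CHARS = 4 * 1024 * 1024;
    private static final long MAX_PIXELS = 4_000L * 4_000L;
    // Assumption: the front-end sends a PNG data URI.
    private static final String PREFIX = "data:image/png;base64,";

    public static BufferedImage decode(String dataUri) throws IOException {
        // Reject before decoding: bounds memory use and avoids split(",")[1] index errors.
        if (dataUri == null || dataUri.length() > MAX_ENCODED_CHARS || !dataUri.startsWith(PREFIX)) {
            throw new IOException("rejected: missing, oversized, or not a PNG data URI");
        }
        byte[] bytes;
        try {
            // java.util.Base64 is the supported API; it throws on malformed input.
            bytes = Base64.getDecoder().decode(dataUri.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            throw new IOException("rejected: invalid Base64", e);
        }
        try (ImageInputStream in = ImageIO.createImageInputStream(new ByteArrayInputStream(bytes))) {
            Iterator<ImageReader> readers = (in == null) ? null : ImageIO.getImageReaders(in);
            if (readers == null || !readers.hasNext()) {
                throw new IOException("rejected: unrecognized image format");
            }
            ImageReader reader = readers.next();
            try {
                // Trust the sniffed format, not the label in the data URI.
                if (!"png".equalsIgnoreCase(reader.getFormatName())) {
                    throw new IOException("rejected: content is not PNG");
                }
                reader.setInput(in, true, true); // forward-only, ignore metadata
                // Header-only read: check declared dimensions before any raster is allocated.
                long pixels = (long) reader.getWidth(0) * reader.getHeight(0);
                if (pixels <= 0 || pixels > MAX_PIXELS) {
                    throw new IOException("rejected: declared dimensions out of bounds");
                }
                return reader.read(0);
            } finally {
                reader.dispose();
            }
        }
    }
}
```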

