<AWT Dev> Safe to take Base64 encoded image from client?

[Timo Vander Schuit]

Hi,

The front-end generates a base64 encoded image of a graph and send it to the backend to use it with pdfbox to create a pdf file.
Are there any security concerns with in particular this line "BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
“?

@POST
@Consumes(MediaType.APPLICATION_JSON)
@Path("/pdfbox")
public void getChartsPdf(String base64ImageData) throws IOException{

    PDDocument doc = null;
    byte[] imageByte;
    String base64Image = base64ImageData.split(",")[1];
    BASE64Decoder decoder = new BASE64Decoder();
    imageByte = decoder.decodeBuffer(base64Image);
    try {
        doc = new PDDocument();
        PDPage page = new PDPage();
        doc.addPage(page);
        PDFont font = PDType1Font.HELVETICA_BOLD;
        PDPageContentStream contentStream = new PDPageContentStream(doc, page);

        BufferedImage bufImg = ImageIO.read(new ByteArrayInputStream(imageByte));
        PDXObjectImage ximage = new PDPixelMap(doc, bufImg);

        contentStream.beginText();
        contentStream.setFont( font, 12 );
        contentStream.moveTextPositionByAmount( 50, 700 );
        contentStream.drawString("Timeline");
        contentStream.endText();
        contentStream.drawXObject(ximage, 20, 500, ximage.getWidth()/2, ximage.getHeight()/2);
        contentStream.close();
        doc.save("testCharts.pdf");
    } catch (Exception e) {
        System.err.println(e.getMessage());
    } finally {
        if (doc != null) {
            doc.close();
        }
    }
}

Regards,

Timo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/awt-dev/attachments/20170529/9f39f102/attachment.html>