18.1.3 release

ChangeLog

@@ -1,3 +1,11 @@
+26-MAY-2022: 18.1.3
+
+- Adds spacing dialog for parallels layout
+- Adds allowlist for layout constructor names
+- Adds JSON values for childLayout styles
+- Adds size check for fetched connection data
+- Allows custom protocols in links
+
 23-MAY-2022: 18.1.2
 
 - Limits export proxy URL

VERSION

@@ -1 +1 @@
-18.1.2
+18.1.3

src/main/java/com/mxgraph/online/ConverterServlet.java

@@ -35,6 +35,7 @@ public class ConverterServlet  extends HttpServlet
 			.getLogger(HttpServlet.class.getName());
 
 	private static final int MAX_DIM = 5000;
+	private static final int MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB
 	private static final double EMF_10thMM2PXL = 26.458;
 	private static final String API_KEY_FILE_PATH = "/WEB-INF/cloud_convert_api_key"; // Not migrated to new pattern, since will not be used on diagrams.net
 	private static final String CONVERT_SERVICE_URL = "https://api.cloudconvert.com/convert";
@@ -177,11 +178,19 @@ else if ("outputformat".equals(fieldName))
 				}
 
 				addParameterHeader("file", fileName, postRequest);
-
+				int total = 0;
+
 				while(bytesRead != -1) 
 				{
 					postRequest.write(data, 0, bytesRead);
 					bytesRead = fileContent.read(data);
+					total += bytesRead;
+
+					if (total > MAX_FILE_SIZE)
+					{
+						postRequest.close();
+						throw new Exception("File size exceeds the maximum allowed size of " + MAX_FILE_SIZE + " bytes.");
+					}
 				}
 
 				postRequest.writeBytes(CRLF + TWO_HYPHENS + BOUNDARY + TWO_HYPHENS + CRLF);

src/main/java/com/mxgraph/online/EmbedServlet2.java

@@ -69,6 +69,11 @@ public class EmbedServlet2 extends HttpServlet
 	 */
 	protected static String lastModified = null;
 
+	/**
+	 * Max fetch size
+	 */
+	protected static int MAX_FETCH_SIZE = 50 * 1024 * 1024; // 50 MB
+
 	/**
 	 * 
 	 */
@@ -392,6 +397,7 @@ public String createEmbedJavaScript(HttpServletRequest request)
 		if (urls != null)
 		{
 			HashSet<String> completed = new HashSet<String>();
+			int sizeLimit = MAX_FETCH_SIZE;
 
 			for (int i = 0; i < urls.length; i++)
 			{
@@ -405,7 +411,15 @@ public String createEmbedJavaScript(HttpServletRequest request)
 						URLConnection connection = url.openConnection();
 						((HttpURLConnection) connection).setInstanceFollowRedirects(false);
 						ByteArrayOutputStream stream = new ByteArrayOutputStream();
-						Utils.copy(connection.getInputStream(), stream);
+						String contentLength = connection.getHeaderField("Content-Length");
+
+						// If content length is available, use it to enforce maximum size
+						if (contentLength != null && Long.parseLong(contentLength) > sizeLimit)
+						{
+							break;
+						}
+
+						sizeLimit -= Utils.copyRestricted(connection.getInputStream(), stream, sizeLimit);
 						setCachedUrls += "GraphViewer.cachedUrls['"
 								+ StringEscapeUtils.escapeEcmaScript(urls[i])
 								+ "'] = decodeURIComponent('"

src/main/java/com/mxgraph/online/ExportProxyServlet.java

@@ -21,7 +21,8 @@
 public class ExportProxyServlet extends HttpServlet
 {
 	private final String[] supportedServices = {"EXPORT_URL", "PLANTUML_URL", "VSD_CONVERT_URL", "EMF_CONVERT_URL"};
-
+	private static int MAX_FETCH_SIZE = 50 * 1024 * 1024; // 50 MB
+
 	private void doRequest(String method, HttpServletRequest request,
 			HttpServletResponse response) throws ServletException, IOException
 	{
@@ -102,7 +103,7 @@ else if (!exportUrl.endsWith("/")) // There are other non-trivial cases, admins
 				con.setDoOutput(true);
 
 				OutputStream params = con.getOutputStream();
-				Utils.copy(request.getInputStream(), params);
+				Utils.copyRestricted(request.getInputStream(), params, MAX_FETCH_SIZE);
 				params.flush();
 				params.close();
 	        }

src/main/java/com/mxgraph/online/ProxyServlet.java

@@ -45,6 +45,11 @@ public class ProxyServlet extends HttpServlet
 	 */
 	private static final int TIMEOUT = 29000;
 
+	/**
+	 * Max fetch size
+	 */
+	protected static int MAX_FETCH_SIZE = 50 * 1024 * 1024; // 50 MB
+
 	/**
 	 * A resuable empty byte array instance.
 	 */
@@ -136,6 +141,14 @@ protected void doGet(HttpServletRequest request,
 					{
 						response.setStatus(status);
 
+						String contentLength = connection.getHeaderField("Content-Length");
+
+						// If content length is available, use it to enforce maximum size
+						if (contentLength != null && Long.parseLong(contentLength) > MAX_FETCH_SIZE)
+						{
+							throw new UnsupportedContentException();
+						}
+
 						// Copies input stream to output stream
 						InputStream is = connection.getInputStream();
 						byte[] head = (contentAlwaysAllowed(urlParam)) ? emptyBytes
@@ -208,6 +221,8 @@ protected void copyResponse(InputStream is, OutputStream out, byte[] head,
 	{
 		if (base64)
 		{
+			int total = 0;
+
 			try (BufferedInputStream in = new BufferedInputStream(is,
 					BUFFER_SIZE))
 			{
@@ -217,7 +232,14 @@ protected void copyResponse(InputStream is, OutputStream out, byte[] head,
 				os.write(head, 0, head.length);
 
 			    for (int len = is.read(buffer); len != -1; len = is.read(buffer))
-			    { 
+			    {
+					total += len;
+
+					if (total > MAX_FETCH_SIZE)
+					{
+						throw new IOException("Size limit exceeded");
+					}
+
 			        os.write(buffer, 0, len);
 			    }
 
@@ -227,7 +249,7 @@ protected void copyResponse(InputStream is, OutputStream out, byte[] head,
 		else
 		{
 			out.write(head);
-			Utils.copy(is, out);
+			Utils.copyRestricted(is, out, MAX_FETCH_SIZE);
 		}
 	}
 

src/main/java/com/mxgraph/online/Utils.java

@@ -145,6 +145,18 @@ public static void copy(InputStream in, OutputStream out) throws IOException
 		copy(in, out, IO_BUFFER_SIZE);
 	}
 
+	/**
+	 * Copies the input stream to the output stream using the default buffer size
+	 * @param in the input stream
+	 * @param out the output stream
+	 * @param sizeLimit the maximum number of bytes to copy
+	 * @throws IOException
+	 */
+	public static int copyRestricted(InputStream in, OutputStream out, int sizeLimit) throws IOException
+	{
+		return copy(in, out, IO_BUFFER_SIZE, sizeLimit);
+	}
+
 	/**
 	 * Copies the input stream to the output stream using the specified buffer size
 	 * @param in the input stream
@@ -154,14 +166,37 @@ public static void copy(InputStream in, OutputStream out) throws IOException
 	 */
 	public static void copy(InputStream in, OutputStream out, int bufferSize)
 			throws IOException
+	{
+		copy(in, out, bufferSize, 0);
+	}
+
+	/**
+	 * Copies the input stream to the output stream using the specified buffer size
+	 * @param in the input stream
+	 * @param out the output stream
+	 * @param bufferSize the buffer size to use when copying
+	 * @param sizeLimit the maximum number of bytes to copy
+	 * @throws IOException
+	 */
+	public static int copy(InputStream in, OutputStream out, int bufferSize, int sizeLimit)
+			throws IOException
 	{
 		byte[] b = new byte[bufferSize];
-		int read;
+		int read, total = 0;
 
 		while ((read = in.read(b)) != -1)
 		{
+			total += read;
+
+			if (sizeLimit > 0 && total > sizeLimit)
+			{
+				throw new IOException("Size limit exceeded");
+			}
+
 			out.write(b, 0, read);
 		}
+
+		return total;
 	}
 
 	/**