This is a part of an online Codename One course published around 2017 see it all for free at https://debugagent.com/series/cn1

1. App Maker Server - Part II

2. REST API
✦The API will consist of multiple stages to construct the
restaurant in the cloud
✦We will upload the various pieces of the restaurant
(images, dishes etc.) then request a build
© Codename One 2017 all rights reserved

3. API calls
✦/updateRestaurant - will either update or create a
restaurant entry in the database, returns the secret
✦/dish - allows updating/adding/deleting a dish
✦/files - fetches a result file from the build
✦/doBuildApp - actually builds the app based on the
values set in the previous calls
✦We will probably need a few additional API’s later
including one for categories
© Codename One 2017 all rights reserved

4. @Controller
@RequestMapping("/updateRestaurant")
public class UpdateRestaurantService {
@Autowired
private RestaurantRepository restRepository;
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody String update(@RequestParam(name="logo", required = false) MultipartFile logo,
@RequestParam(name="icon", required = false) MultipartFile icon,
@RequestParam(name="backgroundImage", required = false) MultipartFile backgroundImage,
@RequestParam(name="secret", required = true) String secret) throws IOException {
RestaurantEntity e = restRepository.findBySecret(secret);
if(icon != null) {
e.setIcon(icon.getBytes());
}
if(logo != null) {
e.setLogo(logo.getBytes());
}
if(backgroundImage != null) {
e.setBackgroundImage(backgroundImage.getBytes());
}
restRepository.save(e);
return e.getSecret();
}
UpdateRestaurantService

5. @RequestMapping(method = RequestMethod.PUT)
public @ResponseBody String update(@RequestBody(required = true) RestaurantRequest data) throws
IOException {
RestaurantEntity e;
if(data.getId() == null) {
e = new RestaurantEntity();
} else {
e = restRepository.findBySecret(data.getId());
}
e.setMerchantId(data.getMerchantId());
e.setPrivateKey(data.getPrivateKey());
e.setPublicKey(data.getPublicKey());
e.setName(data.getName());
e.setRestaurantEmail(data.getRestaurantEmail());
e.setTagline(data.getTagline());
restRepository.save(e);
String sec = e.getSecret();
return sec;
}
}
UpdateRestaurantService

6. @Controller
@RequestMapping("/doBuildApp")
public class BuildAppService {
@Autowired
private BuildAppAsync buildAsync;
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody String build(
@RequestParam(name = "secret", required = true) String secret,
@RequestParam(name = "pushKey", required = false) String pushKey,
@RequestParam(name = "targetType", required = true) String targetType) {
buildAsync.buildApp(secret, pushKey, targetType);
return "OK";
}
}
BuildAppService

7. @SpringBootApplication
@EnableAsync
public class AppBackendServerApplication extends AsyncConfigurerSupport {
public static void main(String[] args) {
SpringApplication.run(AppBackendServerApplication.class, args);
}
@Override
public Executor getAsyncExecutor() {
ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
executor.setCorePoolSize(1);
executor.setMaxPoolSize(1);
executor.setQueueCapacity(10);
executor.setThreadNamePrefix("AppBuilder-");
executor.initialize();
return executor;
}
}
AppBackendServerApplication

8. @Service
public class BuildAppAsync {
@Autowired
private RestaurantRepository restRepository;
@Async
public void buildApp(String secret, String pushKey, String targetType) {
try {
RestaurantEntity re = restRepository.findBySecret(secret);
if(re == null) {
return;
}
File tempDirectory = File.createTempFile("tempDir", "ending");
tempDirectory.delete();
tempDirectory.mkdirs();
unzip(getClass().getResourceAsStream("/MyRestaurant.zip"), tempDirectory);
String uuid = UUID.randomUUID().toString();
FileResponseService.FILES_DIRECTORY.mkdirs();
File tempFileName = new File(FileResponseService.FILES_DIRECTORY, uuid + ".zip");
zipDir(tempFileName.getAbsolutePath(), tempDirectory.getAbsolutePath());
} catch(IOException err) {
throw new RuntimeException(err);
}
BuildAppAsync

9. spring.http.multipart.max-file-size=800KB
spring.http.multipart.max-request-size=2048KB
application.properties

10. @Controller @RequestMapping("/files")
public class FileResponseService {
public static final File FILES_DIRECTORY=new File(System.getProperty("user.home")+File.separator
+"files");
@RequestMapping(value = "/{file_name}", method = RequestMethod.GET)
public void getFile(@PathVariable("file_name") String fileName,
HttpServletResponse response) throws IOException {
for(int iter = 0 ; iter < fileName.length() ; iter++) {
char c = fileName.charAt(iter);
if(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '.' || c == '-' || c == '_') {
continue;
}
// illegal character that might compromise security
response.setStatus(404);
return;
}
File f = new File(FILES_DIRECTORY, fileName +".zip");
if(f.exists()) {
response.setStatus(200);
try(OutputStream os = response.getOutputStream()) {
Files.copy(f.toPath(), os);
}
} else {
response.setStatus(404);
}
}
}
FileResponseService
Problematic URL
https://server.com/../../../etc/passwd