Merge 1.30.10 (#1044)
* chore(): Prepare next version

* fix(audits): add api events

fix gravitee-io/issues#2883

* chore(): Prepare next version

* fix: Platform dashboard rights not correctly handled for widget response status

fix gravitee-io/issues#2868

* fix: When deleting an API, its pages should be also deleted

fix gravitee-io/issues#2844

* fix(swagger): Add documentation for analytics API

Closes gravitee-io/issues#2914

* fix(group): A group can be associated to existing APIs and or Apps

Closes gravitee-io/issues#2253

* fix(view): Do not update view's picture when re-ordering

Closes gravitee-io/issues#2909

* feat(services): Add a user-agent header for all services requests

fix gravitee-io/issues#2854

* fix(api): add controls on api creation and update

fix gravitee-io/issues#2938

* release(1.25.16)

* chore(): Prepare next version

* chore: Update node dependency

Closes gravitee-io/issues#2963

* fix(prometheus): register HC service only on Prometheus

fix gravitee-io/issues#2979

* fix(oauth): log user mapping error in warning

fix gravitee-io/issues#2973

* fix(quality-rules): do not require read access to get all quality rules

fix gravitee-io/issues#2984

* fix(analytics): Do not handle API and application with value '1' as deleted.

Closes gravitee-io/issues#2987

* feat(http): Add support for PKCS12 for HTTP server

Closes gravitee-io/issues#2978

* fix(analytics): replace '1' to '?' in analytics response

fix gravitee-io/issues#2988

* release(1.25.17)

* chore(): Prepare next version

* fix: Do not log message when a field is not mapped on an identity provider

Closes gravitee-io/issues#3016

* fix(email): do not throw error if email is disabled

fix gravitee-io/issues#3035

* doc: Add doc on how to add email on a user inmemory

Closes gravitee-io/issues#2590

* fix(email): do not send email if no recipient

fix gravitee-io/issues#3038

* release(1.30.1)

* chore(): Prepare next version

* fix(gravitee.bat): wrong comment syntax

fix gravitee-io/issues#3050

* feat(metadata): add EL support for the "email-support" API metadata

closes gravitee-io/issues#3049

* fix(api): delete memberships and notifications on delete

fix gravitee-io/issues#2711

* fix(ut): ApiService_DeleteTest ApplicationService_ArchiveTest

* release(1.25.18)

* chore(): Prepare next version

* fix(management): the enums not case-insensitive when an api is imported

Closes gravitee-io/issues#2995

* fix(logs): escape reserved words during research

fix gravitee-io/issues#3070

* release(1.25.19)

* chore(): Prepare next version

* release(1.30.2)

* chore(): Prepare next version

* release(1.25.20)

* chore(): Prepare next version

* fix: The configuration of an email on a user (in memory) does not work

Closes gravitee-io/issues#3103

* fix: Error trying to import API with primary owner without email

Closes gravitee-io/issues#3104

* fix(configuration): define sensitive data that cannot be seen outside the service

fix gravitee-io/issues#3082

* feat(application): display complete request URI in the application log detail

closes gravitee-io/issues#3107

* feat(maintenance): add a maintenance mode for the ui and api

fix gravitee-io/issues#3124

* fix(subscription): update subscription ending date

fix gravitee-io/issues#3149

* fix(apikey): expire date cannot ended after subscription

fix gravitee-io/issues#3153

* fix(management) API documentation import preserves folders structure

Fixes gravitee-io/issues#3129

* release(1.25.21)

* chore(): Prepare next version

* fix(pages) allow non admin to administrate portal pages

fix gravitee-io/issues#3174

* fix(analytics): report issues#3113 in default widgets

* release(1.30.3)

* chore(): Prepare next version

* fix(config): Bad defautl value for HTTP proxy

Closes gravitee-io/issues#3221

* fix(group): Reverse newly created entity and mapped entity

Closes gravitee-io/issues#3171

* feat(instance): Add instances filtering capabilities to avoid loading large set of data

Closes gravitee-io/issues#3222

* fix: Missing informations on email template for expired api-key

* fix(oauth): Add a state while doing oauth authentication

Closes gravitee-io/issues#3231

* fix(permission): Group permissions are merged with user permissions

Closes gravitee-io/issues#3238

* fix: Cors request considered as "Deleted Application"

Closes gravitee-io/issues#3228

* fix: Log unknown path for unknown APIs

Closes gravitee-io/issues#3195

* fix(container): Move JUL logs to SLF4j

Closes gravitee-io/issues#3229

* feat(idp): add firstname and lastname support for inmemory users

closes gravitee-io/issues#3234

* feat(user): Add a flag to indicate that the user is PO

Closes gravitee-io/issues#2425

* release(1.25.22)

* chore(): Prepare next version

* feat(swagger): Set server URLs depending on the entrypoints of the API

Closes gravitee-io/issues#3246

* release(1.30.4)

* chore(): Prepare next version

* Fix typo on configuration of proxy type

* fix: fail to parse Swagger page with dynamic freemarker values

Closes gravitee-io/issues#3259

* feat(logs): Provide a way to consult API logs from platform dashboard

Closes gravitee-io/issues#3233

* release(1.30.5)

* chore(): Prepare next version

* fix: Some users are wrongly flagged as primary owners

Closes gravitee-io/issues#3273

* fix(application): do not log in error a missing PO on a archived app

fix gravitee-io/issues#3273

* fix: Manual unlocking of detailed logging limitation

Closes gravitee-io/issues#3282

* fix: Use the correct log lever for errors on token exchange

Closes gravitee-io/issues#3267

* feat(swagger): Servers in descriptor are based on API entrypoints

Closes gravitee-io/issues#3277

* fix: Direct members permissions are not well merged with group permissions

Closes gravitee-io/issues#3315

* fix(): improve the rest-api swagger documentation

fix gravitee-io/issues#3230

* fix(users): display name show 'null' value if firstname or lastname is null

fixes gravitee-io/issues#3313

* fix(api): export API metadata

fixes gravitee-io/issues#3314

* fix(doc): remove List example in the rest-api swagger definition

* chore: Resolve swagger model type

* chore: Remove swagger2markup as it is covered with Redoc

* release(1.25.23)

* chore(): Prepare next version

* fix(api): Quality score is set to 0 if no custom rules has been validated

Closes gravitee-io/issues#3325

* fix(application): Set the client_id when updating a DCR application

Closes gravitee-io/issues#3180

* feat(dictionary): Provide support HTTP headers

Closes gravitee-io/issues#3296

* fix: When updating the view name, the label is not correct on the API's cards

fix gravitee-io/issues#3279

* feat(policy): Policies can be extracted from Swagger

Closes gravitee-io/issues#3298

* feat(alert): Add alert history

Closes gravitee-io/issues#3185

* fix(pages): do not override fetcher configuration while fetching pages

fixes gravitee-io/issues#3342

* feat(alert): Upgrade node dependencies to add support for alert on node healthcheck metrics

Closes gravitee-io/issues#3118

* fix(api): Add default context-path to API entity

Closes gravitee-io/issues#3356

* fix(analytics): add order metadata to group_by response to be able to sort data on the UI side

fixes gravitee-io/issues#3350

* feat(page): Add an option to render swagger server according to the entrypoint path

Closes gravitee-io/issues#3359

* fix(logs): Manage unknown API

Closes gravitee-io/issues#3349

* fix: missing license header

* fix(subscription): Api-key without expiration date are well managed

Closes gravitee-io/issues#3362

* release(1.30.6)

* chore(): Prepare next version

* release(1.30.7)

* chore(): Prepare next version

* fix: Support email message is displaying html elements

Closes gravitee-io/issues#3398

* fix(logging): Plug Java Util Logging (JUL) to SLF4J

Closes gravitee-io/issues#3360

* release(1.25.24)

* fix: Metadata are not well imported while creating or updating an API

Closes gravitee-io/issues#3409

* fix: Entrypoints are incorrect in case of virtual hosting configuration

Closes gravitee-io/issues#3404

* fix: Error on top path column name

fix gravitee-io/issues#3411

* release(1.30.8)

* chore(): Prepare next version

* fix(apikey): save paused subscriptions

fix gravitee-io/issues#3520

* fix(swagger): keep the swagger config on api update from swagger

fix gravitee-io/issues#3518

* fix(user): do not fail if default app is enabled but simple App with DCR is disabled

fix gravitee-io/issues#3523

* fix(subscriptions): search subscriptions by api-key with many applications

fixes gravitee-io/issues#3346

* fix(oidc-idp): map emailRequired property from gravitee.yml file

fixes gravitee-io/issues#3597

* fix: Allows to override virtual host with entrypoints

fix gravitee-io/issues#3626

* feat(memberhsip): Manage automatic membership mappings for identity providers

Closes gravitee-io/issues#1698

* fix(view): Default ALL view must have a key

Closes gravitee-io/issues#3636

* fix(UT): SubscriptionService + ApiService_ExportAsJsonTest

* chore(): upgrade parent to fix gpg error

* release(1.30.9)

* chore(): Prepare next version

* feat(messages): allow to optionally define whitelist url for post message

Closes gravitee-io/issues#3638

* fix: Add support for CSRF / upgrade nimbus + upgrade java-jwt

Closes gravitee-io/issues#3634

* fix(image): Image format and content are validated against XSS attacks

Closes gravitee-io/issues#3648

* fix(api): improve filtering of api data

Closes gravitee-io/issues#3644

* fix(user): Check the email and password during registration

Closes gravitee-io/issues#3656

* chore(dependencies): upgrade dependencies

spring 5.1.3 -> 5.2.5
spring-security 5.1.5 -> 5.2.5
jersey 2.29 -> 2.30.1
jetty 9.4.20 -> 9.4.28
freemarker 2.3.28 -> 2.3.30
guava 20.0 -> 29.0-jre
json-path 2.3.0 -> 2.4.0
snakeyaml 1.18 -> 1.26
jackson 2.9.8 -> 2.10.3
json-schema-validator 2.2.8 -> 2.2.13
swagger-jersey-jaxrs 1.5.23 -> 1.6.1
jersey-spring4 -> jersey-spring5
java-jwt 2.2.1 -> 3.10.2

Closes gravitee-io/issues#3652

* feat(page): allow to optionally sanitize page content

Closes gravitee-io/issues#3637

* feat(import): add ability to whitelist urls or disable import from private host

Closes gravitee-io/issues#3657

* feat(csrf): allow to optionally enable csrf protection

Closes gravitee-io/issues#3663

* feat(captcha): add captcha protection if feature is enabled

Closes gravitee-io/issues#3655

* fix(user): Do not search on email domain

Closes gravitee-io/issues#3665

* feat(csrf): handle csrf cross-domain

Closes gravitee-io/issues#3662

* fix(csrf): handle csrf cross-domain

Closes gravitee-io/issues#3662

* feat(captcha): add captcha on login

Closes gravitee-io/issues#3655

* fix(import): security value for plan data can be filled in lowercase

Closes gravitee-io/issues#3402

* refactor: export api with enum vales in lowercase

Closes gravitee-io/issues#3406

* X-Forwarded headers fix for ports
 Closes: gravitee-io/issues#3641

* fix(csrf): set http-only on csrf cookie

Closes gravitee-io/issues#3673

* chore: Upgrade netty dependency

Closes gravitee-io/issues#3679

* feat(captcha): allow cors 'X-Recaptcha-Token' header by default

Closes gravitee-io/issues#3676

* chore: Upgrade gravitee-node dependency

Closes gravitee-io/issues#3419

* fix(command): do not fetch indexable source if the action is a delete one

fixes gravitee-io/issues#3574

* fix: Fail to save a Client registration config

fix gravitee-io/issues#3617

* release(1.30.10)

Co-authored-by: Gravitee.io Bot <contact@gravitee.io>
Co-authored-by: Nicolas Géraud <nicolas.geraud@gmail.com>
Co-authored-by: Azize Elamrani <azize.elamrani@gmail.com>
Co-authored-by: David BRASSELY <brasseld@gmail.com>
Co-authored-by: Titouan COMPIEGNE <titouan.compiegne@gmail.com>
Co-authored-by: Guillaume Gillon <guillaume.gillon@gmail.com>
Co-authored-by: Florent CHAMFROY <florent.chamfroy@graviteesource.com>
Co-authored-by: RomsDev <tabaryr@gmail.com>
Co-authored-by: Guillaume Cusnieux <guillaume.cusnieux@graviteesource.com>
Co-authored-by: Zdenek Obst <zdenek.obst@gmail.com>
11 people committed May 18, 2020
1 parent bc6c63c commit df5c9f0
Showing 94 changed files with 3,636 additions and 686 deletions.
8 changes: 4 additions & 4 deletions .gitignore
Expand Up @@ -11,7 +11,7 @@ target/
.classpath
/bin/

gravitee-management-api-standalone/gravitee-management-api-standalone-distribution/src/main/resources/license/*
gravitee-management-api-standalone/gravitee-management-api-standalone-distribution/src/main/resources/logs/*
gravitee-management-api-standalone/gravitee-management-api-standalone-distribution/src/main/resources/plugins/*
gravitee-management-api-standalone/gravitee-management-api-standalone-distribution/src/main/resources/data/*
gravitee-rest-api-standalone/gravitee-rest-api-standalone-distribution/src/main/resources/license/*
gravitee-rest-api-standalone/gravitee-rest-api-standalone-distribution/src/main/resources/logs/*
gravitee-rest-api-standalone/gravitee-rest-api-standalone-distribution/src/main/resources/data/*
gravitee-rest-api-standalone/gravitee-rest-api-standalone-distribution/src/main/resources/plugins/*
2 changes: 1 addition & 1 deletion gravitee-rest-api-idp/gravitee-rest-api-idp-core/pom.xml
Expand Up @@ -57,7 +57,7 @@
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>4.41.2</version>
<version>${nimbus-jose-jwt.version}</version>
</dependency>
</dependencies>
</project>
Expand Up @@ -24,22 +24,11 @@
import io.gravitee.rest.api.service.MembershipService;
import io.gravitee.rest.api.service.PermissionService;
import io.gravitee.rest.api.service.RoleService;
import io.gravitee.rest.api.service.exceptions.UploadUnauthorized;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import javax.inject.Inject;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;
import java.awt.*;
import java.awt.image.BufferedImage;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.Iterator;

/**
* @author David BRASSELY (david.brassely at graviteesource.com)
Expand Down Expand Up @@ -94,79 +83,4 @@ protected boolean hasPermission(RolePermission permission, RolePermissionAction.
protected boolean hasPermission(RolePermission permission, String referenceId, RolePermissionAction... acls) {
return isAuthenticated() && (isAdmin() || permissionService.hasPermission(permission, referenceId, acls));
}

String checkAndScaleImage(final String encodedPicture) {
if (encodedPicture != null) {
// first check that the image is in a valid format to prevent from XSS attack
checkImageFormat(encodedPicture);

final String pictureType = encodedPicture.substring(0, encodedPicture.indexOf(','));
final String base64Picture = encodedPicture.substring(encodedPicture.indexOf(',') + 1);
final byte[] decodedPicture = Base64.getDecoder().decode(base64Picture);

// then check that the image is not too big
if (decodedPicture.length > 500_000) {
throw new UploadUnauthorized("The image is too big");
}

try {
ImageInputStream imageInputStream = ImageIO.createImageInputStream(decodedPicture);
Iterator<ImageReader> imageReaders = ImageIO.getImageReaders(imageInputStream);

while (imageReaders.hasNext()) {
ImageReader reader = imageReaders.next();
String discoveredType = reader.getFormatName();

if ("svg".equals(discoveredType)) {
throw new UploadUnauthorized("SVG format is not supported");
}

reader.setInput(imageInputStream);
reader.getNumImages(true);
BufferedImage bufferedImage = reader.read(0);
Image scaledImage = bufferedImage.getScaledInstance(200, 200, Image.SCALE_SMOOTH);
BufferedImage bufferedScaledImage = new BufferedImage(200, 200, bufferedImage.getType());

Graphics2D g2 = bufferedScaledImage.createGraphics();
g2.drawImage(scaledImage, 0, 0, null);
g2.dispose();

ByteArrayOutputStream bos = new ByteArrayOutputStream();
ImageIO.write(bufferedScaledImage, discoveredType, bos );
return pictureType + "," + Base64.getEncoder().encodeToString(bos.toByteArray());
}
} catch (IOException e) {
e.printStackTrace();
return null;
}
}

return encodedPicture;
}

private void checkImageFormat(final String picture) {
if (! picture.startsWith("data:")) {
throw new UploadUnauthorized("The image is not in a valid format");
}

String mediaType = picture.substring("data:".length(), picture.indexOf((int) ';'));
if (!mediaType.startsWith("image/")) {
throw new UploadUnauthorized("Image file format unauthorized " + mediaType);
}

if (mediaType.contains("svg")) {
throw new UploadUnauthorized("SVG format is not supported");
}
}

void checkImageFormat(final MediaType mediaType) {

if (!"image".equals(mediaType.getType())) {
throw new UploadUnauthorized("Image file format unauthorized " + mediaType);
}

if (mediaType.getSubtype() != null && mediaType.getSubtype().contains("svg")) {
throw new UploadUnauthorized("SVG format is not supported");
}
}
}
Expand Up @@ -16,18 +16,21 @@
package io.gravitee.rest.api.management.rest.resource;

import io.gravitee.common.http.MediaType;
import io.gravitee.rest.api.exception.InvalidImageException;
import io.gravitee.rest.api.management.rest.security.Permission;
import io.gravitee.rest.api.management.rest.security.Permissions;
import io.gravitee.rest.api.model.MediaEntity;
import io.gravitee.rest.api.model.PageEntity;
import io.gravitee.rest.api.model.permissions.RolePermission;
import io.gravitee.rest.api.model.permissions.RolePermissionAction;
import io.gravitee.rest.api.security.utils.ImageUtils;
import io.gravitee.rest.api.service.MediaService;
import io.gravitee.rest.api.service.exceptions.UploadUnauthorized;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import org.apache.commons.io.IOUtils;
import org.glassfish.jersey.media.multipart.FormDataBodyPart;
import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
import org.glassfish.jersey.media.multipart.FormDataParam;
Expand Down Expand Up @@ -65,17 +68,24 @@ public Response uploadImage(
@FormDataParam("file") final FormDataBodyPart body
) throws IOException {
final String mediaId;
checkImageFormat(body.getMediaType());

if (fileDetail.getSize() > this.mediaService.getMediaMaxSize()) {
throw new UploadUnauthorized("Max size achieved " + fileDetail.getSize());
} else {
mediaId = mediaService.saveApiMedia(api, new MediaEntity(
uploadedInputStream,
MediaEntity mediaEntity = new MediaEntity(
IOUtils.toByteArray(uploadedInputStream),
body.getMediaType().getType(),
body.getMediaType().getSubtype(),
fileDetail.getFileName(),
fileDetail.getSize()
));
fileDetail.getSize());

try {
ImageUtils.verify(body.getMediaType().getType(), body.getMediaType().getSubtype(), mediaEntity.getData());
} catch (InvalidImageException e) {
return Response.status(Response.Status.BAD_REQUEST).entity("Invalid image format").build();
}

mediaId = mediaService.saveApiMedia(api, mediaEntity);
}

return Response.status(200).entity(mediaId).build();
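Review bot: The size guard still compares `fileDetail.getSize()` with the configured maximum, but that value comes from the multipart part's Content-Disposition `size` parameter — client-asserted and commonly absent (-1 in Jersey) — while the newly added `IOUtils.toByteArray(uploadedInputStream)` buffers the whole part into memory with no bound of its own, so a caller can omit or understate the size and push an arbitrarily large body past the check before `ImageUtils.verify` ever runs. Read with a cap and check the measured length instead: `final long max = this.mediaService.getMediaMaxSize();` then `final byte[] data = IOUtils.toByteArray(new BoundedInputStream(uploadedInputStream, max + 1));` and `if (data.length > max) throw new UploadUnauthorized("Max size achieved " + data.length);`, passing `data` and `data.length` to the `MediaEntity` so the stored size is the real one rather than the header's. `BoundedInputStream` is in commons-io, which this file already uses for `IOUtils`, so no new dependency is needed. The enclosing `uploadImage` method starts before this hunk.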
Expand Up @@ -22,6 +22,7 @@
import io.gravitee.rest.api.management.rest.resource.param.PlanStatusParam;
import io.gravitee.rest.api.management.rest.security.Permission;
import io.gravitee.rest.api.management.rest.security.Permissions;
import io.gravitee.rest.api.model.permissions.RolePermissionAction;
import io.gravitee.rest.api.service.ApiService;
import io.gravitee.rest.api.service.GroupService;
import io.gravitee.rest.api.service.PlanService;
Expand All @@ -37,13 +38,16 @@
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import static io.gravitee.rest.api.model.permissions.RolePermission.API_GATEWAY_DEFINITION;
import static io.gravitee.rest.api.model.permissions.RolePermission.API_PLAN;
import static io.gravitee.rest.api.model.permissions.RolePermissionAction.*;

import java.net.URI;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
Expand Down Expand Up @@ -98,14 +102,15 @@ public List<PlanEntity> listPlans(
}

if (Visibility.PUBLIC.equals(apiEntity.getVisibility())
|| hasPermission(API_PLAN, api, READ)) {
|| hasPermission(API_PLAN, api, READ)) {

return planService.findByApi(api).stream()
.filter(plan -> status.getStatuses().contains(plan.getStatus())
&& ( (isAuthenticated() && isAdmin()) || groupService.
&& ((isAuthenticated() && isAdmin()) || groupService.
isUserAuthorizedToAccessApiData(apiEntity, plan.getExcludedGroups(), getAuthenticatedUserOrNull())))
.filter(plan -> security == null || security.getSecurities().contains(plan.getSecurity()))
.sorted(Comparator.comparingInt(PlanEntity::getOrder))
.map(this::filterSensitiveData)
.collect(Collectors.toList());
}

Expand Down Expand Up @@ -155,7 +160,7 @@ public Response updatePlan(
@PathParam("plan") String plan,
@ApiParam(name = "plan", required = true) @Valid @NotNull UpdatePlanEntity updatePlanEntity) {

if (updatePlanEntity.getId() != null && ! plan.equals(updatePlanEntity.getId())) {
if (updatePlanEntity.getId() != null && !plan.equals(updatePlanEntity.getId())) {
return Response
.status(Response.Status.BAD_REQUEST)
.entity("'plan' parameter does not correspond to the plan to update")
Expand All @@ -166,7 +171,7 @@ public Response updatePlan(
updatePlanEntity.setId(plan);

PlanEntity planEntity = planService.findById(plan);
if (! planEntity.getApi().equals(api)) {
if (! planEntity.getApi().contains(api)) {
return Response
.status(Response.Status.BAD_REQUEST)
.entity("'plan' parameter does not correspond to the current API")
Expand Down Expand Up @@ -305,4 +310,29 @@ public Response depreciatePlan(

return Response.ok(planService.depreciate(plan)).build();
}
}

private PlanEntity filterSensitiveData(PlanEntity entity) {

if ( hasPermission(API_GATEWAY_DEFINITION, entity.getApi(), RolePermissionAction.READ)
&& hasPermission(API_PLAN, entity.getApi(), RolePermissionAction.READ) ) {

// Return complete information if user has permission.
return entity;
}

PlanEntity filtered = new PlanEntity();

filtered.setId(entity.getId());
filtered.setCharacteristics(entity.getCharacteristics());
filtered.setName(entity.getName());
filtered.setDescription(entity.getDescription());
filtered.setOrder(entity.getOrder());
filtered.setSecurity(entity.getSecurity());
filtered.setType(filtered.getType());
filtered.setValidation(filtered.getValidation());
filtered.setCommentRequired(entity.isCommentRequired());
filtered.setCommentMessage(entity.getCommentMessage());

return filtered;
}
}
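Review bot: The ownership check in `updatePlan`, now `if (! planEntity.getApi().contains(api))`, passes whenever the request's API id is a substring of the plan's API id, whereas the `equals` it replaces required an exact match; since this guard is what stops a caller holding permissions on API `api` from updating a plan that belongs to a different API, it should stay an equality test, `if (!api.equals(planEntity.getApi())) {`. If `contains` was chosen because `getApi()` can now carry something other than a single id, that is not visible in this hunk (the same value is still passed as a single reference id to `hasPermission` in `filterSensitiveData`) and deserves a comment at the call site explaining it. With generated UUID ids a collision is unlikely, but an authorization boundary should not depend on the id format. The `updatePlan` method starts and ends outside the hunk.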
Expand Up @@ -16,6 +16,7 @@
package io.gravitee.rest.api.management.rest.resource;

import io.gravitee.common.http.MediaType;
import io.gravitee.rest.api.exception.InvalidImageException;
import io.gravitee.rest.api.management.rest.resource.param.LifecycleActionParam;
import io.gravitee.rest.api.management.rest.resource.param.LifecycleActionParam.LifecycleAction;
import io.gravitee.rest.api.management.rest.resource.param.ReviewActionParam;
Expand All @@ -29,6 +30,7 @@
import io.gravitee.rest.api.model.parameters.Key;
import io.gravitee.rest.api.model.permissions.RolePermission;
import io.gravitee.rest.api.model.permissions.RolePermissionAction;
import io.gravitee.rest.api.security.utils.ImageUtils;
import io.gravitee.rest.api.service.*;
import io.gravitee.rest.api.service.exceptions.ApiNotFoundException;
import io.gravitee.rest.api.service.exceptions.ForbiddenAccessException;
Expand Down Expand Up @@ -235,7 +237,11 @@ public Response update(
return builder.build();
}

checkAndScaleImage(apiToUpdate.getPicture());
try {
ImageUtils.verify(apiToUpdate.getPicture());
} catch (InvalidImageException e) {
return Response.status(Status.BAD_REQUEST).entity("Invalid image format").build();
}

final ApiEntity currentApi = (ApiEntity) responseApi.getEntity();
// Force context-path if user is not the primary_owner or an administrator
Expand Down Expand Up @@ -729,6 +735,7 @@ private void filterSensitiveData(ApiEntity entity) {
entity.setServices(null);
entity.setResources(null);
entity.setPathMappings(null);
entity.setResponseTemplates(null);
}
}
}
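Review bot: The removed `checkAndScaleImage` (shown earlier on this page) refused pictures whose decoded payload exceeded 500_000 bytes and rejected `svg` media types before decoding; `ImageUtils.verify(apiToUpdate.getPicture())` replaces it in `update`, but its implementation is not part of this page, so confirm it keeps both the size cap and the `data:image/*` / non-SVG media-type checks, otherwise the data-URL picture is now persisted with no size bound. If it does, a one-line comment at the call site, `// ImageUtils.verify enforces data:image/*, rejects SVG and caps the decoded size`, keeps that contract visible to the next reader. Note that neither the old call nor the new one applies a scaled result to `apiToUpdate`, so the picture is stored exactly as submitted; the `update` method continues outside this hunk.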
