glTF file validation with Java Spring Boot

I want to create an app with Three.js in the frontend and Java Spring Boot in the backend. Furthermore, the users shall be able to upload .glTF files which then shall be stored on the server. One concern I have is that I can't find a library or solution on how to check the validity or security of the .glTF, hence that it is not e.g. malicious, before storing it. Therefore I wanted to ask if anyone has an idea or solution to this problem. I found this repository https://github.com/javagl/JglTF which provides a gltf validator but it alarms that it is only for internal use and thus the other libraries. A glTF file has a JSON structure if that's relevant.

The options I considered:

• checking for general keys of glTF
• checking the mime type

You might be looking for KhronosGroup/glTF-Validator. However, the official glTF validator is not written in Java. It can be compiled to WebAssembly, but may take some considerable effort to run in a Java Spring Boot backend. The glTF specification also includes JSON-LD schema files, and I expect you could find libraries for Java that validate arbitrary JSON data against JSON-LD schema files, although I am not able to recommend such a library myself.

Furthermore, detecting that the file is a valid glTF asset is not quite the same thing as detecting that it is non-malicious (although it's certainly a good start). A glTF scene might be valid while also containing a maliciously-crafted JPEG or PNG texture, for example.

In my opinion, the only safe approach is to sanitize the glTF asset and any binary resources (like images) it relies on. Essentially this means rebuilding files with a trusted I/O library, not just sniffing them for problems. Existing Stack Overflow answers describe how to do this for 2D images, although I'm not aware of complete answers as related to 3D scenes.