glTF file validation with Java Spring Boot

Question


I want to create an app with Three.js in the frontend and Java Spring Boot in the backend. Furthermore, the users shall be able to upload .glTF files which then shall be stored on the server. One concern I have is that I can't find a library or solution on how to check the validity or security of the .glTF, hence that it is not e.g. malicious, before storing it. Therefore I wanted to ask if anyone has an idea or solution to this problem. I found this repository https://github.com/javagl/JglTF which provides a gltf validator but it alarms that it is only for internal use and thus the other libraries. A glTF file has a JSON structure if that's relevant.

The options I considered:

  • checking for general keys of glTF
  • checking the mime type

Answer 1

Score: 0


You might be looking for KhronosGroup/glTF-Validator. However, the official glTF validator is not written in Java. It can be compiled to WebAssembly, but may take some considerable effort to run in a Java Spring Boot backend. The glTF specification also includes JSON-LD schema files, and I expect you could find libraries for Java that validate arbitrary JSON data against JSON-LD schema files, although I am not able to recommend such a library myself.

Furthermore, detecting that the file is a valid glTF asset is not quite the same thing as detecting that it is non-malicious (although it's certainly a good start). A glTF scene might be valid while also containing a maliciously-crafted JPEG or PNG texture, for example.

In my opinion, the only safe approach is to sanitize the glTF asset and any binary resources (like images) it relies on. Essentially this means rebuilding files with a trusted I/O library, not just sniffing them for problems. Existing Stack Overflow answers describe how to do this for 2D images, although I'm not aware of complete answers as related to 3D scenes.
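
As an added example (not code from the question, the answer, or the JglTF/glTF-Validator projects), the Java class below sketches the two things the answer separates: a structural check of the glTF JSON (the "general keys" idea from the question) and a rebuild of embedded textures through an image library, which is the sanitize-by-rebuilding step applied to the 2D images the answer says can carry the real risk even when the glTF itself is valid. It assumes Jackson (bundled with Spring Boot's web starter) and the JDK's ImageIO; the class name, the size limit and the accepted-URI policy are my own choices, and a rebuild of the 3D geometry itself is not attempted.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Added example: pre-storage checks for an uploaded .gltf (JSON) asset. Class name, limit and
// URI policy are assumptions for illustration, not an API of any library named on the page.
public final class GltfUploadCheck {

    // Bound on the JSON part. In Spring Boot the whole upload is already capped by
    // spring.servlet.multipart.max-file-size; this is a tighter, asset-specific limit (assumed value).
    private static final int MAX_JSON_BYTES = 8 * 1024 * 1024;

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Structural check of a .gltf upload; returns the problems found (empty list = accepted). */
    public static List<String> check(byte[] upload) {
        List<String> problems = new ArrayList<>();
        if (upload.length > MAX_JSON_BYTES) {
            problems.add("JSON part exceeds " + MAX_JSON_BYTES + " bytes");
            return problems;
        }
        // A binary .glb container starts with the ASCII magic "glTF"; this check handles JSON only.
        if (upload.length >= 4 && upload[0] == 'g' && upload[1] == 'l' && upload[2] == 'T' && upload[3] == 'F') {
            problems.add("binary .glb container is not accepted here");
            return problems;
        }
        JsonNode root;
        try {
            root = MAPPER.readTree(upload);
        } catch (IOException e) {
            problems.add("not parseable as JSON: " + e.getMessage());
            return problems;
        }
        if (root == null || !root.isObject()) {
            problems.add("top level is not a JSON object");
            return problems;
        }
        // glTF 2.0 requires asset.version; this is the "general keys" test from the question.
        if (!"2.0".equals(root.path("asset").path("version").asText())) {
            problems.add("asset.version is missing or not \"2.0\"");
        }
        checkUris(root.path("buffers"), "buffers", problems);
        checkUris(root.path("images"), "images", problems);
        return problems;
    }

    /** Accept only data: URIs or relative paths that stay inside the asset's own directory. */
    private static void checkUris(JsonNode array, String name, List<String> problems) {
        if (array.isMissingNode()) {
            return;
        }
        if (!array.isArray()) {
            problems.add(name + " is not an array");
            return;
        }
        for (int i = 0; i < array.size(); i++) {
            JsonNode uriNode = array.get(i).path("uri");
            if (uriNode.isMissingNode()) {
                continue; // e.g. an image stored in a bufferView; nothing external to resolve
            }
            String uri = uriNode.asText();
            if (uri.startsWith("data:")) {
                continue;
            }
            boolean hasScheme = uri.matches("^[A-Za-z][A-Za-z0-9+.-]*:.*"); // http:, file:, ...
            if (hasScheme || uri.startsWith("/") || uri.startsWith("\\") || uri.contains("..")) {
                problems.add(name + "[" + i + "].uri points outside the asset: " + uri);
            }
        }
    }

    /**
     * Rebuilds each embedded texture through ImageIO and re-embeds it as PNG: the answer's
     * "rebuild with a trusted I/O library" step applied to the 2D images. Call after check()
     * has accepted the upload; throws if an embedded texture does not decode.
     */
    public static byte[] rebuildEmbeddedImages(byte[] upload) throws IOException {
        JsonNode root = MAPPER.readTree(upload);
        for (JsonNode img : root.path("images")) { // iterating a missing node yields nothing
            String uri = img.path("uri").asText("");
            int comma = uri.indexOf(',');
            if (!uri.startsWith("data:") || comma < 0 || !uri.substring(0, comma).endsWith(";base64")) {
                continue; // relative-path references need the same treatment on each companion file
            }
            byte[] raw = Base64.getDecoder().decode(uri.substring(comma + 1));
            BufferedImage decoded = ImageIO.read(new ByteArrayInputStream(raw));
            if (decoded == null) {
                throw new IOException("embedded texture is not a decodable image");
            }
            // Copy pixels into a fresh image so no metadata or decoder state from the upload survives.
            BufferedImage clean = new BufferedImage(decoded.getWidth(), decoded.getHeight(), BufferedImage.TYPE_INT_ARGB);
            clean.getGraphics().drawImage(decoded, 0, 0, null);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ImageIO.write(clean, "png", out);
            ((ObjectNode) img).put("uri", "data:image/png;base64," + Base64.getEncoder().encodeToString(out.toByteArray()));
            ((ObjectNode) img).put("mimeType", "image/png");
        }
        return MAPPER.writeValueAsBytes(root);
    }
}
```

In a Spring controller the input would be `MultipartFile.getBytes()`: reject the request when `check()` returns a non-empty list, and store the bytes returned by `rebuildEmbeddedImages()` rather than the upload itself, so the re-encoded PNGs are what later clients load. The image decoder is still attack surface while it runs, which is why the answer stresses choosing a library you trust; what the rebuild buys you is that nothing from the original texture bytes reaches storage. Schema validation against the JSON-LD schema files the answer mentions would be a separate dependency on top of this, and validating the geometry and buffer data (which this example does not touch) is the part the answer says has no complete ready-made solution.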

huangapple
  • Posted on 2023-06-06 01:52:58
  • Please keep this link when reproducing: https://go.coder-hub.com/76408872.html