I am working on a site that allows models to be uploaded. the models are json format like this :
{"meta":{"format_version":"3.0","model_format":"bedrock_old","box_uv":true},"name":"crocodile","geo_name":"crocodile","resolution":{"width":128,"height":128},"elements":[{"name":"body","from":[-4.5,3,-11],"to":[4.5,12,9],"autouv":0,"color":0,"origin":[0,0,0],"uuid":"dc9860c3-1826-d5a0-5475-140558d9bcbd"},{"name":"head","from":[-4,3.5,-13],"to":[4,11.5,-11],"autouv":0,"color":1,"origin":[0,0,0],"uv_offset":[44,45],"uuid":"64585c76-5a21-4d25-e334-afdc62e32bec"},{"name":"jawtop","from":[-4,7,-19],"to":[4,11,-13],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[60,29],"uuid":"08ff348f-2450-1885-c0f6-1754cd0361e0"},{"name":"jawtop","from":[-3,7,-25],"to":[3,10,-19],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[0,45],"uuid":"ce05463f-09fe-45c3-f038-016152a1d962"},{"name":"jawtop","from":[-2,7,-29],"to":[2,9,-25],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[22,55],"uuid":"68004a0b-3d5e-1628-bc01-f97fc31d7add"},{"name":"jawtop","from":[-3,11,-17],"to":[-1,12,-14],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[0,71],"uuid":"1f51dc8c-bce3-f6b1-e3ce-b8bd95cfb0b6"},{"name":"jawtop","from":[1,11,-17],"to":[3,12,-14],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[10,71],"uuid":"a5e2642b-891a-8531-068a-f58f6773086d"},{"name":"jawbottom","from":[-3.5,4,-24],"to":[3.5,7,-13],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[58,0],"uuid":"ad1c59ee-6f3f-07ef-fcdc-190444c48dc7"},{"name":"jawbottom","from":[-2.5,5,-30],"to":[2.5,7,-24],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[0,55],"uuid":"750a2256-945c-2ea9-b2a3-eaf1af4b55ec"},{"name":"leg0","from":[3.5,2,5],"to":[5.5,7,8],"autouv":0,"color":4,"origin":[0,0,0],"uv_offset":[20,63],"uuid":"80425fb4-9022-e3f0-369c-4327b745fb92"},{"name":"leg0bot","from":[3.5,-1,6],"to":[5.5,3,8],"autouv":0,"color":5,"origin":[0,0,0],"uv_offset":[28,71],"uuid":"6afca6bb-c3b1-3284-1c00-ef2028a079aa"},{"name":"leg1","from":[-5.5,2,5],"to":[-3.5,7,8],"autouv":0,"color":6,"origin":[0,0,0],"uv_offset":[52,55],"uuid":"a7c6896b-f5af-9216-3cd7-0ad96fe57966"},{"name":"leg1bot","from":[-5.5,-1,6],"to":[-3.5,3,8],"autouv":0,"color":7,"origin":[0,0,0],"uv_offset":[20,71],"uuid":"675b7a00-486a-568b-9c51-09cef03b2abd"},{"name":"leg2","from":[3.5,2,-9],"to":[5.5,7,-6],"autouv":0,"color":0,"origin":[0,0,0],"uv_offset":[0,63],"uuid":"59aeddb8-d40b-8894-466c-ce509b62ef2f"},{"name":"leg2bot","from":[3.5,-2,-8],"to":[5.5,2,-6],"autouv":0,"color":1,"origin":[0,0,0],"uv_offset":[48,63],"uuid":"240ac047-9697-f70d-88af-2c948ef0a1a2"},{"name":"leg3","from":[-5.5,2,-9],"to":[-3.5,7,-6],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[10,63],"uuid":"269587ec-ed0a-74b0-0aac-d1e3f4b757db"},{"name":"leg3bot","from":[-5.5,-2,-8],"to":[-3.5,2,-6],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[40,63],"uuid":"97f9b166-f557-ac6b-853e-74e476343c85"},{"name":"tail0","from":[-3.5,4,9],"to":[3.5,11,18],"autouv":0,"color":4,"origin":[0,0,0],"uv_offset":[0,29],"uuid":"eee0a07c-244b-e299-cdbb-f4722dd1d4b8"},{"name":"tail1","from":[-2.5,5,18],"to":[2.5,10,27],"autouv":0,"color":5,"origin":[0,0,0],"uv_offset":[32,29],"uuid":"0688b6e6-6366-6584-3e85-b6308f361a30"},{"name":"tail2","from":[-1.5,6,27],"to":[1.5,9,34],"autouv":0,"color":6,"origin":[0,0,0],"uv_offset":[24,45],"uuid":"37baa016-fdda-f2d8-6b0f-cbec8889a45d"},{"name":"tail3","from":[-0.5,6.5,34],"to":[0.5,8.5,40],"autouv":0,"color":7,"origin":[0,0,0],"uv_offset":[38,55],"uuid":"89277697-7dfb-6b42-2ea4-3d66a07425bb"},{"name":"tail4","from":[-0.5,7,40],"to":[0.5,8,44],"autouv":0,"color":0,"origin":[0,0,0],"uv_offset":[30,63],"uuid":"dc801a46-d1f8-2afd-1221-cbf021fda901"}],"outliner":[{"name":"body","uuid":"08b60937-c59c-d629-428d-dbc1b47bf899","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9,0],"children":["dc9860c3-1826-d5a0-5475-140558d9bcbd",{"name":"head","uuid":"794cb49d-09ea-b58a-d62f-7909c5329824","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9.5,-11],"children":["64585c76-5a21-4d25-e334-afdc62e32bec",{"name":"jawtop","uuid":"864311e9-ad20-750e-c1bc-d9003d8e09fa","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9,-13],"children":["08ff348f-2450-1885-c0f6-1754cd0361e0","ce05463f-09fe-45c3-f038-016152a1d962","68004a0b-3d5e-1628-bc01-f97fc31d7add","1f51dc8c-bce3-f6b1-e3ce-b8bd95cfb0b6","a5e2642b-891a-8531-068a-f58f6773086d"]},{"name":"jawbottom","uuid":"ca3610f0-82e8-c919-0b09-cc448af7db2b","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9,-13],"children":["ad1c59ee-6f3f-07ef-fcdc-190444c48dc7","750a2256-945c-2ea9-b2a3-eaf1af4b55ec"]}]},{"name":"leg0","shade":false,"uuid":"1c25265d-b108-2e3a-b48c-1840a8679882","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[3.5,9,6.5],"rotation":[-15,0,-30],"children":["80425fb4-9022-e3f0-369c-4327b745fb92",{"name":"leg0bot","shade":false,"uuid":"ccf50fe0-f61d-a385-ae91-1b9cf1cd704a","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[4.5,4,6],"rotation":[50,0,0],"children":["6afca6bb-c3b1-3284-1c00-ef2028a079aa"]}]},{"name":"leg1","uuid":"742bd91e-8c68-346f-8171-5fd796e5168b","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-3.5,9,6.5],"rotation":[-15,0,30],"children":["a7c6896b-f5af-9216-3cd7-0ad96fe57966",{"name":"leg1bot","uuid":"f9aac351-dd57-f3c7-8888-aecf46f41bf0","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-4.5,4,6],"rotation":[50,0,0],"children":["675b7a00-486a-568b-9c51-09cef03b2abd"]}]},{"name":"leg2","shade":false,"uuid":"756ef132-6c43-8a05-f00e-89efded63842","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[3.5,9,-7.5],"rotation":[-15,0,-30],"children":["59aeddb8-d40b-8894-466c-ce509b62ef2f",{"name":"leg2bot","shade":false,"uuid":"dccb0f87-61fd-f919-3e77-ea01d2b7b921","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[4.5,4,-7],"rotation":[50,0,0],"children":["240ac047-9697-f70d-88af-2c948ef0a1a2"]}]},{"name":"leg3","uuid":"8b2f9b00-b22c-5b3c-a530-436a5d9d4a7a","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-3.5,9,-7.5],"rotation":[-15,0,30],"children":["269587ec-ed0a-74b0-0aac-d1e3f4b757db",{"name":"leg3bot","uuid":"a91c7b0e-3d6f-4a0e-18bf-c83531e1ef2e","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-4.5,4,-7],"rotation":[50,0,0],"children":["97f9b166-f557-ac6b-853e-74e476343c85"]}]},{"name":"tail0","uuid":"c3e0f719-cb90-e79f-8664-3b6bc1531c0d","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,9],"children":["eee0a07c-244b-e299-cdbb-f4722dd1d4b8",{"name":"tail1","uuid":"0f292741-56cb-0d10-fc48-bb6e00ca2755","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,18],"children":["0688b6e6-6366-6584-3e85-b6308f361a30",{"name":"tail2","uuid":"38c0f23e-4aae-37ba-340d-95a042b86cbf","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,27],"children":["37baa016-fdda-f2d8-6b0f-cbec8889a45d",{"name":"tail3","uuid":"ba8b9331-6926-6d51-3f9c-b206a4f971b7","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,34],"children":["89277697-7dfb-6b42-2ea4-3d66a07425bb",{"name":"tail4","uuid":"e70eca10-4cd6-05eb-d828-02e363c9a3a5","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,40],"children":["dc801a46-d1f8-2afd-1221-cbf021fda901"]}]}]}]}]}]}],"textures":[{"path":"crocodile.png","name":"crocodile.png","folder":"","namespace":"","id":"0","particle":false,"mode":"bitmap","saved":true,"uuid":"c62c819f-3c1a-aefb-00ff-415b02e2f7ac","source":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAcyElEQVR4Xu2dCZRddX3Hf/fts89kxQhZCEvUo6BQDQlJCG5d1IoeJCRshpAEEqEICNJqrYpiW3tsKWpRsFVL4egBUYvVgiACcupCrdoAAZIANhCyzJLZ3nJvz+f3v7+XIcyb8zLzcucm3Ms5zMvMe/f/f//f97cv15MGX8fO6wgqvifpVCDDRU8KuUCGip40FwIpljxJpQJZfdYiSac9SadTUqn44vuBFPJZ8VKeVMq+lEoVueb6u70Gb63u2/3jp88IHr3l19JTKlU/05HNyhtXnyDlMvv19ffpTErKJV9K5Yq0NOfkQx/7zqTtue4vt98bG77h447uCLgpRE+nRAIWDDzJ53wFBGd3yfmLJZ/LyOBQUZqbcrK3f1iy2bR4nifZTFqGhktyzWcnDwAv/vfVwTXv+9bLAHD9HWfK1771WwUBBC+WKlLIZ6R/oKggvvZzP2j4eY6XsPV+ruEbnv3qziDliWSzTgLkso7zkQDlikgmLbJ21VIZLpaV61MpTw+yqZCVvr1DThoUsnLFJ7/X8L3VeyhjSYDBwaLuD2APDZVUgrH3IBC5/K++O2l7rve77f++hm94/pyOwPNEuX+4ZLeH8wNJp0X4zcXnLlZxz38V31euD4JAKn4gKc+TXC49qeK0FgBWXnGkbNozVYaHy5LJpGRwqKT7RooNDBTlo4kEEDlmTodKfQ8AFD0BDHAHnI/+BwCrVyxSrslk0goMDg8gYBMABtTBpR+fPH2KCnjyil/IV7dsUTWA/l8zb578cnm7cj1Si72jqpBiKgl8Xz56faICZM6RnUE2YwYfhA8UAL7viR+I8LeNF5wmA4PD0tSUU4IjRiE+QDCD6s8+MXniFAlw0n298p87dsi2/n6Z09Iib58xQxbec4/8wyffK6lUSoaGipLPZ3XPTU0OBFdPot0SGxWwYH5HgK6H85EAcH7Fd4THO/ArIhsuWKyg0P95IrlsRoqlshqGcBY2wYcnUZ/ee+PSoPmO7MsAgARAYmG/IMFQAewZI7a5KSuTCdpYAQCCYwMAhErFU4MJScDrfC6QD57lAIAlDVICP9CD5T8sbCzryXSpTAL8dOdOGfJ9KaRSsmTaNKcChksS+CKZbEr8Cvt20gu7ILEBROT4ozuCwWHH+SYJIHY2Axicd/DBDyxSscnB7d07rAYVxhT/5r3lcmVS9akBAK4CBBCf65jPnyw33/4bNfpwWff2D6khm0o7m2AypVZsJMAxczsCOB2DLwjcTww/PIKmfKA/165cqAcGtyM64f5cLqNchCoABJPpUwegcd06eeSpp6oAWDh/vtw4+0U9Z/aJp6Kvi0518R0u+8u7Gu5VjZew9X6u4RsGAKUyfCFq9KUIBiEyM84LgLgXn7dU0ilPhobLKgnURUylVJciDXLZ9KTqUyTAhmemvwwAOy/pkm/cuUn3jv5HVQ0NlcUPAslmUnLVdf/e8POsl5DjfV/DN4wRiPHHBQBymUB/EgPAAPQDT9YTB/A8KZXKkkmnpdCUrYaAiQ/gZjU6EPTZa/4oUJdtuCRtrQXpHyD6mFHCYYmiy/kb+2oq5PTvAFE5PJ9RUQ843fdy8QqAy/sRGLwPiaaSIRANFo11bfyLOxt+9uMBQcM3gRtIJDCd3ucKEv7NZwONDZTLnlxy3qnq7kFoDhF1ADdxEVY9GHH1L3ziPUG54oJOEG14uKRr47/jzmGIQmiikQAETwT3lD0i4slPAJhypaL7hcioK0DCe919sXN8GRh03gH3q3UdtgA4enZnAPHVzVNPDw5xXgAHhDRYf85SjQQCFNSAxgJ8v0qESiWQKz7V2FDw33383QFcysV6cKgGddKAoSwtzXlVQW2t+TAwFUhrS14GBosq8olSApxKuSJNzTkFBp9HMvBVATCgJohVHEYthF5ODQQc1gCA4+F2rH7zBiwegEpYf97SahYQDuJg4SLEUTaXVoJMZjJoPKL0UP1Mw1UAEgBjjwQQF34/nM6/zShcs2Khik4sf8uolcI0az6XVf2bACAaSDUcAFoPUHG3dalgFwlE/JsU2HDeqSoqR6aDW1ryqgIsKXTVp7/f8L1Fc6SH1ioNP+T5czoDz3OZP4hv0UD+zWvsgctWL1EbgIAP1jRSAH2LTlUjK52Wj3zm0HOpDi3Su902HADUAyD2IT4in/g/RMcLID7A7z580TI1/gAAMXWkgaYFPFFrG5vgUMytJwAgXDrX1QMAgBS+vy9qA2hwyHNRwQ0XLFNCYwNgTaPzNTJYqkgGo1BErkxUQCR48uYe1YnaVQ7VtG1AWRZpGRe4gZjlUKdDQPx44vlwdjbtuJqLiB/G3+xXd8rzO3r17xoClEDaW5ukr39QDcF5s7vkmed2V6WDeQp8lnVYj72YuiCHwEUImZVSXiClMKmkIWcvkHwupSqkr39Iy8/4QjOmt0lv35BM7WqRbCYjd9/3ZMOlXSQUOsiLeFjtEF59dQivFX1k8wIplp2vDpEKeUdsE9UYdpR7QWP42nz9Qj4tq85YqAWTxWJFrX31BvIuXn7LbQ+q+Ld0sRWM5HKAy8UNnMHoAAkoeA0A+LdGFFmTaFvOxRZIznzg3SerKiHah2oBwBSY4u/fdtfP5cGfP5cAYBQwefOO6gw0fUvFjnJ7mKb3HPdbKHfk4UMUuJ+/m4Tgc+byUfMHASAE0TMQhrFHlOxfvv2w9PX7+nmTLLzX1IYrJ3MSCDBoTAEQhtFEJWyFezkvAxC0tuTkzHedrGpEo3blihqUAIPX9z64SX74k6cTAIwGANK3EIJDV260A3aVz66QIxTNvIbQSjhn5+nfuRDvEINy73Pfv1APH+ueJI+WThVc+vfLX7+/GiNQwoe1ApYtJJVMLQH3hfjcV8GZcvEEtVxDmwKJxd7WrlzkyrSyaclQao47qTWIbm0kw+WTWGF0kKX4hG7vWRUvIrgUBmtI2yKOy+j5jAOGSQeIgyqwWD9qgN+pni56snbVKVUxTHKEsi+IY9kz1MDf3/yASguIzVqUkDuCE3J1a7lwsuN0BWK4Du8FeWqnhDYLySUul2IOw7FFl1ZmPaRCo0PLEzr1GH3YG5m+Rc/D4cbREFdr+SBKyul8iG+GGBwP56qYVtYU2XDe4lCeY0T6mjnTen9i5GHu/KZ/fUCJDwgAnXE1n097ZA+9ajEJfwUMgMyAov0GYa4BO4UqY9xJLdAgm9eU0zcggQwAiVs5OuqqEkD1vRLc+e6mh625A+6GM5VooTGoehmfX5xUgCvXnbNUXTwyeoR3ybpBFLjQUVrkxq/9RMU6n3eAcvdB3FsVEZ6AWf5IJy5TAYAH8Jntsv7cZZqAQfSTlEH0I3HYgytHT0lcki8xYn5HDrwAiG86l6PmoDlkmjngOqxw9D6/1wqfUBcDFtw03sPf+Oy6VYvU2IPgpF/VFkAcq2fhon633PaQfoYLwnMfgEaQyCQOXM9rCyerGlL14z6joYbAAWj9uYv0XlZcgv5nbSM+dQfXfu4/EiNwFPR582Z3qsmNQYWP74jq/Hx+x6np67QDg+lnjC8zwiCcieo1Zy+u1syRW29uzqkUgFjqq+8dkq/c+jP9AKrEgAP343FwqQcRGp7movI+LSwJi02t5xBgrFu1UL0NFtEWM+oMKoFKAewP3nP1Zyav1SxuXD9yP3VxhcYKwtgAhDHdDSjWnrNE/f32toKKfrO8cfsaFc2jyshJB7d1AKndRQoUX4GFZJlIFRHeEGsgUfheXGaUAqCff2+dXL/iLukuFqs9gzSMdOZy8rebNqHm6jrLuIGhrk0jJeBO1AJiGEKY9X/h2aeqy4XhxRn4ga91cljjf/7XjRG7Vmns3FCn/88/c5FyO4EmfH1AOJFCUuIhqo5CEGADmX3C76Z0dsrp5cKoAPhxZkge/e3Wus7y0ATAUS7H7wdpSacqUvHTktGfnly08hTleufyZbWYwziyUWXSEAd2B3hWWXTp6uVah4d9QQkXTZsT6cyxeAhGKK4pxLdmVsDwpStPkLtv2PHKBMBx8zo0XIxVbhU+Ll5vBZ6o30CLKXHFqLGj2+dDH2tM4aO5qsY9uKsbL1iusX58f9ZGGkxEBcx5dWeATYPYR7pBfLNPsDuam7vknX6zlHxfQcCF+M+mUvL2DdPkrRseOHwlAIWemiyCDfGvy66RA5F58XnLXPCFRk86fEPLHwOsUUUdFJmYq4mFyLoXrVqiUUbEP2BDCk0EcMfT0oZLiqTzPfU2TKujch68Y7186dy7ZaBSURBwQfzmdFruDPoObxUAB1qJF9xHTAA/nqDNZWtO18JJm/QBJwIIpMBEOHKkrgQARaKF4awBwEhvAdb+4GBJg0AYoBMpIgEAgItMoxqBYX0CsQauttYu/XmG16Yg4DLi/+ibZ8n0Ez93+EqAfV6Ac9II0WKQuS6fU1xtvw5JCDQJw0mSlWtUpwz6eV/a2UUF16xcolKH0my4H6+jnmif2hMi4rKPrnBBq5X9fVlIC3SZNCAmwWUZTCQChuFIYNQy7uJuHNaF2qPndAZk7ywCRzzAIoKXr1lWHfaAj0/a1wJBjQIAEgCpw5r6MxvojAEA19pCDX9Zjc96vA4bYQPB+B42u0BT21QwVVxmFG3H4QwMOZvAQtFqH4xIi3d2dI5p2B8WAMAGQPRTIKLZwrDMi0NZu2pxleBW259Kp5QrG+UFsD6nbDkApM/qFS7+jwpobc2rF1BPaxYAIP/g0tjO4reIIqLfVIALQDmAWEJMDUMNRHmSSblgWUf7IQ4AJW4YV1e/N8zs8cUt6pfNFrRxAg6HEqZzCfPu6e5RDrDkDPeAU42z+NnZ3iTt7U2y/YVudRdd14wr/x4a9sOGEddi4QpAXMjZ1RV6suCYWfLc8z3avjV7Vpd09w7K/z2/R99DRNIVqzjCwKHWmtbW4tq88rm0dPcMamtX716KTl2xC59Tjg+/s3U1W2OrFp6ENQfcn30h+s0eMe9gLBEQewmAfuUL6Eg3uAHRGLZ3czgcaC7fJNTrc2mnTDqlROzdOyh+heoeR/AwGqui1TKF/OzqaJFV73tLtasW/50pGzff+oAMDO0L8XLwHKqqmpAzEbdTp7TJKW+ao4GmRx59RoM/O17c5RpPw8AN3Gnra51COpC3LVkg8+fOUPuAkPB9Dz0m3/nR43WpvbgFbA7WfjQdDKdrkUVYGGJlXxADEEzp6pBd3f1Vd0trCHMZ6e4dkEqlojoZ0ChHhdlEK+niHtOntmrFDn1/NGNSDKojYQaLcuM/P6TWvbbbjSgBAwSWoZw2ZYoMDBWlq71J+pnSlc/I77fv1sCQgXZwyBmm6G+bTuZG0RTVVgA8SLHJnD10sIg4kft6uD8QT4MeoY+NeLQEEezipV1RRyadkZamrBLBLPDBwUFXEBqWbUFIDCcyia4gQ2Tj6tNclXDK0767fNg5OzhQlFtuf7gquq3WALGvQZlQ5x4xc5oaevQMQtD3vuN18o07fqnAs34DVAHiGYljNQ2XXbhcM4Lus75GDJO08Evh4qECrAzMRDnGDYSHo7QQJN+sfrYbjVaWqZ3Nsqd3UGZObZMdO3cp13NZhtAmhPI79DKJG9xEiIENMFykRCyna9zwtQeqARc1wsJqo+r90qigZpk1s1129wzInFldqgIe/sUWLTvX/EBYmczn2S/7IW5BA4q2nxXLGjAChBMJF0+E0+L6Wc+GOtmBI47NoLOAz6yZXbJzz17paGuStuacdHY0yeatu+TII9rliae2q+rQ4ZAjyrQw6JxKEblszTLlfESwjYLp6R2UtraCXHoIjleNKzHHsy8PL8B0vrpEWk7t6gEhKlx11nveLOmMJ317h+V/Htsus2a0y8lvOFIe+sU2efQ3T6voBSyWrbMYOiXjTYVAgzYatmW0KhNBKohp1wHUqGjheL588pkxWsM0Px4adOpaUZ2bCuRn39kXE+cAJxILxwDVhtGKyKUXLldA4BrWU7xhQ6lJU1uiCv2vwRxf5MIVi7QwxRWepNSFxPtwg6kzkzqCJk7Aq+kSccAu/eq8A7gbS3tqV6ecne7Q8WlcjFA7aW3HuLJhJn0w5tasXKzuWrrOaVuoLotbAEy2o2VrYcnamhWLNTmF2nHjYFxRKpFD/n0oTvU8GMCpCQCLv5tnoLGBTCCbt3TL35x44kv28m+VnnFlw46d26EJRlTGhguWu1zCcFmuHqMz+MTXTguo9ScNTA8Ar6d0tkh3z0A4rMkNJCYXgatKIIiWsd6+QTl23kz1IghIEZvY3dMvv3tizys6LlDzyxMyNffQ4uRY1lO6OuWLM+fr+DQuZugxP2882TDrStLhkR9YVK0cHquG/6TXTw/wJADLij99i36GELR6HGVfPRXaz1wEMCPTprTKtt/vqs4hxh1EKuzcvVfmz5ku3793cwKA0USLpmBV74ddOSlnMJAXZ5DyyOuSF54alwQgy2iuGxKgnrn7rz9+SsAkLojP1b9rQAZfGJB0IS19W3vlVUuOVBDc9cNHZXf3QJgwyisYkC4DqINcRppDyZBIgBqKhUEPlirFDiAyx0Vt3K8WvUNn6HExQPHHJzw2LhuANYix431s/OBy9TLg7LGyetd95A8Dm7614zcvyrObXpSZr5kmu7d2S6E9L1NmtsqM107XSmRiDwSsvv7tn6m6YEC1jqlhSlixrGrnlR4Y8ij3IvJnyR+IiitoFbj74wMwmL+vbdph3ICSqdGusZIhtKZjwBF4WrfqFCU+AaKxsog3XndGgCWPtNj9+G7V6Xt3DMhw37Ac/8758vxPnpW5fzxf6xMJ/ry4q1+OmtWpDaKbt7yg4ewTX3eUnPknb5C2lpyc+v6bXtkqAC4kSIaotwYRdL8VPOxPVCJtEB3QWKUw7ldLy+gA2NPTXS2zttZzuB674ogZU6Sro1le2Nknu3YzU8AZhACMhBL3BxxHTG9WYk7paJG3LX2tmyNU8aV0z3bpm5UTnwxjZ15S+bQU+iqSmt9e7Qp61cxWec0xXfL0tl55/YJpWkb+yK+2S6HAlO+SrLnqW69sACABILLG/8PwrzWJjsbRLoXqyqYs5Ercv6lpdAD09u3RlK51ExMcsh7EN7/xaOnpHZJTTpojN9/2iOv2sWETnmsVQz2c/d43S3trQTZt3i4LjnmV5hQQ4doC9oNnJb38CAmeGxD/8R5pe89cBYiNmunrH5b2tibp6ihILpeSQi4jW5/rUYD09A3JtZP4cKqD4dYd6D0POvrx9bXtPMwXwPmWxn3dgtmqm//gxKPkpm/+tDpKplqCFRafEEp284Z5UANP53BVwNotFL5GheHf85MWdZfNEPnd5h0yc3q7zJ7V/pKzeWFnv4anP3/T/Qf9DA6UKFG+v+aXHzkz32blW/Enh0wnEGVY9bZdW1UPALB2801vPUu/62vuvV0ee6qnLkJgN2w8/9S6uo7mMrY2Fbaa+yJPbqtvjSgJMNlr1Tx0e26ObXDgfSX5r2db1IjS6vBwzm49YVvuQWDJHiWH4fflq06Q03+9QG/PFO564wi4pxeuWFzXIEkzcM2WeGpbd10gm2yiRLn+mBLARqbbrHwkgJvxn1Prm9Kweipx+UL4/JY2his72507yfWmh39UdxyBgRZXrF1WV8UxuQarI8SofXJrIgH2B1dNADx+/6XBcbcOVd//xMqCfPeep3Xog45IF6p40nWrAEQ3i1lr10N3rpd3nHO73v9A6urh6g+tPr1mEwjhZR09Exa4aI1jYMMlXHs5huXjTydg4OzHlAC8ASlgT8ogh09Ezc0QoHfOrxm3HxlJHFmBixSwxI3NF8KY29+NrBU/QAJctf60ms8UsjmFFIlgTGq3T1q0itfmD7BuAgDH22MC4Kx3HSe3f/8JfSOvv3HH/2oxJ9Y23cAMXqhlA5j1b1O+uIeFlXEzcQVtSAQA6dqvvr4WAFAlH15bO4KHBCBApWnicE2LL5DSVtAFIpsTdeAAcMOniKz5qtupnbOqHfxogwgFHLhgpFfxvUENrhheALl1yq72vyYaYrX6fZsUonMJM4FcfP4yueGWB6rzijRoNOwmiUzrzMqunlIYo9ivxYvnF3kusIQRmtgDIXl5kIKb3G3PwWW8W9mVUvM4tKFSNc0KCGyUqyZuKr4UmnLVYZAjQTBRAJAptEolRDfRR4i3fPHxcv/Dj2kxKJIEm8J6+q9cd5p84av3qWDT6SNh2bjZAzZhBDAlABhFBWBgGYcgnp/5/ehu075iDKdjtzw7+vt4jrBVDLPcWHoXn/3K9bVFO7pfRVY4vHJ/EW5/10CTJ/LElsTIq8edfIkNgOFmvQCEhrc9V4uwnQFzBLVXr1T7fXCxiXA4dSyioNsvv6i2cWcEJhmFCK8FAK1izoy9Vj0H80p5z0sAYPl5jCj+8PQzowPASrngNLpsn6jhUjFaBiMQt4u4fq37cdg8dPri85e+rEiUZJUNikIE8Npq/wCfNob4+4ZJWxIrkQT1QdjD2NLpYOGkLysA1a4b5vOFEMHQsovkD1XAFtixLKKOcUMv06ETtnjxKZ0rFDaduOcJv9wII05w5bqXqwDtXAqnk2pPX8n1HtpUMTdNzPUUsibSgT1ro4gvsrWGFKvveA7/d2k9gBlH5ia5CeCuC1jHso5ouBzpzvEwSG0JC1XByDSxEUqfGBKOXRmm3SusLGJN1z7mgLTh/FPln775U0e4cHr5xgsWy1dufbA6h9jFEBwQzce3qeU2Rs46nPgu7Cdx98YGsUoA7ckLx6NBIA4RwiLe3aDofQ+B4nb6CNhwYgf/tkfFUqVr9YM2WNIkCs2a2llLircQyON1Jn+sMon76QzjiruHRhUz4Yh7gBEKK32OQThvkCqmWobs4c/b9X1Dzypzddp32C7N4erUDOVSd+DWb8dtjdNtkji/GynidYAUXB/W7Lux8PueJQxQahmY9W07eVejTkAlgOvDd8SGs3kNt9HkCRC0+zcc7aoSoOD66tHNTqeHD5gI9XP14Q6Wig3vjaSx+yQAaBQJJ3afl3gB5mrZLWuJz3reN9Jtg/D7xwrs7xiUSJckMDMxQo730wcdADZVbH+OrwZuwp7+JDkzXhJO7HMNBwBGm831xV3DmLSHQtggCix43EVL22qKOHQXEyBMjKAH+ml9XsD+H3rkM91y7CUZ2fzFsiy81g1BGu13oy0GsXHNXJOm88U1EER6lhEw4QMlLX6vTxUPx8DyMwHAgZJwYu9veImUPTrWCj/ssbFWSYyB6PIDbiyM5ejdkApJvIOJ0fOAP91wANhkcXtYNHEAXuv8HiJ64QOn7PcuCOUeE8Pk0aRw84BpOKEPNBwAE9pN8uHITyABQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7+b/AZovzmIGTS/bAAAAAElFTkSuQmCC"}]}
The file is called crocodile.bbmodel
I am looking for a way to allow users to upload .bbmodel files that is safe so that no web shells or malicious code can sneak its way past the upload can you guys help?
Advertisement
Answer
From what I know there is no magic button that will let you do this. that said the first thing you will want to do is make sure the uploaded file is valid json. check this Fastest way to check if a string is JSON in PHP?
Next you will need to define which fields in json are valid and what types the value should contain. for this I would create a skeleton versioin of the json string and store it a database field. Examining your json further you might need multiple skeletons for the various repeat or nested elements. eg one for meta like this
"meta":{"format_version":"","model_format":"","box_uv":}
you would want another skeleton for elements probably describing the keys for a single ‘element’. and of course validate the textures.source nodes against a base64 encoding.
Next you will want to decide what are acceptable types for each of the field values. compare each field of the submitted json against an acceptable type you define.
once you do all of this validation you can be reasonably sure you have a valid file…I won’t say secure or non-malicious but, done properly it will help you ingest the file without errors.
Still not guaranteed to be ‘secure’ but, it is a reasonable approach and would probably satisfy most due diligence critiques. If anyone can improve and provide more steps or different tricks to secure something like this I’d be glad to hear it.