chore: uncontrolled data used in path expression fix attempt #2
Jumas committed Jul 2, 2024
1 parent 2f14b48 commit be9c150
Showing 1 changed file with 1 addition and 2 deletions.
Expand Up @@ -29,7 +29,6 @@ public class MediaUtils {
private static final int RIGHT_WHITE_AREA_PX = 30;
private static final int PDF_TO_PNG_DPI = 72;
private static final String IMG_FORMAT_PNG = "png";
private static final List<String> RESTRICTED_PATH_ENTRIES = List.of("..");
private static final List<String> ALLOWED_FOLDERS_FOR_BINARY_FILES = List.of("/default/");

@SneakyThrows
Expand Down Expand Up @@ -116,7 +115,7 @@ public byte[] overwriteFirstPageWithTitle(byte[] destinationPdf, byte[] titlePdf

@SuppressWarnings("java:S1168")
public byte[] getBinaryFileFromJar(@NotNull String filePath) {
if (RESTRICTED_PATH_ENTRIES.stream().anyMatch(filePath::contains) || ALLOWED_FOLDERS_FOR_BINARY_FILES.stream().noneMatch(filePath::startsWith)) {
if (filePath.contains("..") || ALLOWED_FOLDERS_FOR_BINARY_FILES.stream().noneMatch(filePath::startsWith)) {
throw new IllegalArgumentException("Attempt to read from restricted path: " + filePath);
}
try (InputStream is = ScopeUtils.class.getClassLoader().getResourceAsStream(filePath)) {
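Review bot: The guard in `getBinaryFileFromJar` still decides on the raw `filePath` string, using a `contains("..")` denylist plus a `startsWith` prefix match rather than an exact allowlist or a normalized path. Its correctness therefore depends on every traversal spelling containing a literal `..`, and it also rejects legitimate names that merely contain two dots. If the binaries under `/default/` are a fixed set, matching `filePath` against the exact known resource names would be tighter and easier for static analysis to recognise. Separately, the exception message concatenates the rejected, caller-supplied value; if that message can reach logs or an error response, drop the value or strip control characters first, e.g. `throw new IllegalArgumentException("Attempt to read from restricted path");`. The method body continues past the end of the hunk, so how the stream and a missing resource are handled is not visible here.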
