From be9c1501a89db6959c9c4de49950c872733fce66 Mon Sep 17 00:00:00 2001
From: e551763
Date: Tue, 2 Jul 2024 11:49:01 +0200
Subject: [PATCH] chore: uncontrolled data used in path expression fix attempt #2

---
 .../sbb/polarion/extension/pdf/exporter/util/MediaUtils.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/java/ch/sbb/polarion/extension/pdf/exporter/util/MediaUtils.java b/src/main/java/ch/sbb/polarion/extension/pdf/exporter/util/MediaUtils.java
index e180383..9e22da1 100644
--- a/src/main/java/ch/sbb/polarion/extension/pdf/exporter/util/MediaUtils.java
+++ b/src/main/java/ch/sbb/polarion/extension/pdf/exporter/util/MediaUtils.java
@@ -29,7 +29,6 @@ public class MediaUtils {
     private static final int RIGHT_WHITE_AREA_PX = 30;
     private static final int PDF_TO_PNG_DPI = 72;
     private static final String IMG_FORMAT_PNG = "png";
-    private static final List RESTRICTED_PATH_ENTRIES = List.of("..");
     private static final List ALLOWED_FOLDERS_FOR_BINARY_FILES = List.of("/default/");
 
     @SneakyThrows
@@ -116,7 +115,7 @@ public byte[] overwriteFirstPageWithTitle(byte[] destinationPdf, byte[] titlePdf
     @SuppressWarnings("java:S1168")
     public byte[] getBinaryFileFromJar(@NotNull String filePath) {
-        if (RESTRICTED_PATH_ENTRIES.stream().anyMatch(filePath::contains) || ALLOWED_FOLDERS_FOR_BINARY_FILES.stream().noneMatch(filePath::startsWith)) {
+        if (filePath.contains("..") || ALLOWED_FOLDERS_FOR_BINARY_FILES.stream().noneMatch(filePath::startsWith)) {
             throw new IllegalArgumentException("Attempt to read from restricted path: " + filePath);
         }
         try (InputStream is = ScopeUtils.class.getClassLoader().getResourceAsStream(filePath)) {
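Review bot: The new `if` in getBinaryFileFromJar is a pure rewrite of the removed list lookup — `filePath.contains("..")` rejects exactly the same inputs as `RESTRICTED_PATH_ENTRIES.stream().anyMatch(filePath::contains)` did — so if the subject's "fix attempt #2" is meant to clear a taint-analysis finding on the path expression, this is unlikely to do it: substring blacklists are generally not recognised as sanitizers, and the guard still validates the raw string rather than the path the class loader will actually resolve. The robust form is to canonicalise before comparing against the allowlist, e.g. `Path normalized = Paths.get(filePath).normalize();` followed by `if (ALLOWED_FOLDERS_FOR_BINARY_FILES.stream().noneMatch(folder -> normalized.startsWith(Paths.get(folder)))) {`, which both removes the need for the `..` special case and is the pattern analyzers treat as a valid path guard (it needs `java.nio.file.Path`/`Paths` imported, which this hunk does not show). Two smaller points: both `List` fields appear as raw types in the hunk text (`List ALLOWED_FOLDERS_FOR_BINARY_FILES = List.of("/default/")`), which should be `List<String>` unless the generic argument was lost in rendering, and a short comment on the guard such as `// only classpath resources under the allowed folders may be served; the normalized path must stay inside one of them` would record the intent for the next reader. The body of getBinaryFileFromJar continues past the end of the hunk, so the handling of a `null` stream from `getResourceAsStream` is not visible here.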