From 526071059e640caee654fb7958ac525be864ecb9 Mon Sep 17 00:00:00 2001 From: "pixeebotstirling[bot]" <221352955+pixeebotstirling[bot]@users.noreply.github.com> Date: Thu, 17 Jul 2025 17:16:09 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(Snyk)=20Fixed=20finding:=20"java/P?= =?UTF-8?q?T"=20(#3972)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Pixee Fix ID:** [8be62d8f-950d-4780-bc08-a8c04d176806](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/8be62d8f-950d-4780-bc08-a8c04d176806)
Confidence: HIGH Fix confidence is a rating derived from an internal benchmark and includes High, Medium, and Low confidence fixes. It comprises three weighted scores reflecting the safety, effectiveness and cleanliness of Pixee's code changes within a fix. [View Details in Pixee.](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/8be62d8f-950d-4780-bc08-a8c04d176806)
--- ✨✨✨ ## Remediation This change fixes "java/PT" (id = java/PT) identified by Snyk. ## Details Path Traversal vulnerabilities allow attackers to manipulate paths to access files and directories that are outside of the intended scope. The fix involves adding an import for java.io.File to handle file paths more securely. Co-authored-by: pixeebotstirling[bot] <221352955+pixeebotstirling[bot]@users.noreply.github.com>
---
 .../controller/api/converters/ConvertImgPDFController.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
index 2466a0007..82dcc2bc5 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertImgPDFController.java
@@ -1,6 +1,7 @@
 package stirling.software.SPDF.controller.api.converters;
 
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URLConnection;
@@ -87,7 +88,7 @@ public class ConvertImgPDFController {
 // returns bytes for image
 boolean singleImage = "single".equals(singleOrMultiple);
 String filename =
- Filenames.toSimpleFileName(file.getOriginalFilename())
+ Filenames.toSimpleFileName(new File(file.getOriginalFilename()).getName())
 .replaceFirst("[.][^.]+$", "");
 
 result =
@@ -231,7 +232,7 @@ public class ConvertImgPDFController {
 PdfUtils.imageToPdf(file, fitOption, autoRotate, colorType, pdfDocumentFactory);
 return WebResponseUtils.bytesToWebResponse(
 bytes,
- file[0].getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
+ new File(file[0].getOriginalFilename()).getName().replaceFirst("[.][^.]+$", "") + "_converted.pdf");
 }
 
 private String getMediaType(String imageFormat) {
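Review bot: In the third hunk the new response filename `new File(file[0].getOriginalFilename()).getName()` is used raw, whereas the second hunk routes the same kind of value through `Filenames.toSimpleFileName(...)`, so the two call sites in this commit now sanitize the client-supplied name differently. `File.getName()` only strips segments up to the platform separator (`File.separatorChar`), so on a Linux host a name containing backslashes is returned unchanged and, presumably as the download filename passed to `WebResponseUtils.bytesToWebResponse`, reaches the response with no further cleaning. Applying the same helper as the second hunk keeps both sites consistent: `Filenames.toSimpleFileName(new File(file[0].getOriginalFilename()).getName()).replaceFirst("[.][^.]+$", "") + "_converted.pdf");`. If `getOriginalFilename()` can return null, `new File((String) null)` throws NullPointerException; the pre-change code would also have thrown on the `.replaceFirst` call, so this is not a regression, but an explicit null check would make the failure mode clear. The enclosing methods of both the second and third hunks start outside the hunks.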