From 76d150289e97d8be471a30af6d500fc80bb31cd1 Mon Sep 17 00:00:00 2001
From: "pixeebotstirling[bot]"
<221352955+pixeebotstirling[bot]@users.noreply.github.com>
Date: Thu, 17 Jul 2025 17:16:50 +0100
Subject: [PATCH] ✨ (Snyk) Fixed finding: "java/Ssrf" (#3973)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
**Pixee Fix ID:**
[54568072-e1ef-4428-9da3-46b9197f6dcd](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/54568072-e1ef-4428-9da3-46b9197f6dcd)
Confidence: HIGH
Fix confidence is a rating derived from an internal benchmark and
includes High, Medium, and Low confidence fixes. It comprises three
weighted scores reflecting the safety, effectiveness and cleanliness of
Pixee's code changes within a fix. [View Details in
Pixee.](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/54568072-e1ef-4428-9da3-46b9197f6dcd)
---
✨✨✨
## Remediation
This change fixes "java/Ssrf" (id = java/Ssrf) identified by Snyk.
## Details
Server-Side Request Forgery (SSRF) can allow attackers to make
unauthorized requests from the server, potentially accessing sensitive
internal systems. The fix involved adding a validation check to ensure
that the 'operation' parameter matches a safe regex pattern, thereby
preventing such vulnerabilities.
Co-authored-by: pixeebotstirling[bot] <221352955+pixeebotstirling[bot]@users.noreply.github.com>
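As an added example (not Stirling-PDF code) of what the remediation paragraph describes: the same character-class check on `operation`, with a null guard and a second check that the concatenated URL still points at the base authority and path. `BASE_URL`, the class name and the sample inputs are constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not project code. BASE_URL stands in for getBaseUrl().
public final class OperationValidation {
    // Same character class as the patch. Pattern.matches() is a full match,
    // so the ^ and $ anchors are redundant but harmless.
    private static final Pattern SAFE_OPERATION = Pattern.compile("^[a-zA-Z0-9_-]+$");
    private static final String BASE_URL = "http://localhost:8080/api/v1/"; // constructed

    // Mirrors the patched check, adding the null guard the hunk does not have.
    static String buildUrl(String operation) {
        if (operation == null || !SAFE_OPERATION.matcher(operation).matches()) {
            throw new IllegalArgumentException("Invalid operation value received.");
        }
        return BASE_URL + operation;
    }

    // Defence in depth on the result: the final URL must keep the base
    // authority, stay under the base path, and carry no query or fragment.
    static boolean staysOnBase(String url) throws URISyntaxException {
        URI base = new URI(BASE_URL);
        URI target = new URI(url).normalize();
        return base.getAuthority().equals(target.getAuthority())
                && target.getPath().startsWith(base.getPath())
                && target.getQuery() == null
                && target.getFragment() == null;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs: two well-formed names, then values the regex rejects.
        List<String> inputs = Arrays.asList(
                "merge-pdfs", "compress_v2", "", "x/../../y", "op?x=1", "op#f");
        for (String op : inputs) {
            try {
                String url = buildUrl(op);
                System.out.println("accepted: " + url + " staysOnBase=" + staysOnBase(url));
            } catch (IllegalArgumentException e) {
                // Show what the unchecked concatenation would have produced.
                String raw = BASE_URL + op;
                System.out.println("rejected: \"" + op + "\" (unchecked: " + raw
                        + ", staysOnBase=" + staysOnBase(raw) + ")");
            }
        }
    }
}
```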
---
.../SPDF/controller/api/pipeline/PipelineProcessor.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
index 5c1fd5f4a..9d919c12a 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@@ -108,7 +108,9 @@ public class PipelineProcessor {
if (inputFileTypes == null) {
inputFileTypes = new ArrayList(Arrays.asList("ALL"));
}
- // List outputFileTypes = apiDocService.getExtensionTypes(true, operation);
+ if (!operation.matches("^[a-zA-Z0-9_-]+$")) {
+ throw new IllegalArgumentException("Invalid operation value received.");
+ }
String url = getBaseUrl() + operation;
List newOutputFiles = new ArrayList<>();
if (!isMultiInputOperation) {
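Review bot: the new `operation.matches("^[a-zA-Z0-9_-]+$")` check throws a NullPointerException when `operation` is null, so a missing parameter surfaces as an NPE instead of the intended IllegalArgumentException; guard it as `if (operation == null || !operation.matches("^[a-zA-Z0-9_-]+$"))`. The character class does keep `getBaseUrl() + operation` from being steered through path separators, query strings or other URL metacharacters, but it still forwards any well-formed name to the base URL; the removed comment shows `apiDocService` already knows the operation names, so validating against that list would also reject unknown endpoints. Minor: `String.matches` is a full-string match, so the `^` and `$` anchors are redundant but harmless.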