From d15a27540682b9e9718a24aef1f2429c122a9df4 Mon Sep 17 00:00:00 2001
From: "pixeebotstirling[bot]"
 <221352955+pixeebotstirling[bot]@users.noreply.github.com>
Date: Thu, 17 Jul 2025 17:17:55 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(Snyk)=20Fixed=20finding:=20"java/P?=
 =?UTF-8?q?T"=20(#3975)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Pixee Fix ID:**
[203062ab-1b9b-42b8-be64-1358106dccab](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/203062ab-1b9b-42b8-be64-1358106dccab)

<details>
  <summary>Confidence: <b>HIGH</b></summary>

Fix confidence is a rating derived from an internal benchmark and
includes High, Medium, and Low confidence fixes. It comprises three
weighted scores reflecting the safety, effectiveness and cleanliness of
Pixee's code changes within a fix. [View Details in
Pixee.](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/203062ab-1b9b-42b8-be64-1358106dccab)
</details>

---

✨✨✨

## Remediation

This change fixes "java/PT" (id = java/PT) identified by Snyk.

## Details

Path Traversal is a security vulnerability that allows attackers to gain
unauthorized access to files and directories outside the permitted
access path by manipulating file paths. The fix involves adding
validation to detect potential directory traversal attempts by
normalizing the file path and checking if it begins with '..', thereby
preventing malicious manipulation.

Co-authored-by: pixeebotstirling[bot] <221352955+pixeebotstirling[bot]@users.noreply.github.com>
---
 .../SPDF/controller/api/pipeline/PipelineProcessor.java       | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
index 9d919c12a..d79105c26 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@@ -329,6 +329,10 @@ public class PipelineProcessor {
         }
         List<Resource> outputFiles = new ArrayList<>();
         for (File file : files) {
+            Path normalizedPath = Paths.get(file.getName()).normalize();
+            if (normalizedPath.startsWith("..")) {
+                throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
+            }
             Path path = Paths.get(file.getAbsolutePath());
             // debug statement
             log.info("Reading file: " + path);