From d15a27540682b9e9718a24aef1f2429c122a9df4 Mon Sep 17 00:00:00 2001
From: "pixeebotstirling[bot]"
<221352955+pixeebotstirling[bot]@users.noreply.github.com>
Date: Thu, 17 Jul 2025 17:17:55 +0100
Subject: [PATCH] ✨ (Snyk) Fixed finding: "java/PT" (#3975)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
**Pixee Fix ID:**
[203062ab-1b9b-42b8-be64-1358106dccab](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/203062ab-1b9b-42b8-be64-1358106dccab)
Confidence: HIGH
Fix confidence is a rating derived from an internal benchmark and
includes High, Medium, and Low confidence fixes. It comprises three
weighted scores reflecting the safety, effectiveness and cleanliness of
Pixee's code changes within a fix. [View Details in
Pixee.](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/203062ab-1b9b-42b8-be64-1358106dccab)
---
✨✨✨
## Remediation
This change fixes "java/PT" (id = java/PT) identified by Snyk.
## Details
Path Traversal is a security vulnerability that allows attackers to gain
unauthorized access to files and directories outside the permitted
access path by manipulating file paths. The fix involves adding
validation to detect potential directory traversal attempts by
normalizing the file path and checking if it begins with '..', thereby
preventing malicious manipulation.
Co-authored-by: pixeebotstirling[bot] <221352955+pixeebotstirling[bot]@users.noreply.github.com>
---
.../SPDF/controller/api/pipeline/PipelineProcessor.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
index 9d919c12a..d79105c26 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@@ -329,6 +329,10 @@ public class PipelineProcessor {
}
List outputFiles = new ArrayList<>();
for (File file : files) {
+ Path normalizedPath = Paths.get(file.getName()).normalize();
+ if (normalizedPath.startsWith("..")) {
+ throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
+ }
Path path = Paths.get(file.getAbsolutePath());
// debug statement
log.info("Reading file: " + path);
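Review bot: the guard added at the top of the loop is effectively a no-op, because `File.getName()` returns only the final name element, so `Paths.get(file.getName()).normalize()` can never start with `..` unless the file is literally named `..`; meanwhile the path that is actually opened two lines later is `file.getAbsolutePath()`, which the check never examines. If the intent is to stop traversal out of the pipeline's working directory, validate the full path against that directory instead, e.g. `Path resolved = Paths.get(file.getAbsolutePath()).normalize();` followed by `if (!resolved.startsWith(expectedBaseDir)) { throw new SecurityException(...); }`, where `expectedBaseDir` is the normalized directory these files are expected to come from (not visible in this hunk, so it needs to be wired in from the caller). Since `Path.startsWith` compares whole name elements, that base-directory comparison is also the right primitive here, whereas the current string-style check gives a false sense of coverage without constraining what is read.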