saulteafarmer/Stirling-PDF
1
0
Fork 0
mirror of https://github.com/Stirling-Tools/Stirling-PDF.git synced 2025-07-23 13:45:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

(Snyk) Fixed finding: "java/PT" (#3974)

Browse Source 
**Pixee Fix ID:**
[dab7f6f1-da39-4654-a537-2de8eee936db](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/dab7f6f1-da39-4654-a537-2de8eee936db)

<details>
  <summary>Confidence: <b>HIGH</b></summary>

Fix confidence is a rating derived from an internal benchmark and
includes High, Medium, and Low confidence fixes. It comprises three
weighted scores reflecting the safety, effectiveness and cleanliness of
Pixee's code changes within a fix. [View Details in
Pixee.](https://stirlingpdf.getpixee.com/analysis/3c9d2b94-57c2-4525-9776-c5cd149902c4/fix/dab7f6f1-da39-4654-a537-2de8eee936db)
</details>

---



## Remediation

This change fixes "java/PT" (id = java/PT) identified by Snyk.

## Details

Path Traversal is a security vulnerability that allows attackers to
access files and directories stored outside the web root folder. The
impact can include unauthorized access to sensitive files. The fix
involved adding validation checks on filenames to ensure they do not
contain suspicious patterns like '..' or '/' which are indicative of
path traversal attempts.

Co-authored-by: pixeebotstirling[bot] <221352955+pixeebotstirling[bot]@users.noreply.github.com>
This commit is contained in:
pixeebotstirling[bot] 2025-07-17 17:17:11 +01:00 committed by GitHub
parent 76d150289e
commit ed894f021b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/core/src/main/java/stirling/software/SPDF/controller/api/misc/StampController.java
View File

@ -42,6 +42,7 @@ import stirling.software.common.service.CustomPDFDocumentFactory;
import stirling.software.common.util.TempFile; import stirling.software.common.util.TempFile;
import stirling.software.common.util.TempFileManager; import stirling.software.common.util.TempFileManager;
import stirling.software.common.util.WebResponseUtils; import stirling.software.common.util.WebResponseUtils;
import java.lang.IllegalArgumentException;
@RestController @RestController
@RequestMapping("/api/v1/misc") @RequestMapping("/api/v1/misc")
@ -62,9 +63,18 @@ public class StampController {
public ResponseEntity<byte[]> addStamp(@ModelAttribute AddStampRequest request) public ResponseEntity<byte[]> addStamp(@ModelAttribute AddStampRequest request)
throws IOException, Exception { throws IOException, Exception {
MultipartFile pdfFile = request.getFileInput(); MultipartFile pdfFile = request.getFileInput();
String pdfFileName = pdfFile.getOriginalFilename();
if (pdfFileName.contains("..") || pdfFileName.startsWith("/")) {
throw new IllegalArgumentException("Invalid PDF file path");
}
String stampType = request.getStampType(); String stampType = request.getStampType();
String stampText = request.getStampText(); String stampText = request.getStampText();
MultipartFile stampImage = request.getStampImage(); MultipartFile stampImage = request.getStampImage();
String stampImageName = stampImage.getOriginalFilename();
if (stampImageName.contains("..") || stampImageName.startsWith("/")) {
throw new IllegalArgumentException("Invalid stamp image file path");
}
String alphabet = request.getAlphabet(); String alphabet = request.getAlphabet();
float fontSize = request.getFontSize(); float fontSize = request.getFontSize();
float rotation = request.getRotation(); float rotation = request.getRotation();