From 279600e04c718aae67d6b755262b7f7be50c3e79 Mon Sep 17 00:00:00 2001
From: "pixeebotstirling[bot]" <221352955+pixeebotstirling[bot]@users.noreply.github.com>
Date: Thu, 17 Jul 2025 16:02:38 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(Snyk)=20Fixed=20finding:=20"java/P?= =?UTF-8?q?T"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../SPDF/controller/api/pipeline/PipelineProcessor.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
index 5c1fd5f4a..49ef35d75 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@@ -327,6 +327,10 @@ public class PipelineProcessor {
 }
 List outputFiles = new ArrayList<>();
 for (File file : files) {
+ Path normalizedPath = Paths.get(file.getName()).normalize();
+ if (normalizedPath.startsWith("..")) {
+ throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
+ }
 Path path = Paths.get(file.getAbsolutePath());
 // debug statement
 log.info("Reading file: " + path);
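Review bot: The added check in the `for (File file : files)` loop inspects `file.getName()`, which is only the last path component, so the normalized value starts with `..` only when the name is literally `..`; the path actually read on the next line still comes from `file.getAbsolutePath()` with no containment check. If the intent is to keep reads inside the pipeline's working directory, compare the resolved path with that directory instead, e.g. `Path resolved = file.toPath().toAbsolutePath().normalize();` followed by `if (!resolved.startsWith(baseDir)) { throw new SecurityException(...); }`, where `baseDir` is a placeholder for whichever directory this method is meant to be confined to (not visible in the hunk). Use `toRealPath()` rather than `normalize()` if symlinks inside that directory must not escape it. The enclosing method begins and ends outside the hunk, so where `files` originates and whether it is already constrained upstream cannot be confirmed from here.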