From 8013e28b803ea3a61e9ce5ea7aecdc354c428ab7 Mon Sep 17 00:00:00 2001
From: "pixeebotstirling[bot]" <221352955+pixeebotstirling[bot]@users.noreply.github.com>
Date: Thu, 17 Jul 2025 16:04:15 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(Snyk)=20Fixed=20finding:=20"java/P?= =?UTF-8?q?T"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/api/security/WatermarkController.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
index 47a53a4f9..fd5a9b288 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
@@ -74,9 +74,19 @@ public class WatermarkController {
 public ResponseEntity addWatermark(@ModelAttribute AddWatermarkRequest request)
 throws IOException, Exception {
 MultipartFile pdfFile = request.getFileInput();
+ String pdfFileName = pdfFile.getOriginalFilename();
+ if (pdfFileName != null && (pdfFileName.contains("..") || pdfFileName.startsWith("/"))) {
+ throw new SecurityException("Invalid file path in pdfFile");
+ }
 String watermarkType = request.getWatermarkType();
 String watermarkText = request.getWatermarkText();
 MultipartFile watermarkImage = request.getWatermarkImage();
+ if (watermarkImage != null) {
+ String watermarkImageFileName = watermarkImage.getOriginalFilename();
+ if (watermarkImageFileName != null && (watermarkImageFileName.contains("..") || watermarkImageFileName.startsWith("/"))) {
+ throw new SecurityException("Invalid file path in watermarkImage");
+ }
+ }
 String alphabet = request.getAlphabet();
 float fontSize = request.getFontSize();
 float rotation = request.getRotation();
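Review bot: The two added filename checks in addWatermark are a deny-list that only rejects `..` and a leading `/`, so a name that uses `\` as its separator still passes; rejecting any separator, or reducing the name to its last path segment, is the sturdier guard. Both checks throw `java.lang.SecurityException`, which, unless a handler outside this hunk maps it, would presumably surface as a 500 rather than a 400 for what is simply bad client input. The hunk does not show where either name is later consumed (the method body continues past it), so it is worth confirming that the validation actually sits in front of the path-building sink the finding refers to. I would fold the two copies into one private helper that reports a client error, as sketched below; `ResponseStatusException` and `HttpStatus` need importing if the file does not already have them.

```java
        MultipartFile pdfFile = request.getFileInput();
        requireSafeFilename(pdfFile, "pdfFile");
        // … unchanged: watermarkType, watermarkText …
        MultipartFile watermarkImage = request.getWatermarkImage();
        requireSafeFilename(watermarkImage, "watermarkImage");
        // … unchanged: remaining request fields …

    // elsewhere in WatermarkController
    /** Rejects an upload whose client-supplied name carries a path component. */
    private static void requireSafeFilename(MultipartFile file, String field) {
        if (file == null) {
            return;
        }
        String name = file.getOriginalFilename();
        if (name != null
                && (name.contains("..") || name.contains("/") || name.contains("\\"))) {
            throw new ResponseStatusException(
                    HttpStatus.BAD_REQUEST, "Invalid file name in " + field);
        }
    }
```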