From a58bbd0d38955aaead103d14a596290850025537 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Thu, 24 Jul 2025 13:47:20 +0100 Subject: [PATCH] Hardening suggestions for Stirling-PDF / allowExternalURLs (#4031) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I've reviewed the recently opened PR ([4013 - url fixes for access issues](https://github.com/Stirling-Tools/Stirling-PDF/pull/4013)) and have identified some area(s) that could benefit from additional hardening measures. These changes should help prevent potential security vulnerabilities and improve overall code quality. Thank you for your consideration! 🧚🤖 Powered by Pixeebot [Feedback](https://ask.pixee.ai/feedback) | [Community](https://pixee-community.slack.com/signup#/domain-signup) | [Docs](https://docs.pixee.ai/) ![](https://d1zaessa2hpsmj.cloudfront.net/pixel/v1/track?writeKey=2PI43jNm7atYvAuK7rJUz3Kcd6A&event=PR_HARDENING%7CStirling-Tools%2FStirling-PDF%7Cd8e1c693dae525e3d4304d5a6116f65fc357fcd9) --------- Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
 .../java/stirling/software/common/util/FileToPdfTest.java | 5 +++--
 .../controller/api/converters/ConvertOfficeController.java | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/common/src/test/java/stirling/software/common/util/FileToPdfTest.java b/app/common/src/test/java/stirling/software/common/util/FileToPdfTest.java
index a3df86aee..d939d0a1f 100644
--- a/app/common/src/test/java/stirling/software/common/util/FileToPdfTest.java
+++ b/app/common/src/test/java/stirling/software/common/util/FileToPdfTest.java
@@ -1,5 +1,6 @@
 package stirling.software.common.util;
+import java.nio.file.Files;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
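Review bot: The new `import java.nio.file.Files;` is inserted above the `import static` group rather than alongside the file's other plain imports, so the import block no longer follows a single plain-then-static (or static-then-plain) grouping; if the project runs a formatter it will presumably move this line anyway, so it is cleaner to place it in the `java.*` group now. Also worth checking whether `java.io.File` is still referenced elsewhere in the test after the `File.createTempFile` calls were replaced; if not, that import becomes unused. The remainder of the import block lies outside the hunk.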
@@ -47,8 +48,8 @@ public class FileToPdfTest {
 // Mock the temp file creation to return real temp files
 try {
 when(tempFileManager.createTempFile(anyString()))
- .thenReturn(File.createTempFile("test", ".pdf"))
- .thenReturn(File.createTempFile("test", ".html"));
+ .thenReturn(Files.createTempFile("test", ".pdf").toFile())
+ .thenReturn(Files.createTempFile("test", ".html").toFile());
 } catch (IOException e) {
 throw new RuntimeException(e);
 }
diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertOfficeController.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertOfficeController.java
index a581a51d7..651444c69 100644
--- a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertOfficeController.java
+++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertOfficeController.java
@@ -56,7 +56,7 @@ public class ConvertOfficeController {
 // Check if the file is HTML and apply sanitization if needed
 String fileExtension = FilenameUtils.getExtension(originalFilename).toLowerCase();
- if (fileExtension.equals("html") || fileExtension.equals("htm")) {
+ if ("html".equals(fileExtension) || "htm".equals(fileExtension)) {
 // Read and sanitize HTML content
 String htmlContent = new String(inputFile.getBytes(), StandardCharsets.UTF_8);
 String sanitizedHtml = customHtmlSanitizer.sanitize(htmlContent);
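Review bot: The reason for replacing `File.createTempFile` with `Files.createTempFile(...).toFile()` is not recorded anywhere in the code, so a later cleanup could revert it without noticing the security difference: `Files.createTempFile` creates the file with restrictive default permissions on POSIX (owner read/write only), whereas `File.createTempFile` relies on the process umask. A one-line comment above the `when(...)` chain, `// Files.createTempFile: owner-only permissions on POSIX, unlike File.createTempFile`, would preserve that intent. Separately, the files produced by both `thenReturn` calls are never deleted in the visible code; `deleteOnExit()` on the returned `File`, or JUnit's `@TempDir`, would avoid leaving them behind after the test run. The enclosing setup method starts before and ends after the hunk.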
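Review bot: The null-safe form `"html".equals(fileExtension)` cannot take effect here, because `fileExtension` is already dereferenced by `.toLowerCase()` on the preceding context line; if `originalFilename` is ever null, `FilenameUtils.getExtension` returns null and that line throws before the comparison runs. If null input is the concern, guard the assignment instead, e.g. `String fileExtension = originalFilename == null ? "" : FilenameUtils.getExtension(originalFilename).toLowerCase(Locale.ROOT);` (importing `java.util.Locale`), which also pins the case mapping to a fixed locale. Since this comparison is what decides whether `customHtmlSanitizer` runs, it is worth confirming in the code outside the hunk that inputs with other extensions the downstream converter would still treat as HTML are handled, rather than relying on the client-supplied filename alone. The enclosing method starts before and continues after the hunk.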