From d395ce6a4fa02a615e3910b6d49968d6f6025580 Mon Sep 17 00:00:00 2001
From: Ludy87
Date: Sat, 19 Jul 2025 02:15:46 +0200
Subject: [PATCH] Update GeneralUtils.java

---
 .../software/common/util/GeneralUtils.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/common/src/main/java/stirling/software/common/util/GeneralUtils.java b/app/common/src/main/java/stirling/software/common/util/GeneralUtils.java
index 3aed62271..f9d433533 100644
--- a/app/common/src/main/java/stirling/software/common/util/GeneralUtils.java
+++ b/app/common/src/main/java/stirling/software/common/util/GeneralUtils.java
@@ -444,14 +444,24 @@ public class GeneralUtils {
     }
 
     /**
-     * Extracts a file from classpath:/static/python to a temporary directory and returns the
-     * path.
-     */
+     * Extracts a file from classpath:/static/python to a temporary directory and returns the path.
+     */
     public static Path extractScript(String scriptName) throws IOException {
         // Validate input
         if (scriptName == null || scriptName.trim().isEmpty()) {
             throw new IllegalArgumentException("scriptName must not be null or empty");
         }
+        if (scriptName.contains("..") || scriptName.contains("/")) {
+            throw new IllegalArgumentException(
+                    "scriptName must not contain path traversal characters");
+        }
+
+        List validScripts = Arrays.asList("png_to_webp.py", "split_photos.py");
+
+        if (!validScripts.contains(scriptName)) {
+            throw new IllegalArgumentException(
+                    "scriptName must be either 'png_to_webp.py' or 'split_photos.py'");
+        }
 
         // 1. load the script from classpath
         ClassPathResource resource = new ClassPathResource("static/python/" + scriptName);
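Review bot: `List validScripts = Arrays.asList("png_to_webp.py", "split_photos.py");` is a raw type and re-creates the allowlist on every call; declare it once as a typed immutable constant, `private static final Set<String> VALID_SCRIPTS = Set.of("png_to_webp.py", "split_photos.py");`, and build the rejection message from it (e.g. `"scriptName must be one of " + VALID_SCRIPTS`) so the message and the list cannot drift apart. The exact-match allowlist is the effective control here and already rejects any name containing a separator or `..`, so the preceding `contains("..") || contains("/")` check is redundant defense in depth; if it is kept, note that it does not cover `\`, which the allowlist does. The Javadoc should state the new contract, e.g. `@throws IllegalArgumentException if scriptName is null, blank, or not one of the allowlisted script names`. `Arrays` and `List` need imports; whether they are already present is outside the hunk, and the body of extractScript continues past the end of the hunk.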