Fix code scanning alert no. 1: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
asteriskiry · Dec 29, 2024 · c313e29 · c313e29
1 parent 5a254f7
commit c313e29
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/main/java/fi/asteriski/eventsignup/service/event/ImageServiceImpl.java b/src/main/java/fi/asteriski/eventsignup/service/event/ImageServiceImpl.java
@@ -37,6 +37,9 @@ public class ImageServiceImpl implements ImageService {
 
     @Override
     public byte[] getBannerImage(String fileName) {
+        if (fileName.contains("..") || fileName.contains("/") || fileName.contains("\\")) {
+            throw new IllegalArgumentException("Invalid filename");
+        }
         File filePath = new File(String.format(FILE_PATH_TEMPLATE, rootPath, fileName));
         if (!filePath.canRead()) {
             log.info(String.format("%s Requested file %s doesn't exist and/or cannot be read.", LOG_PREFIX, fileName));