Cleanse API input params

eclipse-pass · Dec 18, 2024 · d05660f · d05660f
1 parent 69fced2
commit d05660f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/...e-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java b/...e-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java
@@ -103,11 +103,14 @@ public ResponseEntity<?> fileUpload(@RequestParam("file") MultipartFile file, Pr
     @ResponseBody
     public ResponseEntity<?> getFileById(@PathVariable("uuid") String uuid,
                                          @PathVariable("origFileName") String origFileName) {
-        String fileId = uuid  + "/" + origFileName;
         if (StringUtils.isEmpty(uuid) || StringUtils.isEmpty(origFileName)) {
             LOG.error("File ID not provided to get a file.");
             return ResponseEntity.badRequest().body("File ID not provided to get a file.");
         }
+        String cleansedUuid = StringUtils.normalizeSpace(uuid);
+        String cleansedOrigFileName = StringUtils.normalizeSpace(origFileName);
+        String fileId = cleansedUuid  + "/" + cleansedOrigFileName;
+
         ByteArrayResource fileResource;
         String contentType = "";
 
@@ -141,7 +144,9 @@ public ResponseEntity<?> deleteFileById(@PathVariable("uuid") String uuid,
                                             @PathVariable("origFileName") String origFileName,
                                             Principal principal, HttpServletRequest request) {
         String principalName = principal.getName();
-        String fileId = uuid  + "/" + origFileName;
+        String cleansedUuid = StringUtils.normalizeSpace(uuid);
+        String cleansedOrigFileName = StringUtils.normalizeSpace(origFileName);
+        String fileId = cleansedUuid  + "/" + cleansedOrigFileName;
 
         //Get the file, check that it exists, and then check if current user has permissions to delete
         try {

diff --git a/...-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java b/...-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
@@ -172,9 +172,7 @@ public ByteArrayResource getFile(String fileId) throws IOException {
             }
             // the output path for getObject must not exist, hence temp dir is created on the fly
             ocflRepository.getObject(ObjectVersionId.head(fileId), tempLoadDir);
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("File Service: File with ID {} was loaded from the repo", StringUtils.normalizeSpace(fileId));
-            }
+            LOG.debug("File Service: File with ID {} was loaded from the repo", fileId);
             Path fileNamePath = Objects.requireNonNull(tempLoadDir.toFile().listFiles())[0].toPath();
             loadedResource = new ByteArrayResource(Files.readAllBytes(fileNamePath));