[P4ADEV-1830] added filename validation to saveToSharedFolder

src/main/java/it/gov/pagopa/pu/fileshare/service/FileService.java

@@ -34,23 +34,32 @@ public void validateFile(MultipartFile ingestionFlowFile, String validFileExt) {
       throw new InvalidFileException("Invalid file");
     }
     String filename = StringUtils.defaultString(ingestionFlowFile.getOriginalFilename());
-    if(!filename.endsWith(validFileExt)){
-      log.debug("Invalid ingestion flow file extension");
-      throw new InvalidFileException("Invalid file extension");
-    }
+    validateFileExtension(validFileExt, filename);
+    validateFilename(filename);
+  }
+
+  private static void validateFilename(String filename) {
     if(Stream.of("..", "\\", "/").anyMatch(filename::contains)){
       log.debug("Invalid ingestion flow filename");
       throw new InvalidFileException("Invalid filename");
     }
   }
 
+  private static void validateFileExtension(String validFileExt, String filename) {
+    if(!filename.endsWith(validFileExt)){
+      log.debug("Invalid ingestion flow file extension");
+      throw new InvalidFileException("Invalid file extension");
+    }
+  }
+
   public void saveToSharedFolder(MultipartFile file, String relativePath){
     if(file==null){
       log.debug("File is mandatory");
       throw new FileUploadException("File is mandatory");
     }
 
     String filename = org.springframework.util.StringUtils.cleanPath(StringUtils.defaultString(file.getOriginalFilename()));
+    validateFilename(filename);
     Path fileLocation = Paths.get(sharedFolderRootPath, relativePath, filename);
     //create missing parent folder, if any
     try {

src/test/java/it/gov/pagopa/pu/fileshare/service/FileServiceTest.java

@@ -74,7 +74,7 @@ void givenInvalidFilenameWhenValidateFileThenInvalidFileException(){
   }
 
   @Test
-  void givenInvalidFileWhenSaveToSharedFolderThenIllegalStateException() {
+  void givenInvalidFileWhenSaveToSharedFolderThenFileUploadException() {
     try (MockedStatic<AESUtils> aesUtilsMockedStatic = Mockito.mockStatic(
       AESUtils.class);
       MockedStatic<Files> filesMockedStatic = Mockito.mockStatic(
@@ -90,7 +90,30 @@ void givenInvalidFileWhenSaveToSharedFolderThenIllegalStateException() {
   }
 
   @Test
-  void givenErrorWhenSaveToSharedFolderThenIllegalStateException() {
+  void givenInvalidFilenameWhenSaveToSharedFolderThenInvalidFileException() {
+    MockMultipartFile file = new MockMultipartFile(
+      "ingestionFlowFile",
+      "../test.txt",
+      MediaType.TEXT_PLAIN_VALUE,
+      "this is a test file".getBytes()
+    );
+
+    try (MockedStatic<AESUtils> aesUtilsMockedStatic = Mockito.mockStatic(
+      AESUtils.class);
+      MockedStatic<Files> filesMockedStatic = Mockito.mockStatic(
+        Files.class)) {
+      try {
+        fileService.saveToSharedFolder(file, "");
+        Assertions.fail("Expected InvalidFileException");
+      } catch (InvalidFileException e) {
+        aesUtilsMockedStatic.verifyNoInteractions();
+        filesMockedStatic.verifyNoInteractions();
+      }
+    }
+  }
+
+  @Test
+  void givenErrorWhenSaveToSharedFolderThenFileUploadException() {
     MockMultipartFile file = new MockMultipartFile(
       "ingestionFlowFile",
       "test.txt",