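--- a/java/com.sap.sse.filestorage/src/com/sap/sse/filestorage/impl/LocalFileStorageServiceImpl.java
+++ b/java/com.sap.sse.filestorage/src/com/sap/sse/filestorage/impl/LocalFileStorageServiceImpl.java
@@ -17,6 +17,7 @@ import org.apache.shiro.authz.UnauthorizedException;
 import org.osgi.framework.BundleContext;
 
 import com.sap.sailing.domain.common.security.SecuredDomainType;
+import com.sap.sse.common.Util;
 import com.sap.sse.common.Util.Pair;
 import com.sap.sse.filestorage.FileStorageService;
 import com.sap.sse.filestorage.FileStorageServiceProperty;
@@ -41,8 +42,6 @@ import com.sap.sse.security.shared.TypeRelativeObjectIdentifier;
 * @author Jan Broß
 *
 */
-
-
 public class LocalFileStorageServiceImpl extends BaseFileStorageServiceImpl implements FileStorageService {
 private static final long serialVersionUID = -8661781258137340835L;
 private static final String testFile = "Bundesliga2014_Regatta6_eventteaser.jpg";
@@ -62,6 +61,9 @@ public class LocalFileStorageServiceImpl extends BaseFileStorageServiceImpl impl
 @Override
 public URI storeFile(InputStream is, String fileExtension, long lengthInBytes)
 throws IOException, UnauthorizedException {
+ if (Util.hasLength(fileExtension) && (fileExtension.contains("..") || fileExtension.contains("/") || fileExtension.contains("\\"))) {
+ throw new IllegalArgumentException("File extension must not contain '..' or a file separator like '/'.");
+ }
 String fileName = getKey(fileExtension);
 String pathToFile = localPath.getValue() + "/" + fileName;
 return getSecurityService().setOwnershipCheckPermissionForObjectCreationAndRevertOnError(SecuredDomainType.FILE_STORAGE,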
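Review bot: The new guard at the top of `storeFile` is a denylist of three substrings, so any other value of `fileExtension` (NUL, `:`, whitespace, a very long string) still flows into `getKey(fileExtension)` and the string-concatenated `pathToFile`. An allowlist is tighter and easier to reason about, for example `if (Util.hasLength(fileExtension) && !fileExtension.matches("\\.?[A-Za-z0-9]{1,16}")) {`, with the pattern adjusted to what callers really pass. Because `getKey` is not visible here, I would also add a containment check after the path is built, along the lines of `Path base = Paths.get(localPath.getValue()).normalize(); if (!base.resolve(fileName).normalize().startsWith(base)) throw new IllegalArgumentException("Resolved path leaves storage root");`. `IllegalArgumentException` is unchecked and not in the `throws` clause, so it is worth confirming that callers map it to a client error rather than a generic failure. The body of `storeFile` continues outside this hunk.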