From 3660c3f74630deb915983e1afcefc332fc7590c8 Mon Sep 17 00:00:00 2001
From: quactv <51528368+tranquac@users.noreply.github.com>
Date: Fri, 27 Mar 2026 23:08:43 +0700
Subject: [PATCH] fix: prevent path traversal in file download endpoint

Signed-off-by: tranquac
---
 src/main/java/org/cellocad/api/FileController.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/cellocad/api/FileController.java b/src/main/java/org/cellocad/api/FileController.java
index 66674347..df6a63d4 100644
--- a/src/main/java/org/cellocad/api/FileController.java
+++ b/src/main/java/org/cellocad/api/FileController.java
@@ -137,7 +137,10 @@ String getResultFile(
 }
 String username = auth.getUsername(basic);
-
+ // Prevent path traversal: reject filenames with directory separators or parent references
+ if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
+ throw new CelloNotFoundException("invalid filename");
+ }
 if(filename.endsWith(".png") || filename.endsWith(".pdf")) {
 String filePath = _resultPath + "/" + username + "/" + jobid + "/" + filename;