3466 Add Security Notes

Author: ivicac

server/ee/libs/automation/automation-configuration/automation-configuration-service/src/main/java/com/bytechef/ee/automation/configuration/facade/ProjectCodeWorkflowFacadeImpl.java

@@ -38,7 +38,6 @@
 @Service
 @Transactional
 @ConditionalOnEEVersion
-@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public class ProjectCodeWorkflowFacadeImpl implements ProjectCodeWorkflowFacade {
 
     private final CacheManager cacheManager;
@@ -101,6 +100,11 @@ private Project createProject(long workspaceId, ProjectDefinition projectDefinit
         return projectService.create(project);
     }
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - Temporary files are created with system-generated names in the temp directory,
+     * not user-controlled paths. Access is restricted to administrators.
+     */
+    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     private ProjectDefinition loadProjectDefinition(Language language, byte[] bytes) throws IOException {
         Path path = Files.createTempFile("code_workflow_project", language.getExtension());
 

server/ee/libs/platform/platform-custom-component/platform-custom-component-configuration/platform-custom-component-configuration-service/src/main/java/com/bytechef/ee/platform/customcomponent/configuration/facade/CustomComponentFacadeImpl.java

@@ -36,7 +36,6 @@
 @Service
 @Transactional
 @ConditionalOnEEVersion
-@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public class CustomComponentFacadeImpl implements CustomComponentFacade {
 
     private final CacheManager cacheManager;
@@ -104,6 +103,11 @@ private void create(
         customComponentService.create(customComponent);
     }
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - Temporary files are created with system-generated names in the temp directory,
+     * not user-controlled paths. Access is restricted to administrators.
+     */
+    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     private ComponentDefinition loadComponentDefinition(Language language, byte[] bytes) throws IOException {
         Path path = Files.createTempFile("custom_component", language.getExtension());
 

server/ee/libs/platform/platform-custom-component/platform-custom-component-loader/src/main/java/com/bytechef/ee/platform/customcomponent/loader/ComponentHandlerLoader.java

@@ -22,9 +22,13 @@
  *
  * @author Ivica Cardic
  */
-@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public class ComponentHandlerLoader {
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - URL comes from internal file storage after admin upload, not direct user
+     * input. Access is controlled through admin-only upload permissions.
+     */
+    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     public static ComponentHandler loadComponentHandler(
         URL url, Language language, String cacheKey, CacheManager cacheManager) {
 
@@ -48,6 +52,11 @@ private static ComponentHandler loadJavaComponentHandler(
         }
     }
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - URL comes from internal file storage after admin upload, not direct user
+     * input.
+     */
+    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     private static ComponentHandler loadPolyglotComponentHandler(URL url, Language language)
         throws URISyntaxException, IOException {
 

server/libs/atlas/atlas-configuration/atlas-configuration-repository/atlas-configuration-repository-git/src/main/java/com/bytechef/atlas/configuration/repository/git/operations/JGitWorkflowOperations.java

@@ -62,7 +62,6 @@
  * @author Arik Cohen
  * @author Ivica Cardic
  */
-@SuppressFBWarnings("PATH_TRAVERSAL_IN")
 public class JGitWorkflowOperations implements GitWorkflowOperations {
 
     private static final Logger log = LoggerFactory.getLogger(JGitWorkflowOperations.class);
@@ -155,8 +154,14 @@ public List<String> getRemoteBranches() {
         }
     }
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. Paths are derived from Git repository contents,
+     * not external user input. Access is controlled through Git authentication credentials.
+     */
     @Override
-    @SuppressFBWarnings("REC_CATCH_EXCEPTION")
+    @SuppressFBWarnings({
+        "REC_CATCH_EXCEPTION", "PATH_TRAVERSAL_IN"
+    })
     public String write(List<WorkflowResource> workflowResources, String commitMessage) {
         ReentrantLock lock = getTenantLock();
         try {
@@ -347,6 +352,11 @@ private WorkflowResource readBlob(Repository repository, String path, String blo
         }
     }
 
+    /**
+     * Security Note: PATH_TRAVERSAL_IN - Repository directory is created in a system temp location with a generated
+     * name, not user-controlled paths.
+     */
+    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     private void clear() {
         if (repositoryDir != null) {
             org.springframework.util.FileSystemUtils.deleteRecursively(repositoryDir);
@@ -356,6 +366,7 @@ private void clear() {
 
         try {
             String tenantKey = TenantCacheKeyUtils.getKey("git");
+
             path = Files.createTempDirectory("jgit_" + tenantKey + "_");
         } catch (IOException e) {
             throw new RuntimeException(e);

server/libs/modules/components/aws/aws-s3/src/main/java/com/bytechef/component/aws/s3/action/AwsS3ListObjectsAction.java

@@ -66,12 +66,9 @@ public class AwsS3ListObjectsAction {
         .perform(AwsS3ListObjectsAction::perform);
 
     /**
-     * Performs the S3 list objects operation.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The AWS S3 component is designed to allow
-     * workflow creators to list S3 objects as part of their automation workflows. The prefix is provided by the
-     * workflow creator, not end users, and access is controlled by AWS IAM credentials configured in the connection.
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The AWS S3 component allows workflow creators
+     * to list S3 objects. The prefix is provided by the workflow creator, not end users. Access is controlled by AWS
+     * IAM credentials configured in the connection.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     protected static List<S3ObjectDescription> perform(

server/libs/modules/components/filesystem/src/main/java/com/bytechef/component/filesystem/action/FilesystemGetParentFolderAction.java

@@ -54,18 +54,9 @@ private FilesystemGetParentFolderAction() {
     }
 
     /**
-     * Gets the full path from a full filename, which is the prefix + path, and also excluding the final directory
-     * separator.
-     *
-     * <p>
-     * This method will handle a file in either Unix or Windows format. The method is entirely text based and returns
-     * the text before the last forward or backslash.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The Filesystem component is designed to
-     * allow workflow creators to access file paths as part of their automation workflows. Access to this component
-     * should be restricted through workflow-level permissions and proper access control. The file path is provided by
-     * the workflow creator, not end users.
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The Filesystem component allows workflow
+     * creators to access file paths. Access is controlled through workflow-level permissions. The file path is provided
+     * by the workflow creator, not end users.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     protected static String perform(

server/libs/modules/components/filesystem/src/main/java/com/bytechef/component/filesystem/action/FilesystemLsAction.java

@@ -77,12 +77,8 @@ private FilesystemLsAction() {
     }
 
     /**
-     * Lists files at the given path.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The Filesystem component is designed to
-     * allow workflow creators to access files and directories as part of their automation workflows. Access to this
-     * component should be restricted through workflow-level permissions and proper access control. The path is provided
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The Filesystem component allows workflow
+     * creators to list files/directories. Access is controlled through workflow-level permissions. The path is provided
      * by the workflow creator, not end users.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")

server/libs/modules/components/filesystem/src/main/java/com/bytechef/component/filesystem/action/FilesystemMkdirAction.java

@@ -54,16 +54,9 @@ private FilesystemMkdirAction() {
     }
 
     /**
-     * Creates a directory by creating all nonexistent parent directories first.
-     *
-     * <p>
-     * An exception is not thrown if the directory could not be created because it already exists.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The Filesystem component is designed to
-     * allow workflow creators to create directories as part of their automation workflows. Access to this component
-     * should be restricted through workflow-level permissions and proper access control. The path is provided by the
-     * workflow creator, not end users.
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The Filesystem component allows workflow
+     * creators to create directories. Access is controlled through workflow-level permissions. The path is provided by
+     * the workflow creator, not end users.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     protected static String perform(

server/libs/modules/components/filesystem/src/main/java/com/bytechef/component/filesystem/action/FilesystemReadFileAction.java

@@ -54,13 +54,9 @@ private FilesystemReadFileAction() {
     }
 
     /**
-     * Reads the file at the given path.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The Filesystem component is designed to
-     * allow workflow creators to access files as part of their automation workflows. Access to this component should be
-     * restricted through workflow-level permissions and proper access control. The file path is provided by the
-     * workflow creator, not end users.
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The Filesystem component allows workflow
+     * creators to access files. Access is controlled through workflow-level permissions. The file path is provided by
+     * the workflow creator, not end users.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     protected static FileEntry perform(

server/libs/modules/components/filesystem/src/main/java/com/bytechef/component/filesystem/action/FilesystemRmAction.java

@@ -59,16 +59,9 @@ private FilesystemRmAction() {
     }
 
     /**
-     * Deletes a file, never throwing an exception. If a file is a directory, delete it and all subdirectories.
-     *
-     * <p>
-     * A directory to be deleted does not have to be empty.
-     *
-     * <p>
-     * <b>Security Note:</b> Path traversal is intentional for this component. The Filesystem component is designed to
-     * allow workflow creators to delete files and directories as part of their automation workflows. Access to this
-     * component should be restricted through workflow-level permissions and proper access control. The path is provided
-     * by the workflow creator, not end users.
+     * Security Note: PATH_TRAVERSAL_IN - Path traversal is intentional. The Filesystem component allows workflow
+     * creators to delete files/directories. Access is controlled through workflow-level permissions. The path is
+     * provided by the workflow creator, not end users.
      */
     @SuppressFBWarnings("PATH_TRAVERSAL_IN")
     protected static Boolean perform(