feat: prevent path traversal attacks in Generator class(#12611)

ewaostrowska · ewaostrowska · commit 4264888e16fe · 2025-09-30T09:17:49.000+02:00
diff --git a/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java b/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java
@@ -122,6 +122,7 @@ private static String generate(String language, GeneratorInput opts, Type type)
         if (destPath == null) {
             destPath = language + "-" + type.getTypeName();
         }
+        SecureFileUtils.validatePath(destPath);
 
         ClientOptInput clientOptInput = new ClientOptInput();
         ClientOpts clientOpts = new ClientOpts();
@@ -147,7 +148,6 @@ private static String generate(String language, GeneratorInput opts, Type type)
             if (files.size() > 0) {
                 List<File> filesToAdd = new ArrayList<File>();
                 LOGGER.debug("adding to " + outputFolder);
-                SecureFileUtils.validatePath(outputFolder);
                 filesToAdd.add(new File(outputFolder));
                 ZipUtil zip = new ZipUtil();
                 zip.compressFiles(filesToAdd, outputFilename);
@@ -164,7 +164,6 @@ private static String generate(String language, GeneratorInput opts, Type type)
                 }
             }
             try {
-                SecureFileUtils.validatePath(outputFilename);
                 new File(outputFolder).delete();
             } catch (Exception e) {
                 LOGGER.error("unable to delete output folder " + outputFolder);
diff --git a/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java b/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java
@@ -1,6 +1,5 @@
 package io.swagger.generator.online;
 
-import io.swagger.generator.exception.BadRequestException;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -14,7 +13,7 @@
  */
 public class GeneratorTest {
 
-    @Test(expectedExceptions = BadRequestException.class)
+    @Test(expectedExceptions = SecurityException.class)
     public void testGenerateWithPathTraversalInOutputFolder() throws Exception {
         io.swagger.generator.model.GeneratorInput opts = new io.swagger.generator.model.GeneratorInput();
 
