feat: prevent path traversal attacks

ewaostrowska · ewaostrowska · commit d5a7c087ffdc · 2025-09-19T15:16:44.000+02:00
diff --git a/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java b/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
@@ -3566,7 +3566,7 @@ public boolean shouldOverwrite(String filename) {
         try {
             SecureFileUtils.validatePath(filename);
         } catch (SecurityException e) {
-            return false;
+            return true;
         }
         return !(skipOverwrite && new File(filename).exists());
     }
@@ -3833,12 +3833,15 @@ public void writeOptional(String outputFolder, SupportingFile supportingFile) {
         }
         try {
             SecureFileUtils.validatePath(folder);
-            if (!new File(folder).exists()) {
+            if(!new File(folder).exists()) {
+                supportingFiles.add(supportingFile);
+            } else {
                 LOGGER.info("Skipped overwriting " + supportingFile.destinationFilename + " as the file already exists in " + folder);
             }
-        } catch (Exception e) {
-            supportingFiles.add(supportingFile);
+        } catch (SecurityException e) {
+            LOGGER.error("Error while validating path" + folder, e);
         }
+
     }
 
     /**
diff --git a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaJAXRSSpecServerCodegen.java b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaJAXRSSpecServerCodegen.java
@@ -199,11 +199,8 @@ public void preprocessSwagger(Swagger swagger) {
         try {
             String swaggerJson = Json.pretty(swagger);
             SecureFileUtils.validatePath(outputFolder);
-            File outputFile = new File(outputFolder + File.separator + "swagger.json");
-            FileUtils.writeStringToFile(outputFile, swaggerJson, StandardCharsets.UTF_8);
-        } catch (SecurityException e) {
-            throw new RuntimeException("Security violation: attempted to write to unsafe file path: " + outputFolder + File.separator + "swagger.json", e);
-        } catch (IOException e) {
+            FileUtils.writeStringToFile(new File(outputFolder + File.separator + "swagger.json"), swaggerJson, StandardCharsets.UTF_8);
+        } catch (IOException | SecurityException e) {
             throw new RuntimeException(e.getMessage(), e.getCause());
         }
         super.preprocessSwagger(swagger);
diff --git a/modules/swagger-codegen/src/test/java/io/swagger/codegen/DefaultCodegenTest.java b/modules/swagger-codegen/src/test/java/io/swagger/codegen/DefaultCodegenTest.java
@@ -39,6 +39,6 @@ public void testShouldOverwriteWithPathTraversal() {
         DefaultCodegen codegen = new DefaultCodegen();
         boolean result = codegen.shouldOverwrite("../../../etc/passwd");
 
-        Assert.assertFalse(result, "shouldOverwrite should return false when SecurityException is thrown");
+        Assert.assertTrue(result, "shouldOverwrite should return false when SecurityException is thrown");
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -3566,7 +3566,7 @@ public boolean shouldOverwrite(String filename) {`
`3566`	`3566`	`try {`
`3567`	`3567`	`SecureFileUtils.validatePath(filename);`
`3568`	`3568`	`} catch (SecurityException e) {`
`3569`		`- return false;`
	`3569`	`+ return true;`
`3570`	`3570`	`}`
`3571`	`3571`	`return !(skipOverwrite && new File(filename).exists());`
`3572`	`3572`	`}`
`@@ -3833,12 +3833,15 @@ public void writeOptional(String outputFolder, SupportingFile supportingFile) {`
`3833`	`3833`	`}`
`3834`	`3834`	`try {`
`3835`	`3835`	`SecureFileUtils.validatePath(folder);`
`3836`		`- if (!new File(folder).exists()) {`
	`3836`	`+ if(!new File(folder).exists()) {`
	`3837`	`+ supportingFiles.add(supportingFile);`
	`3838`	`+ } else {`
`3837`	`3839`	`LOGGER.info("Skipped overwriting " + supportingFile.destinationFilename + " as the file already exists in " + folder);`
`3838`	`3840`	`}`
`3839`		`- } catch (Exception e) {`
`3840`		`- supportingFiles.add(supportingFile);`
	`3841`	`+ } catch (SecurityException e) {`
	`3842`	`+ LOGGER.error("Error while validating path" + folder, e);`
`3841`	`3843`	`}`
	`3844`	`+`
`3842`	`3845`	`}`
`3843`	`3846`
`3844`	`3847`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,6 @@ public void testShouldOverwriteWithPathTraversal() {`
`39`	`39`	`DefaultCodegen codegen = new DefaultCodegen();`
`40`	`40`	`boolean result = codegen.shouldOverwrite("../../../etc/passwd");`
`41`	`41`
`42`		`- Assert.assertFalse(result, "shouldOverwrite should return false when SecurityException is thrown");`
	`42`	`+ Assert.assertTrue(result, "shouldOverwrite should return false when SecurityException is thrown");`
`43`	`43`	`}`
`44`	`44`	`}`