From 4264888e16fe8ffd6e05db03cd8010da9a100004 Mon Sep 17 00:00:00 2001
From: Ewa Ostrowska
Date: Tue, 30 Sep 2025 09:17:49 +0200
Subject: [PATCH] feat: prevent path traversal attacks in Generator class(#12611)
---
 .../src/main/java/io/swagger/generator/online/Generator.java | 3 +--
 .../test/java/io/swagger/generator/online/GeneratorTest.java | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java b/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java
index 8f4b9fefefe..506c468a2d6 100644
--- a/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java
+++ b/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java
@@ -122,6 +122,7 @@ private static String generate(String language, GeneratorInput opts, Type type)
 if (destPath == null) {
 destPath = language + "-" + type.getTypeName();
 }
+ SecureFileUtils.validatePath(destPath);
 ClientOptInput clientOptInput = new ClientOptInput();
 ClientOpts clientOpts = new ClientOpts();
@@ -147,7 +148,6 @@ private static String generate(String language, GeneratorInput opts, Type type)
 if (files.size() > 0) {
 List filesToAdd = new ArrayList();
 LOGGER.debug("adding to " + outputFolder);
- SecureFileUtils.validatePath(outputFolder);
 filesToAdd.add(new File(outputFolder));
 ZipUtil zip = new ZipUtil();
 zip.compressFiles(filesToAdd, outputFilename);
@@ -164,7 +164,6 @@ private static String generate(String language, GeneratorInput opts, Type type)
 }
 }
 try {
- SecureFileUtils.validatePath(outputFilename);
 new File(outputFolder).delete();
 } catch (Exception e) {
 LOGGER.error("unable to delete output folder " + outputFolder);
diff --git a/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java b/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java
index e2c0db2d067..b955b1a4537 100644
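Review bot: The added `SecureFileUtils.validatePath(destPath)` in the first Generator.java hunk (`@@ -122,6 +122,7 @@`) checks only the raw `destPath` string, while the two calls removed in the later hunks checked the composed `outputFolder` and `outputFilename`, which are the values actually handed to `new File(...)` and `zip.compressFiles(...)`. How those are derived from `destPath` and what `validatePath` rejects are both outside the hunk, so the fragment check should be backed by a containment check on the resolved path, e.g. `Path out = base.resolve(destPath).normalize();` followed by `if (!out.startsWith(base)) throw new SecurityException("output path escapes base");`, where `base` stands for the generator's output root. The test change also shows the rejection now surfaces as `SecurityException` rather than `BadRequestException`; unless the REST layer maps it, a rejected request would presumably come back as a server error instead of a 400. The body of `generate` starts and ends outside these hunks.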
--- a/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java
+++ b/modules/swagger-generator/src/test/java/io/swagger/generator/online/GeneratorTest.java
@@ -1,6 +1,5 @@
 package io.swagger.generator.online;
-import io.swagger.generator.exception.BadRequestException;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -14,7 +13,7 @@
 */
 public class GeneratorTest {
- @Test(expectedExceptions = BadRequestException.class)
+ @Test(expectedExceptions = SecurityException.class)
 public void testGenerateWithPathTraversalInOutputFolder() throws Exception {
 io.swagger.generator.model.GeneratorInput opts = new io.swagger.generator.model.GeneratorInput();