Merge branch 'develop'

brunocapu-lcn · brunocapu-lcn · commit ec8375dec171 · 2025-03-23T12:09:07.000-03:00
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ PKI Express package for Java
 
 This package contains classes that encapsulate the calls to the PKI Express.
 
-The **PKI Express package** is distributed by [Maven](https://search.maven.org/artifact/com.lacunasoftware.pkiexpress/pki-express/1.22.1/jar).
+The **PKI Express package** is distributed by [Maven](https://search.maven.org/artifact/com.lacunasoftware.pkiexpress/pki-express/1.22.2/jar).
 
 The recommended way to install it is with Gradle:
     
@@ -13,7 +13,7 @@ The recommended way to install it is with Gradle:
     }
     
     dependencies {
-        implementation 'com.lacunasoftware.pkiexpress:pki-express:1.22.1'
+        implementation 'com.lacunasoftware.pkiexpress:pki-express:1.22.2'
         ...
     }
         
@@ -22,7 +22,7 @@ Or with Maven:
     <dependency>
       <groupId>com.lacunasoftware.pkiexpress</groupId>
       <artifactId>pki-express</artifactId>
-      <version>1.22.1/version>
+      <version>1.22.2/version>
       <type>pom</type>
     </dependency>
       
diff --git a/build.gradle b/build.gradle
@@ -11,7 +11,7 @@ targetCompatibility = JavaVersion.VERSION_1_7
 
 group = 'com.lacunasoftware.pkiexpress'
 archivesBaseName = 'pki-express'
-version = '1.22.1'
+version = '1.22.2'
 
 repositories {
     mavenCentral()
diff --git a/src/main/java/com/lacunasoftware/pkiexpress/SignatureFinisher.java b/src/main/java/com/lacunasoftware/pkiexpress/SignatureFinisher.java
@@ -115,9 +115,7 @@ public void setTransferFilePath(String path) {
 	}
 
 	public void setTransferFileId(String transferFileId) {
-		if (!Files.exists(config.getTransferDataFolder().resolve(transferFileId))) {
-			throw new RuntimeException("The provided transfer file was not found");
-		}
+		Util.validateFile(transferFileId, config.getTransferDataFolder());
 		this.transferFileId = transferFileId;
 	}
 	//endregion
diff --git a/src/main/java/com/lacunasoftware/pkiexpress/Util.java b/src/main/java/com/lacunasoftware/pkiexpress/Util.java
@@ -7,6 +7,8 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
@@ -80,4 +82,28 @@ static Date parseApiDate(String dateStr) {
 
 		return date;
 	}
+
+	static void validateFile(String userFile, Path baseDir) {
+		try {
+			// get normalized path
+			Path basePath = baseDir.toRealPath();
+			Path userPath = basePath.resolve(userFile).normalize();
+
+			// checks if user file path is child of base dir
+			if (!userPath.startsWith(basePath)) {
+				throw new RuntimeException("The provided file path is not valid");
+			}
+
+			// checks if file exists
+			if (!Files.exists(userPath)) {
+				throw new RuntimeException("The provided file was not found");
+			}
+
+		} catch (RuntimeException ex) {
+			throw ex;
+
+		} catch (Exception ex) {
+			throw new RuntimeException("Error validating file path", ex);
+		}
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -115,9 +115,7 @@ public void setTransferFilePath(String path) {`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`public void setTransferFileId(String transferFileId) {`
`118`		`- if (!Files.exists(config.getTransferDataFolder().resolve(transferFileId))) {`
`119`		`- throw new RuntimeException("The provided transfer file was not found");`
`120`		`- }`
	`118`	`+ Util.validateFile(transferFileId, config.getTransferDataFolder());`
`121`	`119`	`this.transferFileId = transferFileId;`
`122`	`120`	`}`
`123`	`121`	`//endregion`