alanmehio commented on a change in pull request #768:
URL: https://github.com/apache/cxf/pull/768#discussion_r646108926
##########
File path: core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
##########
@@ -170,18 +170,31 @@ public static boolean isMtomEnabled(Message message) {
public static void setStreamedAttachmentProperties(Message message,
CachedOutputStream bos)
throws IOException {
Object directory =
message.getContextualProperty(AttachmentDeserializer.ATTACHMENT_DIRECTORY);
+ setOutputDirectory(directory, bos);
+
+ Object threshold =
message.getContextualProperty(AttachmentDeserializer.ATTACHMENT_MEMORY_THRESHOLD);
+ setThreshold(threshold, bos);
+
+ Object maxSize =
message.getContextualProperty(AttachmentDeserializer.ATTACHMENT_MAX_SIZE);
+ setMaxSize(maxSize, bos);
+ }
+
+ private static void setOutputDirectory(Object directory,
CachedOutputStream bos) throws IOException {
if (directory != null) {
if (directory instanceof File) {
- bos.setOutputDir((File) directory);
+ bos.setOutputDir((File)directory);
} else if (directory instanceof String) {
- bos.setOutputDir(new File((String) directory));
+ String directoryStr = (String)directory;
+ directoryStr = directoryStr.replace("..", "");
Review comment:
@coheigea you are right. This has nothing to do with PR. The codeQL was
failing [Java path Injection
rule](https://codeql.github.com/codeql-query-help/java/java-path-injection/)
Can somebody looks at the codeQL it is disturbing and causing the build to
fail . I will revert the changes and again this has nothing to do with PR
since the build was failing due to CodeQL check on java path Injection. If the
CodeQL can be minimized to something realistic which does not affect code , it
would be great
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
