From a476b08f314107351817bbbe199fa7e420782ad0 Mon Sep 17 00:00:00 2001
From: lamtung-monash
Date: Thu, 11 Dec 2025 18:10:50 +0800
Subject: [PATCH] Fixes security issues caused by file paths containing "../".

---
 .../java/com/art/system/controller/FileController.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/art-server/art-server-system/src/main/java/com/art/system/controller/FileController.java b/art-server/art-server-system/src/main/java/com/art/system/controller/FileController.java
index 3acb37df..5f6e5e47 100644
--- a/art-server/art-server-system/src/main/java/com/art/system/controller/FileController.java
+++ b/art-server/art-server-system/src/main/java/com/art/system/controller/FileController.java
@@ -86,6 +86,14 @@ public void download(@RequestBody FileDownloadDTO fileDownloadDTO, HttpServletRe
 @GetMapping("/download/{bucket}/{fileName}")
 public void download(@PathVariable("bucket") String bucket, @PathVariable("fileName") String fileName, HttpServletResponse response) {
+ if (fileName == null) {
+ return ResponseEntity.notFound().build();
+ }
+
+ if (fileName.contains("../")){
+ return ResponseEntity.badRequest().build();
+ }
+
 fileService.getFile(bucket, fileName, response);
 }
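Review bot: The two added `return ResponseEntity...build();` statements sit inside a method the hunk shows as `public void download(...)`, so this does not compile: a void method cannot return a value, and the status has to go through the `HttpServletResponse` the method already receives (`response.setStatus(HttpServletResponse.SC_BAD_REQUEST); return;`). The `contains("../")` test is also a denylist that still admits a bare `..` segment, a backslash-separated `..\`, or an absolute path, and whether an encoded form reaches this string depends on the servlet container's decoding, which the hunk does not show; a positive check that the value is a single plain name (no `/`, no `\`, not `.` or `..`) is safer regardless of how `fileService.getFile` joins the path. The `bucket` path variable is passed through with no check at all and needs the same treatment, and the `@RequestBody FileDownloadDTO` overload named in the hunk header presumably carries a file name too — that method is outside this hunk. The `fileName == null` branch is unreachable for a `@PathVariable` that is part of the route template and could be folded into the same validation.
```java
	public void download(@PathVariable("bucket") String bucket, @PathVariable("fileName") String fileName, HttpServletResponse response) {
		// Only a single plain name is accepted for either segment: a "." or ".." component,
		// any separator, or an absolute path would let the request escape the bucket
		// directory no matter how getFile builds the final path.
		if (!isPlainName(bucket) || !isPlainName(fileName)) {
			response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
			return;
		}
		fileService.getFile(bucket, fileName, response);
	}

	private static boolean isPlainName(String name) {
		return name != null && !name.isEmpty()
			&& !name.equals(".") && !name.equals("..")
			&& name.indexOf('/') < 0 && name.indexOf('\\') < 0;
	}
```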