From c3008ec7eed5d335a98ef5812a44d8d193c236ff Mon Sep 17 00:00:00 2001
From: Luca Foppiano
Date: Sat, 30 Nov 2024 05:27:09 +0000
Subject: [PATCH] Fix code scanning alert no. 62: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../grobid/service/process/GrobidRestProcessTraining.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java b/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
index 10664d2f09..b425af0c27 100644
--- a/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
+++ b/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
@@ -359,6 +359,11 @@ public void run() {
     public Response resultTraining(String token) {
         Response response = null;
         try {
+            // Validate the token to prevent directory traversal
+            if (token.contains("..") || token.contains("/") || token.contains("\\")) {
+                throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
+            }
+
             // access report file under token subdirectory
             File home = GrobidProperties.getInstance().getGrobidHomePath();
             String tokenPath = home.getAbsolutePath() + "/training-history/" + token;
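Review bot: The added check at the top of the try block is a denylist, so an empty token passes it and `tokenPath` then resolves to the `training-history` directory itself, and a null token throws NullPointerException on the first `token.contains` before any validation happens; whether the enclosing catch turns that into a 500 cannot be seen, since `resultTraining` continues past the end of the hunk. A positive check is more robust: allowlist the token format the service itself issues (the pattern below is a placeholder, as the token generator is not visible here) and, as defence in depth, build the directory with `java.nio.file.Path` and confirm the normalized result lies strictly below the base directory, which covers separator encodings the three `contains` calls do not. The rewrite below replaces the added block and the `String tokenPath` line, keeps `tokenPath` a String for the rest of the method, and needs `java.nio.file.Path` imported at the top of the file.
```java
        try {
            // Allowlist the token format rather than denylisting separators.
            // PLACEHOLDER pattern: align it with the format the token generator emits.
            if (token == null || !token.matches("[A-Za-z0-9_-]{1,64}")) {
                throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
            }

            File home = GrobidProperties.getInstance().getGrobidHomePath();
            Path base = home.toPath().resolve("training-history").toAbsolutePath().normalize();
            Path tokenDir = base.resolve(token).normalize();
            // Defence in depth: the resolved directory must be strictly below base.
            if (!tokenDir.startsWith(base) || tokenDir.equals(base)) {
                throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
            }
            String tokenPath = tokenDir.toString();
            // … unchanged: remainder of resultTraining …
```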