Refactor StoragePath
pvannierop committed Jul 15, 2024
1 parent f1523af commit 28132f4
Showing 1 changed file with 12 additions and 8 deletions.
Expand Up @@ -125,14 +125,7 @@ public StoragePath build() {
Assert.isTrue(!subject.isBlank(), "Subject Id must be set.");
Assert.isTrue(!topic.isBlank(), "Topic Id must be set.");

String pathInTopicDir = Stream.of(
this.doCollectPerDay ? getDayFolder() : "",
// Storing files under their original filename is a security risk, as it can be used to
// overwrite existing files. We generate a random filename server-side to mitigate this risk.
// See https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
generateRandomFilename(this.file)
).filter(s -> !s.isBlank())
.collect(Collectors.joining(this.dirSep));
String pathInTopicDir = buildPathInTopicDir();

String fullPath = Stream.of(
this.pathPrefix,
Expand All @@ -146,6 +139,17 @@ public StoragePath build() {
return new StoragePath(fullPath, pathInTopicDir);
}

private String buildPathInTopicDir() {
return Stream.of(
this.doCollectPerDay ? getDayFolder() : "",
// Storing files under their original filename is a security risk, as it can be used to
// overwrite existing files. We generate a random filename server-side to mitigate this risk.
// See https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
generateRandomFilename(this.file)
).filter(s -> !s.isBlank())
.collect(Collectors.joining(this.dirSep));
}

private String generateRandomFilename(String originalFilename) {
String timestamp = LocalDateTime.now().format(DateTimeFormatter.ofPattern(this.filePattern));
return timestamp + "_" + UUID.randomUUID() + getFileExtension(originalFilename);
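Review bot: The comment carried into `buildPathInTopicDir` says the file name is generated server-side, but the context lines just below show `generateRandomFilename` appending `getFileExtension(originalFilename)`, so the extension of the client-supplied name still ends up in the stored path. `getFileExtension` is not visible on this page (and `generateRandomFilename` continues past the hunk), so it cannot be confirmed here whether the extension is limited to an allow-list or stripped of separator characters; if it is not, that check belongs there. Because the comment now sits in the middle of an argument list inside a private helper, I would lift it into a Javadoc on the method and state the caveat, e.g. `/** Builds the path below the topic directory: optional day folder plus a server-generated file name; only the extension is taken from the uploaded name. */`.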
