From 07d283424822b1ffa1d65386979532b815f7120e Mon Sep 17 00:00:00 2001
From: arybakov <alex.rybakov@cgi.com>
Date: Thu, 3 Oct 2024 13:43:21 -0600
Subject: [PATCH] GRAD2-1806 New Report for SSW: Projected Grad

---
 .../grad/report/service/impl/GradReportServiceImpl.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/api/src/main/java/ca/bc/gov/educ/grad/report/service/impl/GradReportServiceImpl.java b/api/src/main/java/ca/bc/gov/educ/grad/report/service/impl/GradReportServiceImpl.java
index 331d09b6..b6311249 100644
--- a/api/src/main/java/ca/bc/gov/educ/grad/report/service/impl/GradReportServiceImpl.java
+++ b/api/src/main/java/ca/bc/gov/educ/grad/report/service/impl/GradReportServiceImpl.java
@@ -143,11 +143,18 @@ Certificate getCertificate(ReportData reportData) {
 
     InputStream openImageResource(final String resource) throws IOException {
         /** final URL url = getReportResource(resource); **/
+        validateResourcePath(resource);
         URL url = this.getClass().getResource(String.format(DIR_IMAGE_BASE, resource));
         assert url != null;
         return url.openStream();
     }
 
+    void validateResourcePath(String resource) {
+        if(StringUtils.isBlank(resource) || resource.contains("..") || resource.contains("/") || resource.contains("\\")) {
+            throw new IllegalArgumentException("Invalid resource path");
+        }
+    }
+
     GraduationReport getGraduationReport(String methodName, List<String> excludePrograms) throws IOException {
         Parameters<String, Object> parameters = createParameters();