From b7d1551068c10e37d000cf58ae0faa11afe5528e Mon Sep 17 00:00:00 2001 From: "pixee-b1171e79b0e16eb5[bot]" <170462952+pixee-b1171e79b0e16eb5[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 20:49:28 +0000 Subject: [PATCH 1/2] (Sonar) Fixed finding: "Multiple variables should not be declared on the same line" --- src/main/java/org/owasp/webgoat/webwolf/FileServer.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java index e3d6f24f..442bd421 100644 --- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java +++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java @@ -135,7 +135,9 @@ public void print2() { public static class EncryptionExample { public byte[] encrypt(String text) throws Exception { - int a, b, c; + int a; + int b; + int c; a = 2; b = 1; From bf4c9579df303b984f7f21fbbccec5ca420a6330 Mon Sep 17 00:00:00 2001 From: "pixee-b1171e79b0e16eb5[bot]" <170462952+pixee-b1171e79b0e16eb5[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 20:49:28 +0000 Subject: [PATCH 2/2] Sanitized user-provided file names in HTTP multipart uploads --- pom.xml | 10 ++++++++++ .../java/org/owasp/webgoat/webwolf/FileServer.java | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 15851ec3..21b0517e 100644 --- a/pom.xml +++ b/pom.xml @@ -146,6 +146,7 @@ 1.4.5 1.5.2 + 1.1.3 @@ -248,6 +249,11 @@ jruby 9.3.6.0 + + io.github.pixee + java-security-toolkit + ${versions.java-security-toolkit} + @@ -393,6 +399,10 @@ rest-assured test + + io.github.pixee + java-security-toolkit + diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java index 442bd421..5203da17 100644 --- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java +++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java 
@@ -22,6 +22,7 @@ package org.owasp.webgoat.webwolf;
+import io.github.pixee.security.Filenames;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import java.io.File;
@@ -79,8 +80,8 @@ public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throw
 var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 var destinationDir = new File(fileLocation, user.getUsername());
 destinationDir.mkdirs();
- myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
- log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
+ myFile.transferTo(new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename())));
+ log.debug("File saved to {}", new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename())));
 return new ModelAndView(
 new RedirectView("files", true),
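Review bot: The two `+` lines in importFile each call `Filenames.toSimpleFileName(myFile.getOriginalFilename())` separately, and Spring's `MultipartFile#getOriginalFilename` is nullable, so whether a missing or fully-stripped filename is rejected or silently turned into something else depends entirely on the toolkit's behavior, which is not visible in this diff — confirm that against its documentation. I would compute the sanitized name once into a local and, as defense in depth, check that the canonical destination still lies under `destinationDir` before `transferTo`, so the write does not rest on a single library call; the log line then reports the file actually written rather than recomputing the name. `getCanonicalPath` throws `IOException`; importFile's signature and `throws` clause are only partly visible in the hunk header, and the method begins before and ends after this hunk, so verify the declaration covers it.
```java
    destinationDir.mkdirs();
    var safeName = Filenames.toSimpleFileName(myFile.getOriginalFilename());
    var destination = new File(destinationDir, safeName);
    // Defense in depth: refuse any name that resolves outside the per-user directory.
    if (!destination.getCanonicalPath().startsWith(destinationDir.getCanonicalPath() + File.separator)) {
      throw new IllegalArgumentException("invalid upload file name");
    }
    myFile.transferTo(destination);
    log.debug("File saved to {}", destination);
    // … unchanged: redirect to the files view …
```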