From f03a6b6e937668bba3063404842bdad875b95d74 Mon Sep 17 00:00:00 2001
From: Mohamed Bilel Besrour
Date: Tue, 10 Sep 2024 20:39:33 +0200
Subject: [PATCH] validate buildjob file name
---
 .../de/tum/in/www1/artemis/service/BuildLogEntryService.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/java/de/tum/in/www1/artemis/service/BuildLogEntryService.java b/src/main/java/de/tum/in/www1/artemis/service/BuildLogEntryService.java
index 006a2d4afae8..001a3141599a 100644
--- a/src/main/java/de/tum/in/www1/artemis/service/BuildLogEntryService.java
+++ b/src/main/java/de/tum/in/www1/artemis/service/BuildLogEntryService.java
@@ -347,6 +347,11 @@ public void saveBuildLogsToFile(List buildLogEntries, String buil
 * @return A {@link FileSystemResource} representing the log file if it exists, or {@code null} if the log file cannot be found.
 */
 public FileSystemResource retrieveBuildLogsFromFileForBuildJob(String buildJobId) {
+ if (buildJobId.contains("/") || buildJobId.contains("\\") || buildJobId.contains("..")) {
+ log.warn("Invalid build job ID: {}", buildJobId);
+ throw new IllegalArgumentException("Invalid build job ID");
+ }
+
 ProgrammingExercise programmingExercise = retrieveProgrammingExerciseByBuildJobId(buildJobId);
 String courseShortName = programmingExercise.getCourseViaExerciseGroupOrCourseMember().getShortName();
 String exerciseShortName = programmingExercise.getShortName();
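Review bot: The added guard in retrieveBuildLogsFromFileForBuildJob rejects only three substrings and then writes the rejected value to the log unchanged, so a build job ID containing CR/LF would still reach `log.warn` and could forge log lines if the ID comes from a request. Neutralise line breaks before logging, e.g. `log.warn("Invalid build job ID: {}", buildJobId.replaceAll("[\\r\\n]", "_"));`. The denylist would be sturdier as a positive check: either match the ID against the format the build system actually issues (not visible in this hunk), or, where the log path is built further down outside the hunk, normalise it and verify it still starts with the build-log base directory. A null buildJobId now throws NullPointerException at the first `contains` call, and the Javadoc above should gain an `@throws IllegalArgumentException` line because it currently documents only the null return.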