From 2bb9251043b543bb5005b7cf9af6ac4f58a0f733 Mon Sep 17 00:00:00 2001
From: "Smokowski, Steve (ss835w)" <ss835w@us.att.com>
Date: Wed, 5 Dec 2018 08:30:51 -0500
Subject: Resolve Security Exploits

normalize all file paths before using them

Change-Id: I67aaa00d7218b95dde96f3679efe92c3c0cd33f9
Issue-ID: SO-1275
Signed-off-by: Smokowski, Steve (ss835w) <ss835w@us.att.com>
---
 .../java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'bpmn')

diff --git a/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java b/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
index 1989ca8cf9..1531e4d7b3 100644
--- a/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
+++ b/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
@@ -22,6 +22,7 @@ package org.onap.so.bpmn.common.resource;
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -266,7 +267,7 @@ public class ResourceRequestBuilder {
 
         HashMap<String, String> map = new Gson().fromJson(value, new TypeToken<HashMap<String, String>>() {}.getType());
 
-        String filePath = System.getProperty("mso.config.path") + "/ASDC/" +  map.get("version") + "/" + map.get("name");
+        String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC",  map.get("version"), map.get("name")).normalize().toString();
 
         File csarFile = new File(filePath);
 
-- 
cgit 1.2.3-korg