Merge pull request #13560 from PasanT9/fix-112

PasanT9 · web-flow · commit 49a6427b39a5 · 2026-01-23T07:38:32.000+05:30
Fix issues in throttling policy import API
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/importexport/ImportExportConstants.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/importexport/ImportExportConstants.java
@@ -72,6 +72,7 @@ public final class ImportExportConstants {
 
     public static final String JSON_EXTENSION = ".json";
     public static final String YAML_EXTENSION = ".yaml";
+    public static final String YML_EXTENSION = ".yml";
 
     // Image resource
     public static final String IMAGE_RESOURCE = "Image";
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/admin/v1/impl/ThrottlingApiServiceImpl.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.admin.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/admin/v1/impl/ThrottlingApiServiceImpl.java
@@ -1225,13 +1225,32 @@ public Response exportThrottlingPolicy(String policyId, String policyName, Strin
      */
     public static ExportThrottlePolicyDTO getImportedPolicy(InputStream uploadedInputStream, Attachment fileDetail)
             throws ParseException, APIImportExportException, IOException {
+
         File importFolder = CommonUtil.createTempDirectory(null);
         String uploadFileName = fileDetail.getContentDisposition().getFilename();
-        String fileType = (uploadFileName.contains(ImportExportConstants.YAML_EXTENSION)) ?
+        if (StringUtils.isEmpty(uploadFileName)) {
+            throw new APIImportExportException("Invalid file name. File name cannot be null or empty.");
+        }
+        // Validate file extension to prevent uploading unauthorized file types
+        String lowerCaseFileName = uploadFileName.toLowerCase();
+        boolean isYamlFile =
+                lowerCaseFileName.endsWith(ImportExportConstants.YAML_EXTENSION) || lowerCaseFileName.endsWith(
+                        ImportExportConstants.YML_EXTENSION);
+        boolean isJsonFile = lowerCaseFileName.endsWith(ImportExportConstants.JSON_EXTENSION);
+        if (!isYamlFile && !isJsonFile) {
+            throw new APIImportExportException("Invalid file type. Only YAML and JSON files are allowed.");
+        }
+        String fileType = isYamlFile ?
                 ImportExportConstants.EXPORT_POLICY_TYPE_YAML :
                 ImportExportConstants.EXPORT_POLICY_TYPE_JSON;
+        // Validating the canonical path
         String absolutePath = importFolder.getAbsolutePath() + File.separator + uploadFileName;
         File targetFile = new File(absolutePath);
+        String canonicalPath = targetFile.getCanonicalPath();
+        String canonicalImportPath = importFolder.getCanonicalPath();
+        if (!canonicalPath.startsWith(canonicalImportPath + File.separator)) {
+            throw new APIImportExportException("Invalid file name.");
+        }
         FileUtils.copyInputStreamToFile(uploadedInputStream, targetFile);
         return preprocessImportedArtifact(absolutePath, fileType);
     }
