From 86e3439963253cb2738479fc4b83bd86b9154f9f Mon Sep 17 00:00:00 2001
From: Luke Sikina
Date: Tue, 16 Jan 2024 12:26:37 -0500
Subject: [PATCH] Fix path traversal issue

---
 .../dbmi/avillach/hpds/service/PicSureService.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/service/src/main/java/edu/harvard/hms/dbmi/avillach/hpds/service/PicSureService.java b/service/src/main/java/edu/harvard/hms/dbmi/avillach/hpds/service/PicSureService.java
index 28baf105..d2773fef 100644
--- a/service/src/main/java/edu/harvard/hms/dbmi/avillach/hpds/service/PicSureService.java
+++ b/service/src/main/java/edu/harvard/hms/dbmi/avillach/hpds/service/PicSureService.java
@@ -262,11 +262,24 @@ public Response queryResult(@PathParam("resourceQueryId") UUID queryId, QueryReq
 }
 }
+ private Optional roundTripUUID(String uuid) {
+ try {
+ return Optional.ofNullable(UUID.fromString(uuid).toString());
+ } catch (IllegalArgumentException ignored) {
+ return Optional.empty();
+ }
+ }
+
 @POST
 @Path("/write/{dataType}")
 public Response writeQueryResult(
 @RequestBody() Query query,
 @PathParam("dataType") String datatype
 ) {
+ if (roundTripUUID(query.getPicSureId()).map(id -> id.equalsIgnoreCase(query.getPicSureId())).orElse(false)) {
+ return Response
+ .status(400, "The query pic-sure ID is not a UUID")
+ .build();
+ }
 if (query.getExpectedResultType() != ResultType.DATAFRAME_TIMESERIES) {
 return Response
 .status(400, "The write endpoint only writes time series dataframes. Fix result type.")
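Review bot: The guard added at the top of writeQueryResult is inverted: roundTripUUID yields a value only when `query.getPicSureId()` parses as a UUID, so `.map(id -> id.equalsIgnoreCase(...)).orElse(false)` is true for exactly the well-formed IDs and those get the 400, while a non-UUID value (the case this commit is meant to close) hits `orElse(false)` and is accepted. The condition needs a negation: `if (!roundTripUUID(query.getPicSureId()).map(id -> id.equalsIgnoreCase(query.getPicSureId())).orElse(false)) {`. In roundTripUUID, declare the return type as `Optional<String>` rather than the raw `Optional`, and note that `UUID.fromString(null)` throws NullPointerException rather than IllegalArgumentException, so a request with no picSureId would escape the catch and surface as an unhandled error instead of the intended 400; a null check on `uuid` before parsing keeps the rejection path uniform. If the `datatype` path parameter also contributes to a filesystem path (not visible in this hunk), it warrants the same kind of allow-list validation.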