fix: address code review feedback

cziberpv · cziberpv · commit 0150317d4d69 · 2026-02-10T11:56:56.000+01:00
- Sanitize Content-Disposition filename to prevent path traversal
  (Paths.get(filename).getFileName() strips directory components)
- Add null check for response.body() to handle 204/205 empty responses
- Fix regex to support quoted filenames with spaces
  (e.g. filename="my invoice.pdf")
diff --git a/modules/openapi-generator/src/main/resources/Java/libraries/feign/ApiResponseDecoder.mustache b/modules/openapi-generator/src/main/resources/Java/libraries/feign/ApiResponseDecoder.mustache
@@ -13,6 +13,7 @@ import java.io.InputStream;
 import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.util.Collection;
 import java.util.Collections;
@@ -25,7 +26,7 @@ import {{modelPackage}}.ApiResponse;
 public class ApiResponseDecoder extends JacksonDecoder {
 
     private static final Pattern FILENAME_PATTERN =
-            Pattern.compile("filename=['\"]?([^'\"\\s]+)['\"]?");
+            Pattern.compile("filename=\"([^\"]+)\"|filename=([^\\s;]+)");
 
     public ApiResponseDecoder(ObjectMapper mapper) {
         super(mapper);
@@ -58,6 +59,9 @@ public class ApiResponseDecoder extends JacksonDecoder {
 
     private Object decodeBinary(Response response, Type type) throws IOException {
         Class<?> raw = Types.getRawType(type);
+        if (response.body() == null) {
+            return null;
+        }
         if (byte[].class.isAssignableFrom(raw)) {
             return response.body().asInputStream().readAllBytes();
         }
@@ -71,8 +75,10 @@ public class ApiResponseDecoder extends JacksonDecoder {
         String filename = extractFilename(response);
         File file;
         if (filename != null) {
+            // Sanitize: strip path components to prevent path traversal
+            String safeName = Paths.get(filename).getFileName().toString();
             java.nio.file.Path tempDir = Files.createTempDirectory("feign-download");
-            file = Files.createFile(tempDir.resolve(filename)).toFile();
+            file = Files.createFile(tempDir.resolve(safeName)).toFile();
             tempDir.toFile().deleteOnExit();
         } else {
             file = Files.createTempFile("download-", "").toFile();
@@ -89,7 +95,10 @@ public class ApiResponseDecoder extends JacksonDecoder {
         if (dispositions == null) return null;
         for (String disposition : dispositions) {
             Matcher m = FILENAME_PATTERN.matcher(disposition);
-            if (m.find()) return m.group(1);
+            if (m.find()) {
+                // Group 1: quoted filename (may contain spaces), Group 2: unquoted token
+                return m.group(1) != null ? m.group(1) : m.group(2);
+            }
         }
         return null;
     }
diff --git a/samples/client/petstore/java/feign-no-nullable/src/main/java/org/openapitools/client/ApiResponseDecoder.java b/samples/client/petstore/java/feign-no-nullable/src/main/java/org/openapitools/client/ApiResponseDecoder.java
@@ -24,6 +24,7 @@
 import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.util.Collection;
 import java.util.Collections;
@@ -36,7 +37,7 @@
 public class ApiResponseDecoder extends JacksonDecoder {
 
     private static final Pattern FILENAME_PATTERN =
-            Pattern.compile("filename=['\"]?([^'\"\\s]+)['\"]?");
+            Pattern.compile("filename=\"([^\"]+)\"|filename=([^\\s;]+)");
 
     public ApiResponseDecoder(ObjectMapper mapper) {
         super(mapper);
@@ -69,6 +70,9 @@ private boolean isBinaryType(Type type) {
 
     private Object decodeBinary(Response response, Type type) throws IOException {
         Class<?> raw = Types.getRawType(type);
+        if (response.body() == null) {
+            return null;
+        }
         if (byte[].class.isAssignableFrom(raw)) {
             return response.body().asInputStream().readAllBytes();
         }
@@ -82,8 +86,10 @@ private File downloadToTempFile(Response response) throws IOException {
         String filename = extractFilename(response);
         File file;
         if (filename != null) {
+            // Sanitize: strip path components to prevent path traversal
+            String safeName = Paths.get(filename).getFileName().toString();
             java.nio.file.Path tempDir = Files.createTempDirectory("feign-download");
-            file = Files.createFile(tempDir.resolve(filename)).toFile();
+            file = Files.createFile(tempDir.resolve(safeName)).toFile();
             tempDir.toFile().deleteOnExit();
         } else {
             file = Files.createTempFile("download-", "").toFile();
@@ -100,7 +106,10 @@ private String extractFilename(Response response) {
         if (dispositions == null) return null;
         for (String disposition : dispositions) {
             Matcher m = FILENAME_PATTERN.matcher(disposition);
-            if (m.find()) return m.group(1);
+            if (m.find()) {
+                // Group 1: quoted filename (may contain spaces), Group 2: unquoted token
+                return m.group(1) != null ? m.group(1) : m.group(2);
+            }
         }
         return null;
     }
diff --git a/samples/client/petstore/java/feign/src/main/java/org/openapitools/client/ApiResponseDecoder.java b/samples/client/petstore/java/feign/src/main/java/org/openapitools/client/ApiResponseDecoder.java
@@ -24,6 +24,7 @@
 import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.util.Collection;
 import java.util.Collections;
@@ -36,7 +37,7 @@
 public class ApiResponseDecoder extends JacksonDecoder {
 
     private static final Pattern FILENAME_PATTERN =
-            Pattern.compile("filename=['\"]?([^'\"\\s]+)['\"]?");
+            Pattern.compile("filename=\"([^\"]+)\"|filename=([^\\s;]+)");
 
     public ApiResponseDecoder(ObjectMapper mapper) {
         super(mapper);
@@ -69,6 +70,9 @@ private boolean isBinaryType(Type type) {
 
     private Object decodeBinary(Response response, Type type) throws IOException {
         Class<?> raw = Types.getRawType(type);
+        if (response.body() == null) {
+            return null;
+        }
         if (byte[].class.isAssignableFrom(raw)) {
             return response.body().asInputStream().readAllBytes();
         }
@@ -82,8 +86,10 @@ private File downloadToTempFile(Response response) throws IOException {
         String filename = extractFilename(response);
         File file;
         if (filename != null) {
+            // Sanitize: strip path components to prevent path traversal
+            String safeName = Paths.get(filename).getFileName().toString();
             java.nio.file.Path tempDir = Files.createTempDirectory("feign-download");
-            file = Files.createFile(tempDir.resolve(filename)).toFile();
+            file = Files.createFile(tempDir.resolve(safeName)).toFile();
             tempDir.toFile().deleteOnExit();
         } else {
             file = Files.createTempFile("download-", "").toFile();
@@ -100,7 +106,10 @@ private String extractFilename(Response response) {
         if (dispositions == null) return null;
         for (String disposition : dispositions) {
             Matcher m = FILENAME_PATTERN.matcher(disposition);
-            if (m.find()) return m.group(1);
+            if (m.find()) {
+                // Group 1: quoted filename (may contain spaces), Group 2: unquoted token
+                return m.group(1) != null ? m.group(1) : m.group(2);
+            }
         }
         return null;
     }
