Fix alert-156

Author: hmiguim

roda-ui/roda-wui/src/main/java/org/roda/wui/api/v2/controller/JobsController.java

@@ -337,7 +337,7 @@ public ResponseEntity<StreamingResponseBody> retrieveJobAttachment(
     } catch (AuthorizationDeniedException e) {
       state = LogEntryState.UNAUTHORIZED;
       throw new RESTException(e);
-    } catch (NotFoundException e) {
+    } catch (NotFoundException | GenericException e) {
       state = LogEntryState.FAILURE;
       throw new RESTException(e);
     } finally {

roda-ui/roda-wui/src/main/java/org/roda/wui/api/v2/services/JobService.java

@@ -243,8 +243,13 @@ public JobUserDetails buildJobUserDetails(User user) {
     return jobUserDetails;
   }
 
-  public StreamResponse retrieveJobAttachment(String jobId, String attachmentId) throws NotFoundException {
+  public StreamResponse retrieveJobAttachment(String jobId, String attachmentId) throws NotFoundException, GenericException {
     Path filePath = RodaCoreFactory.getJobAttachmentsDirectoryPath().resolve(jobId).resolve(attachmentId);
+
+    if (!RodaCoreFactory.getJobAttachmentsDirectoryPath().startsWith(filePath)) {
+      throw new GenericException("Attempt to retrieve files outside the permitted scope");
+    }
+
     if (!Files.exists(filePath)) {
       throw new NotFoundException();
     }