Fix partNumber path traversal warnings

afranken · afranken · commit bd37fce16add · 2025-09-09T09:16:25.000+02:00
This doesn't change the logic but makes static code analysis happy.
diff --git a/server/src/main/java/com/adobe/testing/s3mock/MultipartController.java b/server/src/main/java/com/adobe/testing/s3mock/MultipartController.java
@@ -229,14 +229,14 @@ public ResponseEntity<Void> uploadPart(
       @PathVariable String bucketName,
       @PathVariable ObjectKey key,
       @RequestParam UUID uploadId,
-      @RequestParam Integer partNumber,
+      @RequestParam String partNumber,
       @RequestHeader HttpHeaders httpHeaders,
       InputStream inputStream) {
 
     final var tempFileAndChecksum = multipartService.toTempFile(inputStream, httpHeaders);
     bucketService.verifyBucketExists(bucketName);
     multipartService.verifyMultipartUploadExists(bucketName, uploadId);
-    multipartService.verifyPartNumberLimits(partNumber);
+    var partNum = multipartService.verifyPartNumberLimits(partNumber);
 
     String checksum = null;
     ChecksumAlgorithm checksumAlgorithm = null;
@@ -260,7 +260,7 @@ public ResponseEntity<Void> uploadPart(
     var etag = multipartService.putPart(bucketName,
         key.key(),
         uploadId,
-        partNumber,
+        partNum,
         tempFile,
         encryptionHeadersFrom(httpHeaders));
 
@@ -299,10 +299,10 @@ public ResponseEntity<CopyPartResult> uploadPartCopy(
       @RequestHeader(value = X_AMZ_COPY_SOURCE_IF_MODIFIED_SINCE, required = false) List<Instant> ifModifiedSince,
       @RequestHeader(value = X_AMZ_COPY_SOURCE_IF_UNMODIFIED_SINCE, required = false) List<Instant> ifUnmodifiedSince,
       @RequestParam UUID uploadId,
-      @RequestParam Integer partNumber,
+      @RequestParam String partNumber,
       @RequestHeader HttpHeaders httpHeaders) {
     var bucket = bucketService.verifyBucketExists(bucketName);
-    multipartService.verifyPartNumberLimits(partNumber);
+    var partNum = multipartService.verifyPartNumberLimits(partNumber);
     var s3ObjectMetadata = objectService.verifyObjectExists(copySource.bucket(), copySource.key(),
         copySource.versionId());
     objectService.verifyObjectMatchingForCopy(match, noneMatch,
@@ -312,7 +312,7 @@ public ResponseEntity<CopyPartResult> uploadPartCopy(
     var result = multipartService.copyPart(copySource.bucket(),
         copySource.key(),
         copyRange,
-        partNumber,
+        partNum,
         bucketName,
         key.key(),
         uploadId,
diff --git a/server/src/main/java/com/adobe/testing/s3mock/service/MultipartService.java b/server/src/main/java/com/adobe/testing/s3mock/service/MultipartService.java
@@ -310,11 +310,13 @@ public ListMultipartUploadsResult listMultipartUploads(
     );
   }
 
-  public void verifyPartNumberLimits(Integer partNumber) {
-    if (partNumber < 1 || partNumber > 10000) {
+  public int verifyPartNumberLimits(String partNumber) {
+    int number = Integer.parseInt(partNumber);
+    if (number < 1 || number > 10000) {
       LOG.error("Multipart part number invalid. partNumber={}", partNumber);
       throw INVALID_PART_NUMBER;
     }
+    return number;
   }
 
   public void verifyMultipartParts(
@@ -364,7 +366,7 @@ public void verifyMultipartParts(
     if (!uploadedParts.isEmpty()) {
       for (int i = 0; i < uploadedParts.size() - 1; i++) {
         var part = uploadedParts.get(i);
-        verifyPartNumberLimits(part.partNumber());
+        verifyPartNumberLimits(part.partNumber().toString());
         if (part.size() < MINIMUM_PART_SIZE) {
           LOG.error("Multipart part size too small. bucket={}, id={}, uploadId={}, size={}",
               bucketMetadata, id, uploadId, part.size());
diff --git a/server/src/test/kotlin/com/adobe/testing/s3mock/MultipartControllerTest.kt b/server/src/test/kotlin/com/adobe/testing/s3mock/MultipartControllerTest.kt
@@ -1047,6 +1047,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPart_Ok_EtagReturned() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
     val uploadId = UUID.randomUUID()
 
     val temp = java.nio.file.Files.createTempFile("junie", "part")
@@ -1080,6 +1081,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
     )
     val bucketMeta = bucketMetadata(versioningConfiguration = versioningConfiguration)
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     val s3meta = s3ObjectMetadata(
       key = "source/key.txt",
@@ -1161,10 +1163,11 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPartCopy_InvalidPartNumber_BadRequest() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     doThrow(S3Exception.INVALID_PART_NUMBER)
       .whenever(multipartService)
-      .verifyPartNumberLimits(1)
+      .verifyPartNumberLimits("1")
 
     val headers = HttpHeaders().apply {
       add("x-amz-copy-source", "/source-bucket/source/key.txt")
@@ -1190,6 +1193,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPartCopy_SourceObjectNotFound() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     doThrow(S3Exception.NO_SUCH_KEY)
       .whenever(objectService)
@@ -1219,6 +1223,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPartCopy_PreconditionFailed() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     val s3meta = s3ObjectMetadata("source/key.txt", UUID.randomUUID().toString())
     whenever(objectService.verifyObjectExists(eq("source-bucket"), eq("source/key.txt"), anyOrNull()))
@@ -1260,6 +1265,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPartCopy_NoVersionHeaderWhenNotVersioned() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     val s3meta = s3ObjectMetadata(
       key = "source/key.txt",
@@ -1300,6 +1306,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPartCopy_EncryptionHeadersEchoed() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
 
     val s3meta = s3ObjectMetadata("source/key.txt", UUID.randomUUID().toString())
     whenever(objectService.verifyObjectExists(eq("source-bucket"), eq("source/key.txt"), anyOrNull()))
@@ -1348,6 +1355,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
   fun testUploadPart_WithHeaderChecksum_VerifiedAndReturned() {
     val bucketMeta = bucketMetadata()
     whenever(bucketService.verifyBucketExists(TEST_BUCKET_NAME)).thenReturn(bucketMeta)
+    whenever(multipartService.verifyPartNumberLimits("1")).thenReturn(1)
     val uploadId = UUID.randomUUID()
 
     val temp = java.nio.file.Files.createTempFile("junie", "part")
@@ -1395,7 +1403,7 @@ internal class MultipartControllerTest : BaseControllerTest() {
     // Simulate invalid part number
     doThrow(S3Exception.INVALID_PART_NUMBER)
       .whenever(multipartService)
-      .verifyPartNumberLimits(1)
+      .verifyPartNumberLimits("1")
 
     val uri = UriComponentsBuilder
       .fromUriString("/${TEST_BUCKET_NAME}/my/key.txt")
diff --git a/server/src/test/kotlin/com/adobe/testing/s3mock/service/MultipartServiceTest.kt b/server/src/test/kotlin/com/adobe/testing/s3mock/service/MultipartServiceTest.kt
@@ -44,20 +44,33 @@ internal class MultipartServiceTest : ServiceTestBase() {
 
   @Test
   fun testVerifyPartNumberLimits_success() {
-    val partNumber = 1
+    val partNumber = "1"
     iut.verifyPartNumberLimits(partNumber)
   }
 
   @Test
   fun testVerifyPartNumberLimits_tooSmallFailure() {
-    val partNumber = 0
+    val partNumber = "0"
     assertThatThrownBy { iut.verifyPartNumberLimits(partNumber) }
       .isEqualTo(S3Exception.INVALID_PART_NUMBER)
   }
 
   @Test
   fun testVerifyPartNumberLimits_tooLargeFailure() {
-    val partNumber = 10001
+    val partNumber = "10001"
+    assertThatThrownBy { iut.verifyPartNumberLimits(partNumber) }
+      .isEqualTo(S3Exception.INVALID_PART_NUMBER)
+  }
+
+  @Test
+  fun testVerifyPartNumberLimits_boundaryMax_success() {
+    val partNumber = "10000"
+    iut.verifyPartNumberLimits(partNumber)
+  }
+
+  @Test
+  fun testVerifyPartNumberLimits_negativeNumberFailure() {
+    val partNumber = "-1"
     assertThatThrownBy { iut.verifyPartNumberLimits(partNumber) }
       .isEqualTo(S3Exception.INVALID_PART_NUMBER)
   }
@@ -203,19 +216,6 @@ internal class MultipartServiceTest : ServiceTestBase() {
     iut.verifyMultipartUploadExists(bucketName, uploadId)
   }
 
-  @Test
-  fun testVerifyPartNumberLimits_boundaryMax_success() {
-    val partNumber = 10000
-    iut.verifyPartNumberLimits(partNumber)
-  }
-
-  @Test
-  fun testVerifyPartNumberLimits_negativeNumberFailure() {
-    val partNumber = -1
-    assertThatThrownBy { iut.verifyPartNumberLimits(partNumber) }
-      .isEqualTo(S3Exception.INVALID_PART_NUMBER)
-  }
-
   @Test
   fun testVerifyMultipartParts_withRequestedParts_keyNotFoundFailure() {
     val bucketName = "bucketName"
