finding_id: REV-2026-004
priority: P1
area: generator
kind: security
paths:
- api-codegen-core/src/main/java/com/apicgen/Main.java
- api-codegen-core/src/main/java/com/apicgen/validator/ApiValidator.java
- api-codegen-maven-plugin/src/main/java/com/apicgen/maven/ApiCodegenMojo.java
blocked_by: []
automation: needs-design
Summary
Enforce generated-output path containment across the CLI and Maven plugin, including forced generation paths.
Evidence
Global review finding REV-2026-004 identified that generated names and paths can be influenced by className/fileName and that the CLI and Maven plugin need a shared containment check.
Impact
Malicious or malformed API metadata may cause generated files to escape the configured output directory or write to unintended paths.
Scope
Validate class and file names, normalize the final generated path, require containment under outputDir, share the check between CLI and Maven, and cover force-mode regressions.
Out of scope
Changing supported generator frameworks, output directory defaults, or unrelated source-template formatting.
Acceptance criteria
className/fileName 只能是合法 Java 标识符或受控相对路径
- 最终生成路径规范化后必须位于
outputDir
- CLI 和 Maven 插件共用 containment 校验
- 恶意
className/fieldName 和 force 场景有回归测试
Verification
Run CLI and Maven-plugin fixtures containing traversal, absolute, separator, and force-mode inputs; assert no file is written outside the normalized output directory.
Rollback
Revert the shared containment validator and callers while retaining security regression fixtures for a safer redesign.
Dependencies
None. Keep this issue labeled automation:needs-design; do not add automation:ready until design review is complete.
finding_id: REV-2026-004
priority: P1
area: generator
kind: security
paths:
blocked_by: []
automation: needs-design
Summary
Enforce generated-output path containment across the CLI and Maven plugin, including forced generation paths.
Evidence
Global review finding REV-2026-004 identified that generated names and paths can be influenced by
className/fileNameand that the CLI and Maven plugin need a shared containment check.Impact
Malicious or malformed API metadata may cause generated files to escape the configured output directory or write to unintended paths.
Scope
Validate class and file names, normalize the final generated path, require containment under
outputDir, share the check between CLI and Maven, and cover force-mode regressions.Out of scope
Changing supported generator frameworks, output directory defaults, or unrelated source-template formatting.
Acceptance criteria
className/fileName只能是合法 Java 标识符或受控相对路径outputDirclassName/fieldName和force场景有回归测试Verification
Run CLI and Maven-plugin fixtures containing traversal, absolute, separator, and force-mode inputs; assert no file is written outside the normalized output directory.
Rollback
Revert the shared containment validator and callers while retaining security regression fixtures for a safer redesign.
Dependencies
None. Keep this issue labeled
automation:needs-design; do not addautomation:readyuntil design review is complete.