Prevent path traversal in interaction storage and make Clear All deletion async by cuongmx · Pull Request #1 · requestbin/requestbin-collaborator

cuongmx · 2026-03-28T07:57:34Z

Prevent attackers from causing path traversal by supplying crafted unique-id values that are used directly in persistence filenames.
Avoid synchronous file I/O on the Swing Event Dispatch Thread during the "Clear All" action to prevent transient UI freezes.

Added burp.util.StorageFileUtils which centralizes identifier sanitization (sanitizeIdentifierForFilename) and builds safe storage paths via interactionsFile(File, String).
Replaced ad-hoc filename construction with StorageFileUtils.interactionsFile(...) in PollingService, BinTab, and BinService to eliminate path traversal risk when creating/reading/writing interactions-{id}.json.
Refactored BinTab Clear All flow to perform persistence-file deletion on a background daemon thread (deletePersistenceFileAsync) and report results back onto the EDT with SwingUtilities.invokeLater, while deletePersistenceFile now returns a boolean indicating success.

Attempted an automated build with mvn -q -DskipTests compile, which failed due to external dependency resolution (Maven Central returned HTTP 403 for maven-resources-plugin), so the code changes were not validated by a successful full build in this environment.

Fix path traversal in interaction storage and async clear-all delete

18fb8c8

cuongmx added the codex label Mar 28, 2026 — with ChatGPT Codex Connector

cuongmx merged commit f191c09 into master Mar 28, 2026

Provide feedback