From 7fa4fbfe2720ccbc5ec898647b82f7fa64e8ef0b Mon Sep 17 00:00:00 2001
From: d-millar <33498836+d-millar@users.noreply.github.com>
Date: Tue, 14 Apr 2026 20:00:32 +0000
Subject: [PATCH] GP-6695: in-directory check

---
 .../sarif/managers/MemoryMapSarifMgr.java | 29 +++++++------------
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/Ghidra/Features/Sarif/src/main/java/sarif/managers/MemoryMapSarifMgr.java b/Ghidra/Features/Sarif/src/main/java/sarif/managers/MemoryMapSarifMgr.java
index 6d2368cfe4..3012dd838a 100644
--- a/Ghidra/Features/Sarif/src/main/java/sarif/managers/MemoryMapSarifMgr.java
+++ b/Ghidra/Features/Sarif/src/main/java/sarif/managers/MemoryMapSarifMgr.java
@@ -4,9 +4,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -15,29 +15,15 @@
 */
 package sarif.managers;
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.RandomAccessFile;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
+import java.io.*;
+import java.util.*;
 import com.google.gson.JsonArray;
 import generic.stl.Pair;
 import ghidra.app.util.MemoryBlockUtils;
 import ghidra.app.util.importer.MessageLog;
-import ghidra.program.model.address.Address;
-import ghidra.program.model.address.AddressFactory;
-import ghidra.program.model.address.AddressOverflowException;
-import ghidra.program.model.address.AddressRange;
-import ghidra.program.model.address.AddressRangeImpl;
-import ghidra.program.model.address.AddressRangeIterator;
-import ghidra.program.model.address.AddressSet;
-import ghidra.program.model.address.AddressSetView;
+import ghidra.program.model.address.*;
 import ghidra.program.model.listing.Program;
 import ghidra.program.model.mem.Memory;
 import ghidra.program.model.mem.MemoryBlock;
@@ -48,6 +34,7 @@ import sarif.SarifProgramOptions;
 import sarif.SarifUtils;
 import sarif.export.SarifWriterTask;
 import sarif.export.mm.SarifMemoryMapWriter;
+import utilities.util.FileUtilities;
 public class MemoryMapSarifMgr extends SarifMgr {
@@ -155,7 +142,11 @@ public class MemoryMapSarifMgr extends SarifMgr {
 MessageLog log) throws IOException {
 byte[] bytes = new byte[length];
 Arrays.fill(bytes, (byte) 0xff);
+ File dir = new File(directory);
 File f = new File(directory, fileName);
+ if (!FileUtilities.isPathContainedWithin(dir, f)) {
+ throw new RuntimeException(fileName + " not found within " + directory);
+ }
 try (RandomAccessFile binfile = new RandomAccessFile(f, "r")) {
 int pos = 0;
 while (pos < length) {
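Review bot: The rejection inside the new `if (!FileUtilities.isPathContainedWithin(dir, f))` block is thrown as an unchecked `RuntimeException` even though the method already declares `throws IOException`, and its message says the file was "not found" when it was actually refused for resolving outside `directory`, so a caller that handles the `IOException` from the `RandomAccessFile` open just below will not handle this rejection the same way. I would throw the declared type with an accurate message: `throw new IOException(fileName + " is not contained within " + directory);`. The shape of the guard is right — `new File(directory, fileName)` is compared against `new File(directory)`, so a `fileName` carrying `..` segments is refused before anything is opened, and if `isPathContainedWithin` compares canonical paths (it appears to, but confirm) a symlink inside the directory that points outside it is refused as well. A one-line comment above the guard, such as `// GP-6695: refuse file names that resolve outside the SARIF directory`, would record why the check exists. The enclosing method's signature begins before this hunk.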