From 59b902b4d8d6d4f0a7b5417be6104ee2f82e6d5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Thu, 25 Jan 2024 16:39:22 +0100
Subject: [PATCH] [Security] Raise exception on IOException on StreamRepositoryService

The old code can be a security issue because the JasperReport will try to get the recourse by other way when we return null.
---
 BREAKING-CHANGES.md | 2 ++
 .../org/mapfish/print/output/MapfishPrintRepositoryService.java | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/BREAKING-CHANGES.md b/BREAKING-CHANGES.md
index 269f065e30..489dbaae1e 100644
--- a/BREAKING-CHANGES.md
+++ b/BREAKING-CHANGES.md
@@ -3,6 +3,8 @@
 ## Version 3.31
 - `HumanAlphaSerie` is moved from package `org.mapfish.print` to `org.mapfish.print.jasperreports`.
+- Rather than returning `null` when we fail to get a Resource from the JasperReport, we now throw
+ the exception (wrapped in a `RuntimeException`).
 ## Version 3.30
diff --git a/core/src/main/java/org/mapfish/print/output/MapfishPrintRepositoryService.java b/core/src/main/java/org/mapfish/print/output/MapfishPrintRepositoryService.java
index 2ef98db61e..d4b6a6c2ce 100644
--- a/core/src/main/java/org/mapfish/print/output/MapfishPrintRepositoryService.java
+++ b/core/src/main/java/org/mapfish/print/output/MapfishPrintRepositoryService.java
@@ -46,7 +46,7 @@ public InputStream getInputStream(final String uriString) {
 this.httpRequestFactory.createRequest(uri, HttpMethod.GET).execute();
 return new ResponseClosingStream(response);
 } catch (IOException e) {
- return null;
+ throw new RuntimeException(String.format("Error on getting resource '%s'", uriString), e);
 }
 }
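Review bot: The new `throw` in the `catch (IOException e)` branch closes only that one path. `getInputStream` starts above this hunk, so any other `return null` earlier in the method (around URI parsing, say, if there is one) would still let JasperReports look for the resource by other means and should get the same treatment. A short comment on the new line would keep the behaviour from being reverted later, e.g. `// Never return null here: JasperReports would then try to load the resource another way.` The message also embeds the full `uriString`; if resource URLs can carry credentials or tokens in the user-info or query part, they would end up in logs and possibly in the error reported to the caller, so consider reporting only scheme, host and path. As far as the hunk shows, `return new ResponseClosingStream(response);` hands the body back without checking the response status, which may be worth handling in the same place.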