Unreleased InputStream in InputStreamResource returned from REST controller

Question

I have such a method in my REST controller, returning file data:

@RequestMapping(
        value  = "by-id/{attachmentId}",
        method = RequestMethod.GET
)
public ResponseEntity<InputStreamResource> attachmentById(
        @PathVariable("attachmentId") String attachmentId) {
    GridFSDBFile file = service.getAttachment(attachmentId);

...... some unrelated code here, setting headers, etc .....

    return new ResponseEntity<InputStreamResource>(
                new InputStreamResource(file.getInputStream()), respHeaders, HttpStatus.OK);

}

This works fine, but by the report of Fortify, I shall release InputStream, obviously opened in file.getInputStream(). Probably, I had to use either try-with-resources, as InputStream is autocloseable, or to call file.getInputStream().close() in finally block. But it seems that I cannot do so, because I exactly do not know the implementation of neither the constructor of InputStreamResource nor its methods, whether that input stream may be still in use in returned ResponseEntity.

What am I to do?

score 3 · Accepted Answer · answered Dec 26 '18 at 13:04

3

I think that you have been able to find an answer to your question. And, probably, it is a question to Fortify, because stream is closed by Spring - see "investigation" - How to handle IO streams in Spring MVC

answered Dec 26 '18 at 13:04

mshutov

792
1
5
14

Unreleased InputStream in InputStreamResource returned from REST controller

1 Answers1