diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java
index 40e1c49..8c62367 100644
--- a/src/main/java/io/shiftleft/controller/CustomerController.java
+++ b/src/main/java/io/shiftleft/controller/CustomerController.java
@@ -216,21 +216,21 @@ public void loadSettings(HttpServletResponse httpResponse, WebRequest request) t
 * @param request
 * @throws Exception
 */
- @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
- public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
+@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
 // "Settings" will be stored in a cookie
 // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
 if (!checkCookie(request)){
- httpResponse.getOutputStream().println("Error");
- throw new Exception("cookie is incorrect");
+ httpResponse.getOutputStream().println("Error");
+ throw new Exception("cookie is incorrect");
 }
 String settingsCookie = request.getHeader("Cookie");
 String[] cookie = settingsCookie.split(",");
- if(cookie.length<2) {
- httpResponse.getOutputStream().println("Malformed cookie");
- throw new Exception("cookie is incorrect");
+ if(cookie.length<2) {
+ httpResponse.getOutputStream().println("Malformed cookie");
+ throw new Exception("cookie is incorrect");
 }
 String base64txt = cookie[0].replace("settings=","");
@@ -238,30 +238,33 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
 // Check md5sum
 String cookieMD5sum = cookie[1];
 String calcMD5Sum = DigestUtils.md5Hex(base64txt);
- if(!cookieMD5sum.equals(calcMD5Sum))
+ if(!cookieMD5sum.equals(calcMD5Sum))
 {
- httpResponse.getOutputStream().println("Wrong md5");
- throw new Exception("Invalid MD5");
+ httpResponse.getOutputStream().println("Wrong md5");
+ throw new Exception("Invalid MD5");
 }
 // Now we can store on filesystem
 String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
- // storage will have ClassPathResource as basepath
+ // storage will have ClassPathResource as basepath
 ClassPathResource cpr = new ClassPathResource("./static/");
- File file = new File(cpr.getPath()+settings[0]);
+ // Sanitize filename to prevent directory traversal
+ String filename = FilenameUtils.getName(settings[0]);
+ File file = new File(cpr.getPath() + filename);
 if(!file.exists()) {
- file.getParentFile().mkdirs();
+ file.getParentFile().mkdirs();
 }
 FileOutputStream fos = new FileOutputStream(file, true);
 // First entry is the filename -> remove it
 String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
- // on setting at a linez
+ // on setting at a line
 fos.write(String.join("\n",settingsArr).getBytes());
 fos.write(("\n"+cookie[cookie.length-1]).getBytes());
 fos.close();
 httpResponse.getOutputStream().println("Settings Saved");
- }
+}
+
 /**
 * Debug test for saving and reading a customer
@@ -388,3 +391,4 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ
 }
 }
+
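Review bot: The traversal fix on the `File file = new File(cpr.getPath() + filename)` line still leaves the target file name and the appended contents fully client-controlled, because the integrity check a few lines above compares the cookie's digest against `DigestUtils.md5Hex(base64txt)`, an unkeyed hash of the same client-supplied value that any caller can recompute, so the "Wrong md5" branch rejects nothing an attacker cares about. `FilenameUtils.getName` also passes `""`, `"."` and `".."` straight through, which then resolve to the `static/` directory itself and fail inside `new FileOutputStream` with an unhandled exception rather than a clean "Malformed cookie" rejection. A keyed MAC with a server-side secret, compared with `MessageDigest.isEqual`, plus an explicit rejection of those three names would close both gaps; the cookie producer (presumably `loadSettings`, outside this hunk) and the `// schema:` comment in the previous hunk would need the matching change, and `Hex` here is assumed to come from the same commons-codec package as `DigestUtils`. The `FileOutputStream` on the context line after `mkdirs()` is also never closed if either `fos.write` throws, and `getBytes()` without a charset uses the platform default; try-with-resources and `StandardCharsets.UTF_8` fix both.
```java
// Check integrity with a keyed MAC; an unkeyed md5 over client data proves nothing
String cookieMac = cookie[1];
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(settingsKey); // server-side SecretKeySpec, never sent to the client — TODO wire from config
String calcMac = Hex.encodeHexString(mac.doFinal(base64txt.getBytes(StandardCharsets.UTF_8)));
if (!MessageDigest.isEqual(cookieMac.getBytes(StandardCharsets.UTF_8),
                           calcMac.getBytes(StandardCharsets.UTF_8))) {
    httpResponse.getOutputStream().println("Wrong mac");
    throw new Exception("Invalid MAC");
}
// … unchanged: base64 decode of settings, ClassPathResource setup …
String filename = FilenameUtils.getName(settings[0]);
if (filename.isEmpty() || filename.equals(".") || filename.equals("..")) {
    httpResponse.getOutputStream().println("Malformed cookie");
    throw new Exception("invalid settings filename");
}
File file = new File(cpr.getPath() + filename);
// … unchanged: mkdirs, settingsArr = copyOfRange(...) …
try (FileOutputStream fos = new FileOutputStream(file, true)) {
    fos.write(String.join("\n", settingsArr).getBytes(StandardCharsets.UTF_8));
    fos.write(("\n" + cookie[cookie.length - 1]).getBytes(StandardCharsets.UTF_8));
}
```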