AuDownloader uses new File(path) and new URL(path) but it's unclear whether the paths are sanitized somewhere to prevent a remote attacker from accessing any resource on the server (or even attacking different servers by using a global URL)