From 4ea4d28e6e97fa5b9d48ebd8fcf62b6be62118db Mon Sep 17 00:00:00 2001
From: Arthur Belleville <arthur.belleville@datadoghq.com>
Date: Fri, 15 May 2026 18:56:11 +0200
Subject: [PATCH] fix(07): WR-05 sanitize upload filename with filepath.Base
 and length cap

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 backend/internal/web/handlers_files.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/backend/internal/web/handlers_files.go b/backend/internal/web/handlers_files.go
index 6fd931e..de64dac 100644
--- a/backend/internal/web/handlers_files.go
+++ b/backend/internal/web/handlers_files.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"log/slog"
 	"net/http"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -180,6 +181,16 @@ func FileUploadHandler(deps FilesDeps) http.HandlerFunc {
 			http.Error(w, "bad request: file must have a filename", http.StatusBadRequest)
 			return
 		}
+		// Sanitize: strip path components (prevents ../../etc/passwd style names
+		// from being stored in DB and returned to browsers).
+		filename = filepath.Base(filename)
+		if len(filename) > 255 {
+			filename = filename[:255]
+		}
+		if filename == "" || filename == "." {
+			http.Error(w, "bad request: invalid filename", http.StatusBadRequest)
+			return
+		}
 
 		fileUUID := uuid.New()
 		s3Key := "files/" + tablo.ID.String() + "/" + fileUUID.String() // D-04