arthur/xtablo-source
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions 5

fix(07): WR-05 sanitize upload filename with filepath.Base and length cap

Browse source 
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Arthur Belleville 2026-05-15 18:56:11 +02:00
parent e7a66c44cf
commit 4ea4d28e6e
No known key found for this signature in database
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
backend/internal/web/handlers_files.go
View file

@ -5,6 +5,7 @@ import (
"errors" "errors"
"log/slog" "log/slog"
"net/http" "net/http"
"path/filepath"
"strconv" "strconv"
"strings" "strings"
"time" "time"
@ -180,6 +181,16 @@ func FileUploadHandler(deps FilesDeps) http.HandlerFunc {
http.Error(w, "bad request: file must have a filename", http.StatusBadRequest) http.Error(w, "bad request: file must have a filename", http.StatusBadRequest)
return return
} }
// Sanitize: strip path components (prevents ../../etc/passwd style names
// from being stored in DB and returned to browsers).
filename = filepath.Base(filename)
if len(filename) > 255 {
filename = filename[:255]
}
if filename == "" || filename == "." {
http.Error(w, "bad request: invalid filename", http.StatusBadRequest)
return
}
fileUUID := uuid.New() fileUUID := uuid.New()
s3Key := "files/" + tablo.ID.String() + "/" + fileUUID.String() // D-04 s3Key := "files/" + tablo.ID.String() + "/" + fileUUID.String() // D-04