backend/internal/web/handlers_files.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"log/slog"
 	"net/http"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -180,6 +181,16 @@ func FileUploadHandler(deps FilesDeps) http.HandlerFunc {
 			http.Error(w, "bad request: file must have a filename", http.StatusBadRequest)
 			return
 		}
+		// Sanitize: strip path components (prevents ../../etc/passwd style names
+		// from being stored in DB and returned to browsers).
+		filename = filepath.Base(filename)
+		if len(filename) > 255 {
+			filename = filename[:255]
+		}
+		if filename == "" || filename == "." {
+			http.Error(w, "bad request: invalid filename", http.StatusBadRequest)
+			return
+		}
 
 		fileUUID := uuid.New()
 		s3Key := "files/" + tablo.ID.String() + "/" + fileUUID.String() // D-04