fix: sanitize path traversal in filename (TDD)
Some checks failed
Build & Deploy to Staging / Build & Deploy to Staging (push) Failing after 2m0s
Some checks failed
Build & Deploy to Staging / Build & Deploy to Staging (push) Failing after 2m0s
This commit is contained in:
OpenClaw Subagent
parent
f0cb83a901
commit
9e1d4d86fb
2 changed files with 46 additions and 2 deletions
|
|
@ -1,4 +1,17 @@
|
|||
export function sanitizeFilename(name: string, defaultName = "document.pdf"): string {
|
||||
const sanitized = String(name || "").replace(/[\x00-\x1f"'\\\r\n]/g, "_").trim().substring(0, 200);
|
||||
return sanitized || defaultName;
|
||||
// Replace control chars, quotes, backslashes, AND forward slashes
|
||||
let sanitized = String(name || "")
|
||||
.replace(/[\x00-\x1f"'\\\r\n/]/g, "_")
|
||||
.trim()
|
||||
.substring(0, 200);
|
||||
|
||||
// Replace any sequence of dots (including ".." path traversal)
|
||||
sanitized = sanitized.replace(/\.{2,}/g, "_");
|
||||
|
||||
// Strip leading dots to prevent hidden files or remaining single dots
|
||||
sanitized = sanitized.replace(/^\.+/, "");
|
||||
|
||||
// If result is empty or only underscores/dots/whitespace, return default
|
||||
const cleaned = sanitized.replace(/[_.\s]/g, "");
|
||||
return cleaned ? sanitized.trim() : defaultName;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue