Sanitized user-provided file names in HTTP multipart uploads

2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
--- a/src/main/java/stirling/software/SPDF/controller/api/SplitPDFController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/SplitPDFController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api;

+import io.github.pixee.security.Filenames;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.file.Files;
@@ -83,7 +84,7 @@ public class SplitPDFController {

        Path zipFile = Files.createTempFile("split_documents", ".zip");

-        String filename = file.getOriginalFilename().replaceFirst("[.][^.]+$", "");
+        String filename = Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "");
        try (ZipOutputStream zipOut = new ZipOutputStream(Files.newOutputStream(zipFile))) {
            // loop through the split documents and write them to the zip file
            for (int i = 0; i < splitDocumentsBoas.size(); i++) {