Sanitized user-provided file names in HTTP multipart uploads

2026-03-17 21:36:54 +01:00 · 2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
--- a/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.pipeline;

+import io.github.pixee.security.Filenames;
 import io.github.pixee.security.ZipSecurity;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -334,7 +335,7 @@ public class PipelineProcessor {
                    new ByteArrayResource(file.getBytes()) {
                        @Override
                        public String getFilename() {
-                            return file.getOriginalFilename();
+                            return Filenames.toSimpleFileName(file.getOriginalFilename());
                        }
                    };
            outputFiles.add(fileResource);