From c1b75a13fd1cc9bf39109dea5a1445c594f07451 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emrik=20=C3=96stling?= Date: Tue, 4 Mar 2025 09:23:06 +0100 Subject: [PATCH] chore: sanitize filename --- bun.lock | 7 +++++++ package.json | 3 ++- src/index.tsx | 7 ++++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/bun.lock b/bun.lock index 17ce502..2047a8a 100644 --- a/bun.lock +++ b/bun.lock @@ -10,6 +10,7 @@ "@elysiajs/static": "^1.2.0", "@kitajs/html": "^4.2.7", "elysia": "^1.2.12", + "sanitize-filename": "^1.6.3", }, "devDependencies": { "@eslint/js": "^9.19.0", @@ -686,6 +687,8 @@ "run-parallel": ["run-parallel@1.2.0", "", { "dependencies": { "queue-microtask": "^1.2.2" } }, "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA=="], + "sanitize-filename": ["sanitize-filename@1.6.3", "", { "dependencies": { "truncate-utf8-bytes": "^1.0.0" } }, "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg=="], + "semver": ["semver@7.7.0", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-DrfFnPzblFmNrIZzg5RzHegbiRWg7KMR7btwi2yjHwx06zsUbO5g613sVwEV7FTwmzJu+Io0lJe2GJ3LxqpvBQ=="], "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="], 
@@ -730,6 +733,8 @@ "to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="], + "truncate-utf8-bytes": ["truncate-utf8-bytes@1.0.2", "", { "dependencies": { "utf8-byte-length": "^1.0.1" } }, "sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ=="], + "ts-api-utils": ["ts-api-utils@2.0.1", "", { "peerDependencies": { "typescript": ">=4.8.4" } }, "sha512-dnlgjFSVetynI8nzgJ+qF62efpglpWRk8isUEWZGWlJYySCTD6aKvbUDu+zbPeDakk3bg5H4XpitHukgfL1m9w=="], "tslib": ["tslib@2.8.1", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="], @@ -752,6 +757,8 @@ "uri-js": ["uri-js@4.4.1", "", { "dependencies": { "punycode": "^2.1.0" } }, "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg=="], + "utf8-byte-length": ["utf8-byte-length@1.0.5", "", {}, "sha512-Xn0w3MtiQ6zoz2vFyUVruaCL53O/DwUvkEeOvj+uulMm0BkUGYWmBYVyElqZaSLhY6ZD0ulfU3aBra2aVT4xfA=="], + "util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="], "wcwidth": ["wcwidth@1.0.1", "", { "dependencies": { "defaults": "^1.0.3" } }, "sha512-XHPEwS0q6TaxcvG85+8EYkbiCux2XtWG2mkc47Ng2A77BQu9+DqIOJldST4HgPkuea7dvKSj5VgX3P1d4rW8Tg=="], diff --git a/package.json b/package.json index c97eda3..b554bfb 100644 --- a/package.json +++ b/package.json @@ -17,7 +17,8 @@ "@elysiajs/jwt": "^1.2.0", "@elysiajs/static": "^1.2.0", "@kitajs/html": "^4.2.7", - "elysia": "^1.2.12" + "elysia": "^1.2.12", + "sanitize-filename": "^1.6.3" }, "module": "src/index.tsx", "type": "module", diff --git a/src/index.tsx b/src/index.tsx index e7274a9..2143b38 100644 --- a/src/index.tsx +++ b/src/index.tsx 
@@ -7,6 +7,7 @@ import { jwt, type JWTPayloadSpec } from "@elysiajs/jwt"; import { staticPlugin } from "@elysiajs/static"; import { Database } from "bun:sqlite"; import { Elysia, t } from "elysia"; +import sanitize from "sanitize-filename"; import { BaseHtml } from "./components/base"; import { Header } from "./components/header"; import { @@ -886,6 +887,10 @@ const app = new Elysia({ const converterName = body.convert_to.split(",")[1]; const fileNames = JSON.parse(body.file_names) as string[]; + for (let i = 0; i < fileNames.length; i++) { + fileNames[i] = sanitize(fileNames[i] || ""); + } + if (!Array.isArray(fileNames) || fileNames.length === 0) { return redirect(`${WEBROOT}/`, 302); } @@ -1411,7 +1416,7 @@ const app = new Elysia({ // parse from url encoded string const userId = decodeURIComponent(params.userId); const jobId = decodeURIComponent(params.jobId); - const fileName = decodeURIComponent(params.fileName); + const fileName = sanitize(decodeURIComponent(params.fileName)); const filePath = `${outputDir}${userId}/${jobId}/${fileName}`; return Bun.file(filePath);
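Review bot: In the `@@ -886` hunk the sanitizing loop runs before the `Array.isArray(fileNames)` guard, so the type assertion on `JSON.parse` is trusted for one iteration too long: a JSON string body has a `.length`, and in this ES module (strict mode) `fileNames[i] = ...` on a string primitive throws a TypeError, turning the intended redirect into a 500; a non-string element such as a number is also handed to `sanitize`, which as far as I recall throws on non-string input. `sanitize` also maps names like `..` or `/` to `""`, so an array of traversal attempts survives the `length === 0` check as a list of empty strings that are then used as filenames further down the handler, which continues outside this hunk. Run the guard first, coerce per element, and drop empty results:
```typescript
const parsed: unknown = JSON.parse(body.file_names);
if (!Array.isArray(parsed) || parsed.length === 0) {
  return redirect(`${WEBROOT}/`, 302);
}
// sanitize() turns "..", "/" etc. into "", so empty results must be dropped
const fileNames = parsed
  .map((name) => sanitize(typeof name === "string" ? name : ""))
  .filter((name) => name.length > 0);
if (fileNames.length === 0) {
  return redirect(`${WEBROOT}/`, 302);
}
// … unchanged: rest of the handler …
```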
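Review bot: In the `@@ -1411` hunk only `fileName` is sanitized while `userId` and `jobId` are interpolated into `filePath` straight from the route params, so `../` segments in either still escape `${outputDir}` unless a check outside this hunk binds them to the authenticated user and a real job (the handler starts before the hunk, so I cannot see one). Apply the same treatment to both, `const userId = sanitize(decodeURIComponent(params.userId));` and `const jobId = sanitize(decodeURIComponent(params.jobId));`, and since `sanitize` returns `""` for inputs like `..`, reject any empty result before building the path, e.g. `if (!userId || !jobId || !fileName) return redirect(`${WEBROOT}/`, 302);`, otherwise `Bun.file` is pointed at a directory. A defence-in-depth alternative is to `path.resolve` the final path and refuse it when it does not start with the resolved `outputDir`.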