diff --git a/cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java b/cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java
index 81d4577..9e14ee4 100644
--- a/cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java
+++ b/cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java
@@ -211,9 +211,14 @@ public class DocumentService {
 if (original == null || original.isBlank()) {
 return UUID.randomUUID().toString();
 }
+ // Strip null bytes first — FilenameUtils.getName() throws on \0
+ String safe = original.replace("\0", "");
+ if (safe.isBlank()) {
+ return UUID.randomUUID().toString();
+ }
 // Strip path components using commons-io — handles both Unix and Windows separators
 // regardless of the current platform (unlike Paths.get which is platform-dependent)
- String name = FilenameUtils.getName(original);
+ String name = FilenameUtils.getName(safe);
 if (name == null || name.isBlank()) {
 return "document";
 }
diff --git a/cannamanage-service/src/test/java/de/cannamanage/service/DocumentServiceTest.java b/cannamanage-service/src/test/java/de/cannamanage/service/DocumentServiceTest.java
index d2d8978..7feac9a 100644
--- a/cannamanage-service/src/test/java/de/cannamanage/service/DocumentServiceTest.java
+++ b/cannamanage-service/src/test/java/de/cannamanage/service/DocumentServiceTest.java
@@ -167,10 +167,10 @@ class DocumentServiceTest {
 clubId, "Dots", DocumentCategory.SONSTIGES, DocumentAccessLevel.ALL_MEMBERS, null, file, uploadedBy);
- // ".." is explicitly caught → UUID fallback
+ // ".." is explicitly caught → "document" fallback
 assertThat(result.getFilename()).isNotEqualTo("..");
 assertThat(result.getFilename()).isNotBlank();
- assertThat(result.getFilename()).matches("[a-f0-9\\-]+");
+ assertThat(result.getFilename()).isEqualTo("document");
 }
 }
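Review bot: In the DocumentService.java hunk only `\0` is removed before `FilenameUtils.getName(safe)`, so other control characters such as CR and LF still pass through this part of the method. The method continues past the hunk, so later code may already handle them, but if the sanitised name ends up in a `Content-Disposition` header or a log line they matter as much as NUL does. Consider `String safe = original.replaceAll("\\p{Cntrl}", "");`, plus a log entry when anything was stripped, since a NUL in an uploaded filename is rarely accidental. The two fallbacks also differ now (a random UUID for an all-NUL name, `"document"` for an empty base name), and a short comment saying whether that is intended would help the next reader.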
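Review bot: In the DocumentServiceTest.java hunk nothing exercises the NUL-byte path this commit adds to the service; the only visible change is the `..` expectation. Two cases would pin the new behaviour: a name with an embedded NUL (constructed example: `"report\0.pdf"`) asserting that the stored filename contains no `\0`, and a name made only of NUL bytes asserting the UUID pattern `[a-f0-9\\-]+`. The remaining `isNotEqualTo("..")` and `isNotBlank()` assertions are now implied by `isEqualTo("document")` and could be dropped. The test method starts outside the hunk, so its name and setup are not visible here.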