fix(security): handle null bytes in filename + fix test assertion

- DocumentService.sanitizeFilename(): strip null bytes before FilenameUtils.getName()
  (commons-io rejects \0 with IllegalArgumentException)
- DocumentServiceTest: fix '..' assertion — code returns 'document', not UUID
Patrick Plate
2026-06-19 09:23:40 +02:00
parent 4b38c4fa09
commit b69e5b1820
2 changed files with 8 additions and 3 deletions
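--- a/DocumentService.java
+++ b/DocumentService.java
@@ -211,9 +211,14 @@ public class DocumentService {
 if (original == null || original.isBlank()) {
 return UUID.randomUUID().toString();
 }
+// Strip null bytes first — FilenameUtils.getName() throws on \0
+String safe = original.replace("\0", "");
+if (safe.isBlank()) {
+return UUID.randomUUID().toString();
+}
 // Strip path components using commons-io — handles both Unix and Windows separators
 // regardless of the current platform (unlike Paths.get which is platform-dependent)
-String name = FilenameUtils.getName(original);
+String name = FilenameUtils.getName(safe);
 if (name == null || name.isBlank()) {
 return "document";
 }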
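Review bot: The new `safe.isBlank()` guard returns a random UUID for an all-`\0` name, while the `getName()` blank check a few lines down returns the literal `"document"`, so the same method now has two different fallbacks for "nothing usable was supplied" — the test corrected in this very commit shows how easy that is to get wrong. A null byte never appears in a legitimate upload name, so rather than silently stripping it and continuing, I would treat it as a rejection signal with a single early exit, `if (original.indexOf('\0') >= 0) { return UUID.randomUUID().toString(); }`, which also removes the second blank check; if stripping is deliberate (to keep the user's name where possible), say so in the comment, e.g. `// \0 cannot be legitimate; strip rather than reject so a mostly-valid name survives`. sanitizeFilename's signature and the rest of its body, including the `..` handling the test refers to, are outside this hunk, so I cannot tell whether other control characters (`\r`, `\n`, remaining C0) are handled later; a one-line note on that would help the next reader — TODO confirm.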
@@ -167,10 +167,10 @@ class DocumentServiceTest {
clubId, "Dots", DocumentCategory.SONSTIGES, clubId, "Dots", DocumentCategory.SONSTIGES,
DocumentAccessLevel.ALL_MEMBERS, null, file, uploadedBy); DocumentAccessLevel.ALL_MEMBERS, null, file, uploadedBy);
// ".." is explicitly caught → UUID fallback // ".." is explicitly caught → "document" fallback
assertThat(result.getFilename()).isNotEqualTo(".."); assertThat(result.getFilename()).isNotEqualTo("..");
assertThat(result.getFilename()).isNotBlank(); assertThat(result.getFilename()).isNotBlank();
assertThat(result.getFilename()).matches("[a-f0-9\\-]+"); assertThat(result.getFilename()).isEqualTo("document");
} }
} }
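Review bot: The null-byte branch added to sanitizeFilename in this same commit has no test here — the only test change is the corrected `..` assertion — so the new `original.replace("\0", "")` path and its UUID fallback for an all-null name go unverified. I would add a sibling case in this class that uploads with a name like `"report.pdf\0.exe"` and asserts the stored filename contains no `\0` (and, if stripping is the intended contract, equals `"report.pdf.exe"`), plus one with `"\0"` asserting the `[a-f0-9\\-]+` UUID pattern that this hunk drops from the `..` case. The test method's opening lines (the upload call) are outside the hunk.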