Initial implementation of upload files api. (#1703)

* Initial implementation of upload files api. * Move sanitize method to utils. * Save uploaded data to uploads folder. * Avoid loop if we do not have a purpose. * Minor cleanup of api and fix bug where deleting duplicate filename cause error. * Revert defer of saving config * Moved creation of directory to startup. * Make file names unique when storing on disk. * Add test for files api. * Update dependencies.
2025-05-21 11:04:59 +00:00 · 2024-02-18 02:12:02 -08:00 · 2024-02-18 02:12:02 -08:00 · 01205fd4c0
commit 01205fd4c0
parent c72808f18b
8 changed files with 538 additions and 3 deletions
--- a/pkg/utils/path.go
+++ b/pkg/utils/path.go
@ -3,6 +3,7 @@ package utils
 import (
 	"fmt"
 	"path/filepath"
+	"strings"
 )

 func inTrustedRoot(path string, trustedRoot string) error {
@ -20,3 +21,14 @@ func VerifyPath(path, basePath string) error {
 	c := filepath.Clean(filepath.Join(basePath, path))
 	return inTrustedRoot(c, filepath.Clean(basePath))
 }
+
+// SanitizeFileName sanitizes the given filename
+func SanitizeFileName(fileName string) string {
+	// filepath.Clean to clean the path
+	cleanName := filepath.Clean(fileName)
+	// filepath.Base to ensure we only get the final element, not any directory path
+	baseName := filepath.Base(cleanName)
+	// Replace any remaining tricky characters that might have survived cleaning
+	safeName := strings.ReplaceAll(baseName, "..", "")
+	return safeName
+}