From 8274f6064c1d6d9ba5c71e7ba1748233d874af2b Mon Sep 17 00:00:00 2001
From: karthiksuki
Date: Wed, 27 May 2026 16:46:34 +0530
Subject: [PATCH] fix: strip control characters from sanitized filenames

Prevent tab, newline, and other ASCII control characters from appearing in S3 object keys generated from user-provided upload filenames.

Fixes #9127

Co-authored-by: Cursor
---
 apps/api/plane/utils/path_validator.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/api/plane/utils/path_validator.py b/apps/api/plane/utils/path_validator.py
index ab2e2bae537..2ea71c18f23 100644
--- a/apps/api/plane/utils/path_validator.py
+++ b/apps/api/plane/utils/path_validator.py
@@ -15,8 +15,8 @@ def sanitize_filename(filename):
     """
     Sanitize a filename to prevent path traversal attacks.
 
-    Strips directory components, path traversal sequences, and null bytes
-    from user-supplied filenames used in upload paths and S3 object keys.
+    Strips directory components, path traversal sequences, and control
+    characters from user-supplied filenames used in upload paths and S3 object keys.
 
     Returns None for empty/missing input so callers can still validate
     that a filename was provided.
@@ -24,8 +24,8 @@ def sanitize_filename(filename):
     if not filename or not isinstance(filename, str):
         return None
 
-    # Strip null bytes
-    filename = filename.replace("\x00", "")
+    # Strip ASCII control characters (0-31 and 127), including null bytes
+    filename = "".join(char for char in filename if not (ord(char) < 32 or ord(char) == 127))
 
     # Normalize backslashes so os.path.basename handles Windows-style paths on POSIX
     filename = filename.replace("\\", "/")
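Review bot: The filter on the second hunk's added `filename = "".join(...)` line drops only ASCII controls (0-31 and 127), so C1 controls (U+0080-U+009F) and Unicode format characters such as bidi overrides and zero-width joiners still pass into the S3 key; `str.isprintable()` is false for every Unicode "Other" category (Cc, Cf, Cs, Co, Cn) and for non-ASCII separators, so `filename = "".join(char for char in filename if char.isprintable())` closes that gap in one call. That form also brings the line back under the width the surrounding code keeps and reads as a positive condition rather than `not (... or ...)`; if the filter is widened, the preceding comment should say so, e.g. `# Strip control, format and other non-printable characters (including null bytes)`. A name consisting entirely of control characters now becomes `""` after this step rather than being rejected; sanitize_filename continues past the hunk, so unless that tail re-checks for an empty result, the docstring's "Returns None for empty/missing input" no longer holds for such input and callers relying on it to validate presence could accept an empty key. The first hunk's docstring edit is fine as wording but would need the same adjustment if the filter is widened beyond ASCII.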