From 42a289ffcb17224228ac21c6ffb417f767b88ead Mon Sep 17 00:00:00 2001
From: Cizz22
Date: Thu, 19 Feb 2026 14:00:26 +0700
Subject: [PATCH] fix: remove command substitution patterns from filenames during sanitization.
---
 src/utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/utils.py b/src/utils.py
index 8458e97..35b32dd 100644
--- a/src/utils.py
+++ b/src/utils.py
@@ -164,7 +164,10 @@ def sanitize_filename(filename: str) -> str:
 # Remove consecutive dots to prevent directory traversal attempts like '..'
 filename = re.sub(r'\.{2,}', '.', filename)
-
+
+ # remove potential $(
+ filename = re.sub(r'\$\([\s\S]*?\)', '', filename)
+
 # Ensure filename is not practically empty after sanitization
 if not filename.strip() or filename.strip().replace('.', '') == '':
 raise ValueError("Filename invalid after sanitization")
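Review bot: The new `$(...)` strip runs after the consecutive-dot collapse just above it, so removing a substitution that sits between two dots joins them back into `..`, which that earlier line was meant to prevent. A single non-greedy pass over nested input can also leave a fresh `$(` behind. Placing `filename = re.sub(r'\$\([\s\S]*?\)', '', filename)` above `filename = re.sub(r'\.{2,}', '.', filename)` fixes the ordering, and rejecting rather than stripping, `if '$(' in filename: raise ValueError("Filename invalid after sanitization")`, avoids the reassembly problem and matches how the function already fails. The pattern also needs a closing `)`, so an unterminated `$(` and backquote substitution pass through unless earlier lines of sanitize_filename, which starts outside this hunk, already remove them. If these filenames ever reach a shell, the durable fix is at that call site (an argument list without a shell) rather than in this denylist.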