fix: remove command substitution patterns from filenames during sanitization.

3 weeks ago · 42a289ffcb
parent e748769012
commit 42a289ffcb
1 changed files with 4 additions and 1 deletions
--- a/src/utils.py
+++ b/src/utils.py
@ -165,6 +165,9 @@ def sanitize_filename(filename: str) -> str:
    # Remove consecutive dots to prevent directory traversal attempts like '..'
    filename = re.sub(r'\.{2,}', '.', filename)

+    # remove potential $(
+    filename = re.sub(r'\$\([\s\S]*?\)', '', filename)
+
    # Ensure filename is not practically empty after sanitization
    if not filename.strip() or filename.strip().replace('.', '') == '':
         raise ValueError("Filename invalid after sanitization")