From fb63b821bea694a9e2c4ea5ee3d99e3e143b7a8a Mon Sep 17 00:00:00 2001 From: Cizz22 Date: Thu, 19 Feb 2026 14:56:29 +0700 Subject: [PATCH] refactor: Improve filename sanitization by removing shell variable patterns and directly stripping invalid characters. --- src/utils.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/utils.py b/src/utils.py index 35b32dd..52faa80 100644 --- a/src/utils.py +++ b/src/utils.py @@ -157,17 +157,20 @@ def sanitize_filename(filename: str) -> str: # Remove control characters and non-printable characters filename = re.sub(r'[\x00-\x1f\x7f]', '', filename) + + # remove potential $( ) and ${ } + filename = re.sub(r'\$[\(\{].*?[\)\}]', '', filename) + # remove any remaining $( or ${ + filename = filename.replace('$(', '').replace('${', '') + # Allow alphanumeric, underscore, hyphen, space, and dots # Remove other potentially dangerous characters. - filename = re.sub(r'[^a-zA-Z0-9_\-\.\ ]', '_', filename) + filename = re.sub(r'[^a-zA-Z0-9_\-\.\ ]', '', filename) # Remove consecutive dots to prevent directory traversal attempts like '..' filename = re.sub(r'\.{2,}', '.', filename) - # remove potential $( - filename = re.sub(r'\$\([\s\S]*?\)', '', filename) - # Ensure filename is not practically empty after sanitization if not filename.strip() or filename.strip().replace('.', '') == '': raise ValueError("Filename invalid after sanitization")