chore: sanitize filename

C4illin · C4illin · commit c1b75a13fd1c · 2025-03-04T09:23:06.000+01:00
diff --git a/bun.lock b/bun.lock
diff --git a/package.json b/package.json
@@ -17,7 +17,8 @@
     "@elysiajs/jwt": "^1.2.0",
     "@elysiajs/static": "^1.2.0",
     "@kitajs/html": "^4.2.7",
-    "elysia": "^1.2.12"
+    "elysia": "^1.2.12",
+    "sanitize-filename": "^1.6.3"
   },
   "module": "src/index.tsx",
   "type": "module",
diff --git a/src/index.tsx b/src/index.tsx
@@ -7,6 +7,7 @@ import { jwt, type JWTPayloadSpec } from "@elysiajs/jwt";
 import { staticPlugin } from "@elysiajs/static";
 import { Database } from "bun:sqlite";
 import { Elysia, t } from "elysia";
+import sanitize from "sanitize-filename";
 import { BaseHtml } from "./components/base";
 import { Header } from "./components/header";
 import {
@@ -886,6 +887,10 @@ const app = new Elysia({
       const converterName = body.convert_to.split(",")[1];
       const fileNames = JSON.parse(body.file_names) as string[];
 
+      for (let i = 0; i < fileNames.length; i++) {
+        fileNames[i] = sanitize(fileNames[i] || "");
+      }
+
       if (!Array.isArray(fileNames) || fileNames.length === 0) {
         return redirect(`${WEBROOT}/`, 302);
       }
@@ -1411,7 +1416,7 @@ const app = new Elysia({
       // parse from url encoded string
       const userId = decodeURIComponent(params.userId);
       const jobId = decodeURIComponent(params.jobId);
-      const fileName = decodeURIComponent(params.fileName);
+      const fileName = sanitize(decodeURIComponent(params.fileName));
 
       const filePath = `${outputDir}${userId}/${jobId}/${fileName}`;
       return Bun.file(filePath);
