From 24ffb82da8955f448f0959ac5d16e5ae46d9be44 Mon Sep 17 00:00:00 2001
From: Diamantis Sellis
Date: Thu, 21 Nov 2024 10:01:52 +0100
Subject: [PATCH] fix: check filenames as we do for destination paths

---
 .../com/cosmotech/workspace/service/WorkspaceServiceImpl.kt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
index 8d629d190..7efa73e82 100644
--- a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
+++ b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
@@ -215,6 +215,10 @@ internal class WorkspaceServiceImpl(
 throw IllegalArgumentException("Invalid destination: '$destination'. '..' is not allowed")
 }
 val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_WRITE)
+ if (file?.filename?.contains("..") == true || file?.filename?.contains("/") == true) {
+ throw IllegalArgumentException(
+ "Invalid filename: '${file.filename}'. '..' and '/' are not allowed")
+ }
 logger.debug(
 "Uploading file resource to workspace #{} ({}): {} => {}",