Fix validation of filenames with special characters

Resolves #864
biigle · Jun 27, 2024 · bd7f976 · bd7f976
1 parent 98a64c4
commit bd7f976
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/app/Rules/VolumeFiles.php b/app/Rules/VolumeFiles.php
@@ -90,13 +90,18 @@ public function passes($attribute, $value)
             return false;
         }
 
-        $lengths = array_map('strlen', $value);
-        $tooLong = array_filter($lengths, fn ($l) => $l > self::FILENAME_MAX_LENGTH);
+        foreach ($value as $filename) {
+            if (strlen($filename) > self::FILENAME_MAX_LENGTH) {
+                $this->message = 'A filename must not be longer than '.self::FILENAME_MAX_LENGTH.' characters.';
 
-        if (!empty($tooLong)) {
-            $this->message = 'A filename must not be longer than '.self::FILENAME_MAX_LENGTH.' characters.';
+                return false;
+            }
 
-            return false;
+            if (preg_match('/[\t\r\n\f]/', $filename) !== 0) {
+                $this->message = 'A filename must not contain characters such as newline or tab.';
+
+                return false;
+            }
         }
 
         if ($this->typeId === MediaType::imageId()) {

diff --git a/tests/php/Rules/VolumeFilesTest.php b/tests/php/Rules/VolumeFilesTest.php
@@ -81,6 +81,18 @@ public function testCheckVideoFilesExist()
         Storage::disk('test')->put('videos/2.mp4', 'abc');
         $this->assertTrue($validator->passes(null, ['1.mp4', '2.mp4']));
     }
+
+    public function testDenySpecialCharacters()
+    {
+        $validator = new VolumeFilesStub('', MediaType::imageId());
+        $this->assertFalse($validator->passes(null, ["my-\r\nimage.jpg"]));
+    }
+
+    public function testAllowSpaces()
+    {
+        $validator = new VolumeFilesStub('', MediaType::imageId());
+        $this->assertTrue($validator->passes(null, ["my image.jpg"]));
+    }
 }
 
 class VolumeFilesStub extends VolumeFiles