Description
The sanitize_filename() function in apps/api/plane/utils/path_validator.py does not strip control characters (e.g., tab, newline, carriage return) from user-provided filenames. This function is used when generating S3 object keys for file uploads.
Steps to Reproduce
- Send a POST request to asset upload endpoint with a filename containing control characters
- The filename with control characters will be used directly in the S3 object key
Impact
Control characters in S3 object keys can cause storage inconsistencies, display issues in the AWS console, API compatibility problems, and obfuscated filenames in logs, which makes security investigations difficult.
Affected Code
apps/api/plane/utils/path_validator.py line 16: filename = filename.replace("\x00", "") - only strips null bytes, not other control characters
Suggested Fix
Add a line to strip all control characters:
filename = "".join(char for char in filename if not (ord(char) < 32 or ord(char) == 127))
This removes ASCII control characters (0-31 and 127) while preserving printable characters and Unicode.
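As an added example (not the project's code): the NUL-only behaviour the report describes beside the suggested fix, plus a broader variant based on the Unicode "Cc" category that also drops C1 control characters (U+0080 to U+009F), which the ASCII-range check leaves in place. The sample filenames are constructed.

```python
import unicodedata


def strip_null_only(filename: str) -> str:
    """The behaviour the report describes: only the NUL byte is removed."""
    return filename.replace("\x00", "")


def strip_ascii_controls(filename: str) -> str:
    """The report's suggested fix: drop ASCII 0-31 and 127, keep everything else."""
    return "".join(ch for ch in filename if not (ord(ch) < 32 or ord(ch) == 127))


def strip_all_controls(filename: str) -> str:
    """Broader variant (an assumption, not the report's text): drop every code point
    whose Unicode category is Cc, which covers ASCII controls and C1 controls such
    as U+0085 (NEL) while still preserving printable non-ASCII characters."""
    return "".join(ch for ch in filename if unicodedata.category(ch) != "Cc")


def has_control_chars(filename: str) -> bool:
    """Check usable in a test or a log-review script: does any control char remain?"""
    return any(unicodedata.category(ch) == "Cc" for ch in filename)


# Constructed sample inputs, not taken from any real upload.
SAMPLES = {
    "tab_and_newline": "report\t2024\nfinal.pdf",
    "crlf_in_name": "invoice.pdf\r\nsecond line",
    "c1_control": "notes\u0085.txt",
    "unicode_printable": "r\u00e9sum\u00e9_\u65e5\u672c\u8a9e.pdf",
}

if __name__ == "__main__":
    for label, name in SAMPLES.items():
        print(label)
        print("  null-only      :", repr(strip_null_only(name)))
        print("  ascii controls :", repr(strip_ascii_controls(name)))
        print("  all Cc         :", repr(strip_all_controls(name)))
```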
Environment
- Version: Latest
- Python: 3.11+
- Django: 4.2+