From 2b64d64f80049def751bb13cda0bb2f3acbc996a Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Mon, 9 Jun 2025 23:11:32 +0100
Subject: [PATCH] sanitise file name

---
 internal/api/routes/files.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/internal/api/routes/files.go b/internal/api/routes/files.go
index 0d987f4..a345fdf 100644
--- a/internal/api/routes/files.go
+++ b/internal/api/routes/files.go
@@ -114,12 +114,31 @@ func RegisterFileRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 api.GET("/:name", func(c *gin.Context) {
 name := c.Param("name")
+ name = strings.TrimSpace(name)
+
+ safe := ""
+ for _, r := range name {
+ if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
+ (r >= '0' && r <= '9') || r == '_' || r == '.' || r == '-' {
+ safe += string(r)
+ } else {
+ safe += "_"
+ }
+ }
+ name = safe
+
 parts := strings.SplitN(name, "_", 2)
 if len(parts) != 2 {
 c.JSON(400, gin.H{"error": "invalid file name"})
 return
 }
+ uid, filename := parts[0], parts[1]
+ if uid == "" || filename == "" {
+ c.JSON(400, gin.H{"error": "invalid file name"})
+ return
+ }
+
 path := filepath.Join(cfg.ImagePath, uid, filename)
 if _, err := os.Stat(path); err != nil {
 c.JSON(404, gin.H{"error": "file not found"})