SteelDynamite/onyx-tasks
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

fix(core): sanitize task filenames to prevent path traversal

Browse source 
Replace illegal filesystem characters (/ \ : * ? " < > |) and control
characters with underscores. Fall back to task ID as filename if the
sanitized title is empty.
This commit is contained in:
Tristan Michael 2026-03-30 16:14:29 -07:00
parent 9333ac7825
commit a54e427cd9
1 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
crates/bevy-tasks-core/src/storage.rs
View file

@ -148,8 +148,26 @@ impl FileSystemStorage {
self.root_path.join(name) self.root_path.join(name)
} }
fn sanitize_filename(name: &str) -> String {
name.chars()
.map(|c| match c {
'/' | '\\' | ':' | '*' | '?' | '"' | '<' | '>' | '|' => '_',
'\0'..='\x1f' => '_',
_ => c,
})
.collect::<String>()
.trim_matches(|c: char| c == '.' || c == ' ')
.to_string()
}
fn task_file_path(&self, list_dir: &Path, task: &Task) -> PathBuf { fn task_file_path(&self, list_dir: &Path, task: &Task) -> PathBuf {
list_dir.join(format!("{}.md", task.title)) let safe_title = Self::sanitize_filename(&task.title);
let filename = if safe_title.is_empty() {
task.id.to_string()
} else {
safe_title
};
list_dir.join(format!("{}.md", filename))
} }
fn parse_markdown_with_frontmatter(&self, content: &str) -> Result<(TaskFrontmatter, String)> { fn parse_markdown_with_frontmatter(&self, content: &str) -> Result<(TaskFrontmatter, String)> {