Skip to content

[Security] Sanitize custom filename input to prevent path traversal #141

Closed
Closed
[Security] Sanitize custom filename input to prevent path traversal#141
Assignees
wei123-web
Labels
gssoc'26GirlScript Summer of Code 2026gssoc:approvedApproved for GSSoC'26level:beginnerBeginner level - 20 ptsquality:cleanWell-implemented, clean codetype:securitySecuritytype:testingTesting
@magic-peach

Description

@magic-peach
magic-peach
opened on May 13, 2026

Overview

When users can specify a custom filename for the downloaded video (once implemented), the filename input must be sanitized to prevent path traversal characters and invalid filename characters.

Risk

Characters like ../, /, \, :, *, ?, ", <, >, | are invalid in filenames on various OS.

Proposed Solution

const sanitizeFilename = (name: string): string => {
  return name
    .replace(/[<>:"/\\|?*]/g, '') // Remove invalid chars
    .replace(/\.\.+/g, '.') // No path traversal
    .trim()
    .slice(0, 100) // Max length
    || 'output' // Fallback
}

Acceptance Criteria

  • Sanitization function created and tested
  • Applied to all filename outputs
  • Unit tests for sanitization edge cases

Metadata

Metadata

Assignees

Labels

gssoc'26GirlScript Summer of Code 2026gssoc:approvedApproved for GSSoC'26level:beginnerBeginner level - 20 ptsquality:cleanWell-implemented, clean codetype:securitySecuritytype:testingTesting

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions