fix(standard-server): invalid content-disposition with non-ASCII filenames

[dinwwwh]

Fixes #1498

Summary by CodeRabbit

• Bug Fixes
  • Improved handling of special characters and international (non-ASCII) characters in filenames during content disposition, ensuring proper escaping and RFC 5987 encoding compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated generateContentDisposition to sanitize non-ASCII characters in the ASCII filename parameter while preserving RFC 5987 percent-encoded UTF-8 filename\* parameter, fixing Content-Disposition header validation errors with non-ASCII filenames. Test coverage expanded from one case to four isolated test cases.

Changes

Cohort / File(s)

Summary

Content-Disposition filename sanitization packages/standard-server/src/utils.ts, packages/standard-server/src/utils.test.ts

Modified generateContentDisposition to replace non-printable ASCII characters ([^\x20-\x7E]) with underscores in the filename= parameter before escaping quotes, while maintaining RFC 5987 filename*=utf-8'' encoding. Test suite expanded from single case to four isolated test cases covering ASCII filenames, empty filenames, quote escaping, and non-ASCII (Japanese) filename handling with both filename and filename* validation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix(standard-server): handle empty filename during file deserialization #320: Modifies the same generateContentDisposition function implementation and related test cases for filename handling and edge-case coverage.

Suggested labels

bug, javascript

Poem

🐰 A rabbit's hop through headers wide,
Non-ASCII chars now sanitized with pride,
RFC 5987 keeps UTF-8 true,
While ASCII fallback sees us through,
No more invalid chars to vex,
Content flows perfectly perplexed! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The PR successfully implements the fix for issue #1498 by sanitizing non-ASCII characters in filename parameter while preserving RFC 5987 encoding in filename* parameter.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the generateContentDisposition function and its test suite to handle non-ASCII filenames, with no unrelated modifications.
Title check	✅ Passed	The title clearly identifies the primary change: fixing generateContentDisposition to handle non-ASCII filenames properly by sanitizing them in the filename parameter while maintaining RFC 5987 encoding in filename*.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug affecting file downloads and display when filenames contain non-ASCII characters. By refining the Content-Disposition header generation logic, it ensures that files with international characters are correctly handled by browsers and clients, preventing issues like corrupted filenames or failed downloads.

Highlights

• Content-Disposition Header Fix: Resolved an issue where Content-Disposition headers were invalid when filenames contained non-ASCII characters, ensuring proper file handling.
• Filename Encoding Logic: Implemented a new encoding strategy for generateContentDisposition where non-ASCII characters in the filename parameter are replaced with underscores, while the filename* parameter uses UTF-8 encoding.
• Test Coverage: Expanded test coverage for generateContentDisposition to include scenarios with non-ASCII filenames and refactored existing tests for better organization.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the tests for generateContentDisposition by organizing them into a describe block and adding a new test case for non-ASCII filenames. The generateContentDisposition function itself has been updated to handle non-ASCII characters in the filename parameter of the Content-Disposition header by replacing them with underscores, ensuring better compatibility while the filename* parameter continues to provide full UTF-8 encoding. There is no feedback to provide as no review comments were made.

[pkg-pr-new]

More templates

• @orpc/astro-playground
• @orpc/browser-extension-playground
• @orpc/bun-websocket-otel-playground
• @orpc/cloudflare-worker-playground
• @orpc/contract-first-playground
• @orpc/electron-playground
• @orpc/nest-playground
• @orpc/next-playground
• @orpc/nuxt-playground
• @orpc/solid-start-playground
• @orpc/svelte-kit-playground
• @orpc/tanstack-start-playground

@orpc/ai-sdk

npm i https://pkg.pr.new/@orpc/ai-sdk@1500

@orpc/arktype

npm i https://pkg.pr.new/@orpc/arktype@1500

@orpc/client

npm i https://pkg.pr.new/@orpc/client@1500

@orpc/contract

npm i https://pkg.pr.new/@orpc/contract@1500

@orpc/experimental-durable-iterator

npm i https://pkg.pr.new/@orpc/experimental-durable-iterator@1500

@orpc/hey-api

npm i https://pkg.pr.new/@orpc/hey-api@1500

@orpc/interop

npm i https://pkg.pr.new/@orpc/interop@1500

@orpc/json-schema

npm i https://pkg.pr.new/@orpc/json-schema@1500

@orpc/nest

npm i https://pkg.pr.new/@orpc/nest@1500

@orpc/openapi

npm i https://pkg.pr.new/@orpc/openapi@1500

@orpc/openapi-client

npm i https://pkg.pr.new/@orpc/openapi-client@1500

@orpc/otel

npm i https://pkg.pr.new/@orpc/otel@1500

@orpc/experimental-pino

npm i https://pkg.pr.new/@orpc/experimental-pino@1500

@orpc/experimental-publisher

npm i https://pkg.pr.new/@orpc/experimental-publisher@1500

@orpc/experimental-publisher-durable-object

npm i https://pkg.pr.new/@orpc/experimental-publisher-durable-object@1500

@orpc/experimental-ratelimit

npm i https://pkg.pr.new/@orpc/experimental-ratelimit@1500

@orpc/react

npm i https://pkg.pr.new/@orpc/react@1500

@orpc/react-query

npm i https://pkg.pr.new/@orpc/react-query@1500

@orpc/experimental-react-swr

npm i https://pkg.pr.new/@orpc/experimental-react-swr@1500

@orpc/server

npm i https://pkg.pr.new/@orpc/server@1500

@orpc/shared

npm i https://pkg.pr.new/@orpc/shared@1500

@orpc/solid-query

npm i https://pkg.pr.new/@orpc/solid-query@1500

@orpc/standard-server

npm i https://pkg.pr.new/@orpc/standard-server@1500

@orpc/standard-server-aws-lambda

npm i https://pkg.pr.new/@orpc/standard-server-aws-lambda@1500

@orpc/standard-server-fastify

npm i https://pkg.pr.new/@orpc/standard-server-fastify@1500

@orpc/standard-server-fetch

npm i https://pkg.pr.new/@orpc/standard-server-fetch@1500

@orpc/standard-server-node

npm i https://pkg.pr.new/@orpc/standard-server-node@1500

@orpc/standard-server-peer

npm i https://pkg.pr.new/@orpc/standard-server-peer@1500

@orpc/svelte-query

npm i https://pkg.pr.new/@orpc/svelte-query@1500

@orpc/tanstack-query

npm i https://pkg.pr.new/@orpc/tanstack-query@1500

@orpc/trpc

npm i https://pkg.pr.new/@orpc/trpc@1500

@orpc/valibot

npm i https://pkg.pr.new/@orpc/valibot@1500

@orpc/vue-colada

npm i https://pkg.pr.new/@orpc/vue-colada@1500

@orpc/vue-query

npm i https://pkg.pr.new/@orpc/vue-query@1500

@orpc/zod

npm i https://pkg.pr.new/@orpc/zod@1500

commit: 8d1caaf

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!