Managed Files: Sanitized file name before downloading (#12406)

Maffooch · web-flow · commit bec9e0db5f1a · 2025-05-09T15:13:15.000-05:00
diff --git a/dojo/utils.py b/dojo/utils.py
@@ -2629,9 +2629,11 @@ def generate_file_response(file_object: FileUpload) -> FileResponse:
         raise TypeError(msg)
     # Determine the path of the file on disk within the MEDIA_ROOT
     file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
+    # Clean the title by removing some problematic characters
+    cleaned_file_name = re.sub(r'[<>:"/\\|?*`=\'&%#;]', "-", file_object.title)
 
     return generate_file_response_from_file_path(
-        file_path, file_name=file_object.title, file_size=file_object.file.size,
+        file_path, file_name=cleaned_file_name, file_size=file_object.file.size,
     )
 
 
diff --git a/unittests/test_rest_framework.py b/unittests/test_rest_framework.py
@@ -2,6 +2,7 @@
 import json
 import logging
 import pathlib
+import re
 from collections import OrderedDict
 from enum import Enum
 from json import dumps
@@ -1141,6 +1142,31 @@ def test_request_response_get(self):
             response = self.client.get(f"/api/v2/{level}/files/")
             self.assertEqual(200, response.status_code)
 
+    def test_file_with_quoted_name(self):
+        level = "findings/7"
+        with (get_unit_tests_scans_path("acunetix") / "one_finding.xml").open(encoding="utf-8") as testfile:
+            # Create a new file first
+            payload = {
+                "title": 'A file "title" with Quotes & other bad chars #broken',
+                "file": testfile,
+            }
+            response = self.client.post(f"/api/v2/{level}/files/", payload)
+            self.assertEqual(201, response.status_code, response.data)
+            file_id = response.data.get("id")
+
+        # Download the file and ensure the content is accurate
+        response = self.client.get(f"/api/v2/{level}/files/download/{file_id}/")
+        downloaded_file = b"".join(response.streaming_content).decode().replace("\\n", "\n")
+        file_data = (get_unit_tests_scans_path("acunetix") / "one_finding.xml").read_text(encoding="utf-8")
+        self.assertEqual(file_data, downloaded_file)
+        # Check the name of the file is correct
+        if (match := re.search(r'filename="?(?P<filename>[^";]+)"?', response.get("Content-Disposition"))):
+            filename = match.group("filename")
+            self.assertEqual(filename, "A file -title- with Quotes - other bad chars -broken.xml")
+        else:
+            msg = "Content-Disposition header must contain the filename parameter"
+            raise NotImplementedError(msg)
+
 
 class FindingsTest(BaseClass.BaseClassTest):
     fixtures = ["dojo_testdata.json"]
