Merge pull request #2599 from overleaf/bg-fix-safepath-check

fix safepath check

GitOrigin-RevId: b5bb636d2bd958ab142fa94683ad9cf58369a77d

services/web/app/src/Features/Project/SafePath.js

@@ -89,8 +89,8 @@ prototype\
     isCleanFilename(filename) {
       return (
         SafePath.isAllowedLength(filename) &&
-        !BADCHAR_RX.test(filename) &&
-        !BADFILE_RX.test(filename)
+        !filename.match(BADCHAR_RX) &&
+        !filename.match(BADFILE_RX)
       )
     },
 

services/web/frontend/js/ide/directives/SafePath.js

@@ -86,8 +86,8 @@ prototype\
     isCleanFilename(filename) {
       return (
         SafePath.isAllowedLength(filename) &&
-        !BADCHAR_RX.test(filename) &&
-        !BADFILE_RX.test(filename)
+        !filename.match(BADCHAR_RX) &&
+        !filename.match(BADFILE_RX)
       )
     },
 

services/web/test/unit/src/Project/SafePathTests.js

@@ -112,6 +112,18 @@ describe('SafePath', function() {
       const result = this.SafePath.isCleanFilename('foo\\bar')
       return result.should.equal(false)
     })
+
+    it('should reject filenames regardless of order  (/g) for bad characters', function() {
+      const result1 = this.SafePath.isCleanFilename('foo*bar.tex') // * is not allowed
+      const result2 = this.SafePath.isCleanFilename('*foobar.tex') // bad char location is before previous match
+      return result1.should.equal(false) && result2.should.equal(false)
+    })
+
+    it('should reject filenames regardless of order (/g) for bad filenames', function() {
+      const result1 = this.SafePath.isCleanFilename('foo ') // trailing space
+      const result2 = this.SafePath.isCleanFilename(' foobar') // leading space, match location is before previous match
+      return result1.should.equal(false) && result2.should.equal(false)
+    })
   })
 
   describe('isCleanPath', function() {