All filenames should only include [a-zA-Z0-9] and -_..
We need a CI enforcement for this. I think we can enforce this globally on this repo as the easiest way of achieving it.
(cc @ErikSchierboom @SaschaMann as candidates for GHA magic :))
Could be combined with #1369.
One can more or less copy this step from the file size check and replace the if condition with some regex check that the $FILE only contains those characters.
I know you mentioned it before, but I don't know where: what's the reason for this restriction again?
Mitigating things like directory traversal attacks. As the files are written to the OS with the names they are submitted with, we need to limit characters to protect us from a range of attacks. Ideally we'd not allow user-input to be written to the OS, but we don't really have a choice as files' contents can be (and are in many languages) tightly coupled to their names.
Most helpful comment
Mitigating things like directory traversal attacks. As the files are written to the OS with the names they are submitted with, we need to limit characters to protect us from a range of attacks. Ideally we'd not allow user-input to be written to the OS, but we don't really have a choice as files' contents can be (and are in many languages) tightly coupled to their names.