[Security/Medium]: Filename Sanitization Does Not Strip Control Characters #9126

@sulthonzh

Description

The sanitize_filename() function in apps/api/plane/utils/path_validator.py does not strip control characters (e.g., \t, \n, \r, \v, \f) from user-provided filenames. This function is used when generating S3 object keys for file uploads (user avatars, workspace logos, project covers, etc.).

Steps to Reproduce

  1. Send a POST request to /api/v2/workspace/:slug/asset-upload/ with a filename containing control characters:
    curl -X POST https://plane.so/api/v2/workspace/test/asset-upload/ \
      -H "Authorization: Bearer <token>" \
      -H "Content-Type: application/json" \
      -d {
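The report above says the sanitizer leaves control characters in place before the name is used to build a storage key. As an added illustration (not Plane's own code and not the function in path_validator.py), the block below shows a filename sanitizer that removes every Unicode "Cc" control character (ASCII 0x00-0x1F, DEL, and the C1 range), keeps only the basename, and falls back to a placeholder when nothing usable remains. The function names `has_control_chars`, `strip_control_chars` and the local `sanitize_filename` are assumptions for this example; the sample inputs are constructed.

```python
import re
import unicodedata

# Added example, not the project's implementation. It demonstrates one way a
# filename sanitizer can cover the control-character gap described in the issue.


def has_control_chars(name: str) -> bool:
    """Return True if any character is a Unicode control character (category Cc).

    Cc covers U+0000-U+001F (including \\t \\n \\r \\v \\f), U+007F (DEL)
    and the C1 controls U+0080-U+009F.
    """
    return any(unicodedata.category(ch) == "Cc" for ch in name)


def strip_control_chars(name: str) -> str:
    """Drop every Cc character rather than replacing it, so nothing from that
    range can survive into a storage key or a log line."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cc")


def sanitize_filename(name: str, max_len: int = 255) -> str:
    """Hypothetical sanitizer for a user-supplied upload name.

    Order matters: control characters are removed first so that a separator
    hidden behind a control character cannot slip past the basename step.
    """
    cleaned = strip_control_chars(name)
    # Keep only the last path component; normalise both separator styles.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    # Collapse remaining whitespace runs and trim the ends.
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    # No leading dots: avoids hidden-file names and "..".
    cleaned = cleaned.lstrip(".")
    if not cleaned:
        cleaned = "file"  # constructed fallback name
    return cleaned[:max_len]


if __name__ == "__main__":
    # Constructed sample inputs resembling the report's description.
    for raw in ("avatar\n.png", "logo\t\r\x00.svg", "\x85cover\x7f.jpg", "../../etc/passwd"):
        print(repr(raw), "->", repr(sanitize_filename(raw)))
```

A regression check for this class of bug is simply `has_control_chars(sanitize_filename(x))` being false for every `x` in a corpus of hostile names; the Cc category test is preferable to a hand-written list like `\t\n\r\v\f`, because that list misses NUL, DEL and the C1 controls.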
