From b097cfcbc02c722b0110bb928781cf4144b9ca5d Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Wed, 25 Feb 2026 22:30:26 +0700
Subject: [PATCH] Clean file path names on file creation (#624)

---
 internal/db/gist.go | 18 ++++++++------
 internal/git/file.go | 19 +++++++++++++++
 internal/web/handlers/gist/create.go | 35 ++++++++++++++--------------
 3 files changed, 47 insertions(+), 25 deletions(-)
 create mode 100644 internal/git/file.go

diff --git a/internal/db/gist.go b/internal/db/gist.go
index 9b7bc19..2a62c69 100644
--- a/internal/db/gist.go
+++ b/internal/db/gist.go
@@ -720,13 +720,17 @@ func (gist *Gist) ToDTO() (*GistDTO, error) {
 // -- DTO -- //
 type GistDTO struct {
- Title string `validate:"max=250" form:"title"`
- Description string `validate:"max=1000" form:"description"`
- URL string `validate:"max=32,alphanumdashorempty" form:"url"`
- Files []FileDTO `validate:"min=1,dive"`
- Name []string `form:"name"`
- Content []string `form:"content"`
- Topics string `validate:"gisttopics" form:"topics"`
+ Title string `validate:"max=250" form:"title"`
+ Description string `validate:"max=1000" form:"description"`
+ URL string `validate:"max=32,alphanumdashorempty" form:"url"`
+ Files []FileDTO `validate:"min=1,dive"`
+ Name []string `form:"name"`
+ Content []string `form:"content"`
+ Topics string `validate:"gisttopics" form:"topics"`
+ UploadedFilesUUID []string `validate:"omitempty,dive,required,uuid" form:"uploadedfile_uuid"`
+ UploadedFilesNames []string `validate:"omitempty,dive,required" form:"uploadedfile_filename"`
+ BinaryFileOldName []string `form:"binary_old_name"`
+ BinaryFileNewName []string `form:"binary_new_name"`
 VisibilityDTO
 }
diff --git a/internal/git/file.go b/internal/git/file.go
new file mode 100644
index 0000000..22da66f
--- /dev/null
+++ b/internal/git/file.go
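Review bot: The four new fields form two index-aligned pairs (UploadedFilesUUID/UploadedFilesNames and BinaryFileOldName/BinaryFileNewName) that ProcessCreate only consumes when the lengths of each pair match, and nothing on the struct says so; a comment such as `// UploadedFilesUUID and UploadedFilesNames are index-aligned lists; ProcessCreate ignores both when their lengths differ.` (and the equivalent for the binary pair) would spare the next reader a trip into the handler. BinaryFileOldName is also the only new list with no validate tag, so empty old names reach the handler; if the old name is used as a lookup key for an existing entry, `validate:"omitempty,dive,required"` would reject them at validation time instead. Whether the dto is validated after Bind is not visible in this hunk.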
@@ -0,0 +1,19 @@
+package git
+
+import (
+ "path/filepath"
+ "strings"
+)
+
+func CleanTreePathName(s string) string {
+ name := filepath.Base(s)
+
+ if name == "." || name == ".." {
+ return ""
+ }
+
+ name = strings.ReplaceAll(name, "/", "")
+ name = strings.ReplaceAll(name, "\\", "")
+
+ return name
+}
diff --git a/internal/web/handlers/gist/create.go b/internal/web/handlers/gist/create.go
index 1082eab..26a8493 100644
--- a/internal/web/handlers/gist/create.go
+++ b/internal/web/handlers/gist/create.go
@@ -24,11 +24,6 @@ func Create(ctx *context.Context) error {
 func ProcessCreate(ctx *context.Context) error {
 isCreate := ctx.Request().URL.Path == "/"
- err := ctx.Request().ParseForm()
- if err != nil {
- return ctx.ErrorRes(400, ctx.Tr("error.bad-request"), err)
- }
-
 dto := new(db.GistDTO)
 var gist *db.Gist
@@ -39,25 +34,24 @@ func ProcessCreate(ctx *context.Context) error {
 ctx.SetData("htmlTitle", ctx.TrH("gist.edit.edit-gist", gist.Title))
 }
- if err := ctx.Bind(dto); err != nil {
+ err := ctx.Bind(dto)
+ if err != nil {
 return ctx.ErrorRes(400, ctx.Tr("error.cannot-bind-data"), err)
 }
 dto.Files = make([]db.FileDTO, 0)
- fileCounter := 0
- names := ctx.Request().PostForm["name"]
- contents := ctx.Request().PostForm["content"]
+ names := dto.Name
+ contents := dto.Content
 // Process files from text editors
 for i, content := range contents {
 if content == "" {
 continue
 }
- name := names[i]
+ name := git.CleanTreePathName(names[i])
 if name == "" {
- fileCounter += 1
- name = "gistfile" + strconv.Itoa(fileCounter) + ".txt"
+ name = "gistfile" + strconv.Itoa(len(dto.Files)+1) + ".txt"
 }
 escapedValue, err := url.PathUnescape(content)
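Review bot: The `.`/`..` check runs before the separator stripping, so on a non-Windows host an input of `..\` passes filepath.Base unchanged (a backslash is not a separator there), skips the check, and the backslash ReplaceAll then leaves `..` as the returned name; `/\..` and `.\` behave the same way. Move the two `strings.ReplaceAll` lines above the `if name == "." || name == ".."` check so the comparison sees the final value, and add `..\` and `/\..` to the test cases for this function. The exported function also lacks a doc comment; something like `// CleanTreePathName reduces s to a single path component with every slash and backslash removed, returning "" when nothing usable remains.` would state the contract callers rely on.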
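Review bot: `names[i]` still indexes the name list by the content list's position with no length check, so a request carrying more `content` values than `name` values panics at this line instead of producing a 400; the upload branch later in the file guards its pair with `len(fileUUIDs) == len(fileFilenames)`, and this loop should be as defensive, e.g. `name := ""` followed by `if i < len(names) { name = git.CleanTreePathName(names[i]) }`. Whether a recovery middleware turns that panic into an error response is not visible from the hunk. Separately, cleaning now maps distinct inputs such as `a/x.txt` and `b/x.txt` to the same name, and neither this loop nor the upload loop in the later hunk detects the duplicate; unless later code rejects repeated Filename values, a seen-set check belongs in both places. ProcessCreate continues past the end of this hunk.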
@@ -72,8 +66,8 @@ func ProcessCreate(ctx *context.Context) error {
 }
 // Process uploaded files from UUID arrays
- fileUUIDs := ctx.Request().PostForm["uploadedfile_uuid"]
- fileFilenames := ctx.Request().PostForm["uploadedfile_filename"]
+ fileUUIDs := dto.UploadedFilesUUID
+ fileFilenames := dto.UploadedFilesNames
 if len(fileUUIDs) == len(fileFilenames) {
 for i, fileUUID := range fileUUIDs {
 filePath := filepath.Join(filepath.Join(config.GetHomeDir(), "uploads"), fileUUID)
@@ -82,8 +76,13 @@ func ProcessCreate(ctx *context.Context) error {
 continue
 }
+ name := git.CleanTreePathName(fileFilenames[i])
+ if name == "" {
+ name = "gistfile" + strconv.Itoa(len(dto.Files)+1) + ".txt"
+ }
+
 dto.Files = append(dto.Files, db.FileDTO{
- Filename: fileFilenames[i],
+ Filename: name,
 SourcePath: filePath,
 Content: "", // Empty since we're using SourcePath
 })
@@ -91,11 +90,11 @@ func ProcessCreate(ctx *context.Context) error {
 }
 // Process binary file operations (edit mode)
- binaryOldNames := ctx.Request().PostForm["binary_old_name"]
- binaryNewNames := ctx.Request().PostForm["binary_new_name"]
+ binaryOldNames := dto.BinaryFileOldName
+ binaryNewNames := dto.BinaryFileNewName
 if len(binaryOldNames) == len(binaryNewNames) {
 for i, oldName := range binaryOldNames {
- newName := binaryNewNames[i]
+ newName := git.CleanTreePathName(binaryNewNames[i])
 if newName == "" {
 // deletion
 continue
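Review bot: `fileUUID` is still joined into a filesystem path on the last line of this hunk, and the only constraint on its value is the new `uuid` validate tag on UploadedFilesUUID, which protects this Join only if the dto is validated before this point — that call is not visible here. If validation does happen earlier, a comment such as `// fileUUID is restricted to UUID format by GistDTO validation; keep that tag if this Join stays` records the dependency; if it does not, a local guard like `if filepath.Base(fileUUID) != fileUUID { continue }` keeps the resulting path inside the uploads directory regardless of binding order. ProcessCreate continues past the end of this hunk.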