From 78bce0e29df8b839bb4930fef08068254587d211 Mon Sep 17 00:00:00 2001
From: Philip Okugbe <16838612+Philipinho@users.noreply.github.com>
Date: Mon, 28 Jul 2025 18:17:06 +0100
Subject: [PATCH] fix: validate public avatar path (#1416)

---
 apps/server/src/core/attachment/attachment.controller.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/server/src/core/attachment/attachment.controller.ts b/apps/server/src/core/attachment/attachment.controller.ts
index 160d950b..6424174f 100644
--- a/apps/server/src/core/attachment/attachment.controller.ts
+++ b/apps/server/src/core/attachment/attachment.controller.ts
@@ -50,6 +50,7 @@ import { validate as isValidUUID } from 'uuid';
 import { EnvironmentService } from '../../integrations/environment/environment.service';
 import { TokenService } from '../auth/services/token.service';
 import { JwtAttachmentPayload, JwtType } from '../auth/dto/jwt-payload';
+import * as path from 'path';
 
 @Controller()
 export class AttachmentController {
@@ -356,6 +357,11 @@ export class AttachmentController {
       throw new BadRequestException('Invalid image attachment type');
     }
 
+    const filenameWithoutExt = path.basename(fileName, path.extname(fileName));
+    if (!isValidUUID(filenameWithoutExt)) {
+      throw new BadRequestException('Invalid file id');
+    }
+
     const filePath = `${getAttachmentFolderPath(attachmentType, workspace.id)}/${fileName}`;
 
     try {
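Review bot: The UUID check in the second hunk validates a value derived by `path.basename`, which strips any directory component, but `filePath` on the following context line is still built from the raw `fileName`; a name whose last segment is a UUID but that carries leading directory segments passes the check yet is interpolated unchanged into the path. Either build the path from the sanitised name or reject names that are not a bare basename, e.g. `if (path.basename(fileName) !== fileName) {` / `  throw new BadRequestException('Invalid file name');` / `}` placed before the UUID check. It would also help to note in a comment why the extension is stripped before validating (`// avatar files are stored as <uuid>.<ext>; only the id part is validated here`), since the extension itself is not checked in this hunk and I cannot see from here whether a caller constrains it. The enclosing method starts and ends outside the hunk.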