fix(storage): sanitize file.originalname before use in storage path

[aaniya22]

Closes #261

Problem

In uploadFile, file.originalname was only having spaces replaced
with underscores before being used in the Supabase storage path. Characters
like ../, null bytes (%00), and Unicode directory separators were not
stripped, allowing path injection via a crafted filename.

Fix

Replaced the single space-strip with a three-step sanitization:

1. Strip any character that is not alphanumeric, ., -, or _
2. Collapse consecutive dots to prevent .. traversal sequences
3. Truncate to 100 characters to prevent oversized path segments

Changes

• apps/public-api/src/controllers/storage.controller.js: updated
  safeName construction in uploadFile

Summary by CodeRabbit

• Bug Fixes
  • Improved file name sanitization during uploads to prevent issues with special characters and ensure consistent naming conventions.

[coderabbitai]

Ready to act? Review this PR in Change Stack to turn feedback into patch suggestions you can inspect and refine.

Warning

Review limit reached

@aaniya22, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 50 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 09c8ae60-fbf1-4b40-b85c-70aa76bf0591

📥 Commits

Reviewing files that changed from the base of the PR and between 0e33648 and 4251806.

📒 Files selected for processing (2)

• apps/public-api/src/__tests__/storage.controller.test.js
• apps/public-api/src/controllers/storage.controller.js

📝 Walkthrough

Walkthrough

The storage controller's uploadFile function hardens filename sanitization by replacing the simple whitespace-only normalization with a comprehensive allowlist-based sanitizer that strips path injection characters, collapses repeated dots, and enforces a maximum filename length before constructing storage paths.

Changes

File Upload Filename Sanitization

Layer / File(s)	Summary
Stricter filename sanitization in uploadFile apps/public-api/src/controllers/storage.controller.js	The safeName derivation now enforces an alphanumeric-plus-dot-hyphen-underscore allowlist, collapses repeated dots, and truncates to 100 characters before composing the filePath sent to storage, closing a path injection surface.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A fluffy fix for files so bright,
Strips path injection left and right,
../ schemes now fade away,
Thumper's uploads here to stay! 🐰📁

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: sanitizing file.originalname before using it in storage paths, directly addressing the security fix.
Linked Issues check	✅ Passed	The code changes implement all three sanitization steps required by issue #261: removing non-alphanumeric characters, collapsing consecutive dots, and truncating to 100 characters.
Out of Scope Changes check	✅ Passed	All changes are directly related to sanitizing file.originalname in the uploadFile function as specified in issue #261; no out-of-scope modifications present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/public-api/src/controllers/storage.controller.js`:
- Around line 132-135: The sanitization at lines where safeName is computed is
more robust than the one used in the presigned upload-request path; factor the
logic into a shared helper (e.g., normalizeFilename or sanitizeFilename) that
applies the same transformations (replace non [a-zA-Z0-9._-] with "_", collapse
multiple dots, truncate to 100 chars, etc.) and call this helper wherever
filenames are accepted (the code that computes safeName and the presigned
upload-request handler that currently does simple whitespace replacement) so
both upload flows produce identical, safe object keys.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a8746636-197c-481f-9f2d-00d1d0e2e4d5

📥 Commits

Reviewing files that changed from the base of the PR and between b40bd78 and 0e33648.

📒 Files selected for processing (1)

• apps/public-api/src/controllers/storage.controller.js

[yash-pouranik]

@Nitin-kumar-yadav1307
LGTM

[yash-pouranik]

Thank you for the PR
@aaniya22
Hope to see more contributions from u
Please star the Repo.