fix(media): strip control and bidi characters from outbound filenames

masatohoshino · masatohoshino · commit 654cf20737f3 · 2026-04-27T17:06:40.000Z
Outbound media filenames flow from two untrusted sources into channel adapters
(Telegram, Discord, Matrix, WhatsApp): HTTP `Content-Disposition` headers
parsed in `fetchRemoteMedia`, and URL pathnames extracted in
`loadWebMediaInternal`. Both paths previously called `path.basename(...)`
with no further sanitization, leaving C0/C1 control bytes, zero-width joiners,
and bidi formatting characters in the filename that downstream channels
forwarded verbatim.

This adds a `stripFilenameControlChars` helper in `src/media/outbound-filename.ts`
that removes the union of those invisible ranges (U+0000-U+001F, U+007F-U+009F,
U+200B-U+200D, U+202A-U+202E, U+2066-U+2069, U+FEFF) and applies it at the two
root extraction sites. All other Unicode is preserved, so legitimate Japanese,
Cyrillic, Arabic, etc. filenames pass through unchanged. Defense-in-depth: the
operating systems on the receiving end already enforce the real extension via
content sniffing, so this only closes the visual-display gap.

The new file is named to avoid colliding with the three existing
`sanitize{File,Filename}` helpers in `store.ts`, `file-context.ts`, and
`server.ts`, each of which has a different purpose (cross-platform path
safety, LLM prompt attribute escaping, HTTP header attachment escaping).
diff --git a/src/media/fetch.test.ts b/src/media/fetch.test.ts
@@ -320,4 +320,28 @@ describe("fetchRemoteMedia", () => {
       }),
     );
   });
+
+  it("strips invisible / bidi characters from Content-Disposition filenames", async () => {
+    // Headers can only carry ByteString values, so the bidi RLO (U+202E) and
+    // zero-width space (U+200B) ride in via the RFC 5987 `filename*` form as
+    // UTF-8 percent-escapes (%E2%80%AE / %E2%80%8B).
+    const fetchImpl = vi.fn(
+      async () =>
+        new Response(makeStream([new Uint8Array([1, 2, 3])]), {
+          status: 200,
+          headers: {
+            "content-disposition": "attachment; filename*=UTF-8''report%E2%80%AEgpj%E2%80%8B.exe",
+          },
+        }),
+    );
+
+    const result = await fetchRemoteMedia({
+      url: "https://example.com/file.bin",
+      fetchImpl,
+      lookupFn: makeLookupFn(),
+      maxBytes: 1024,
+    });
+
+    expect(result.fileName).toBe("reportgpj.exe");
+  });
 });
diff --git a/src/media/fetch.ts b/src/media/fetch.ts
@@ -8,6 +8,7 @@ import {
 import type { LookupFn, PinnedDispatcherPolicy, SsrFPolicy } from "../infra/net/ssrf.js";
 import { redactSensitiveText } from "../logging/redact.js";
 import { detectMime, extensionForMime } from "./mime.js";
+import { stripFilenameControlChars } from "./outbound-filename.js";
 import { readResponseTextSnippet, readResponseWithLimit } from "./read-response-with-limit.js";
 
 type FetchMediaResult = {
@@ -69,14 +70,14 @@ function parseContentDispositionFileName(header?: string | null): string | undef
     const cleaned = stripQuotes(starMatch[1].trim());
     const encoded = cleaned.split("''").slice(1).join("''") || cleaned;
     try {
-      return path.basename(decodeURIComponent(encoded));
+      return stripFilenameControlChars(path.basename(decodeURIComponent(encoded)));
     } catch {
-      return path.basename(encoded);
+      return stripFilenameControlChars(path.basename(encoded));
     }
   }
   const match = /filename\s*=\s*([^;]+)/i.exec(header);
   if (match?.[1]) {
-    return path.basename(stripQuotes(match[1].trim()));
+    return stripFilenameControlChars(path.basename(stripQuotes(match[1].trim())));
   }
   return undefined;
 }
diff --git a/src/media/outbound-filename.test.ts b/src/media/outbound-filename.test.ts
@@ -0,0 +1,69 @@
+import { describe, expect, it } from "vitest";
+import { stripFilenameControlChars } from "./outbound-filename.js";
+
+const c = (code: number): string => String.fromCharCode(code);
+
+describe("stripFilenameControlChars", () => {
+  it("returns plain ASCII filenames unchanged", () => {
+    expect(stripFilenameControlChars("report.pdf")).toBe("report.pdf");
+    expect(stripFilenameControlChars("a.b-c_d.tar.gz")).toBe("a.b-c_d.tar.gz");
+  });
+
+  it("preserves non-ASCII letters and digits", () => {
+    expect(stripFilenameControlChars("日本語_2025.pdf")).toBe("日本語_2025.pdf");
+    expect(stripFilenameControlChars("отчет.docx")).toBe("отчет.docx");
+    expect(stripFilenameControlChars("ملف.pdf")).toBe("ملف.pdf");
+  });
+
+  it.each([
+    { name: "C0 control NUL", code: 0x0000 },
+    { name: "C0 control TAB", code: 0x0009 },
+    { name: "C0 control LF", code: 0x000a },
+    { name: "C0 control CR", code: 0x000d },
+    { name: "C0 control US", code: 0x001f },
+    { name: "DEL", code: 0x007f },
+    { name: "C1 control PAD", code: 0x0080 },
+    { name: "C1 control APC", code: 0x009f },
+    { name: "ZWSP", code: 0x200b },
+    { name: "ZWNJ", code: 0x200c },
+    { name: "ZWJ", code: 0x200d },
+    { name: "LRE", code: 0x202a },
+    { name: "RLE", code: 0x202b },
+    { name: "PDF", code: 0x202c },
+    { name: "LRO", code: 0x202d },
+    { name: "RLO", code: 0x202e },
+    { name: "LRI", code: 0x2066 },
+    { name: "RLI", code: 0x2067 },
+    { name: "FSI", code: 0x2068 },
+    { name: "PDI", code: 0x2069 },
+    { name: "BOM / ZWNBSP", code: 0xfeff },
+  ] as const)("strips $name", ({ code }) => {
+    const input = `pre${c(code)}post.txt`;
+    expect(stripFilenameControlChars(input)).toBe("prepost.txt");
+  });
+
+  it("collapses bidi-spoofed extensions to their visible byte order", () => {
+    // "report" + RLO + "gpj.exe" displays as "reportexe.jpg" on bidi-aware
+    // clients but the underlying bytes end in .exe. After stripping RLO the
+    // visible name matches the bytes.
+    const input = `report${c(0x202e)}gpj.exe`;
+    expect(stripFilenameControlChars(input)).toBe("reportgpj.exe");
+  });
+
+  it("returns an empty string when every character is stripped", () => {
+    const allControl = `${c(0x0000)}${c(0x202e)}${c(0xfeff)}${c(0x200b)}`;
+    expect(stripFilenameControlChars(allControl)).toBe("");
+  });
+
+  it("returns an empty string for empty input", () => {
+    expect(stripFilenameControlChars("")).toBe("");
+  });
+
+  it("leaves printable Unicode outside the strip ranges intact", () => {
+    // U+200E (LRM), U+200F (RLM), and U+202F (NARROW NO-BREAK SPACE) sit
+    // just outside the strip ranges; preserve them so this helper does not
+    // silently drift into broader filename normalization.
+    const input = `a${c(0x200e)}b${c(0x200f)}c${c(0x202f)}d`;
+    expect(stripFilenameControlChars(input)).toBe(input);
+  });
+});
diff --git a/src/media/outbound-filename.ts b/src/media/outbound-filename.ts
@@ -0,0 +1,13 @@
+// Strips invisible / formatting characters from filenames carried over
+// untrusted boundaries (HTTP Content-Disposition, URL pathname). The pattern
+// is built via the RegExp constructor so the source file stays plain ASCII.
+//   - C0/C1 control: U+0000-U+001F, U+007F-U+009F
+//   - Zero-width:    U+200B-U+200D, U+FEFF
+//   - Bidi format:   U+202A-U+202E, U+2066-U+2069
+const FILENAME_INVISIBLE_CONTROL_PATTERN =
+  "[\\u0000-\\u001F\\u007F-\\u009F\\u200B-\\u200D\\u202A-\\u202E\\u2066-\\u2069\\uFEFF]";
+const FILENAME_INVISIBLE_CONTROL_RE = new RegExp(FILENAME_INVISIBLE_CONTROL_PATTERN, "g");
+
+export function stripFilenameControlChars(value: string): string {
+  return value.replace(FILENAME_INVISIBLE_CONTROL_RE, "");
+}
diff --git a/src/media/web-media.ts b/src/media/web-media.ts
@@ -28,6 +28,7 @@ import {
   mimeTypeFromFilePath,
   normalizeMimeType,
 } from "./mime.js";
+import { stripFilenameControlChars } from "./outbound-filename.js";
 
 export { getDefaultLocalRoots, LocalMediaAccessError };
 export type { LocalMediaAccessErrorCode };
@@ -552,7 +553,7 @@ async function loadWebMediaInternal(
       buffer: data,
     });
   }
-  let fileName = path.basename(mediaUrl) || undefined;
+  let fileName = stripFilenameControlChars(path.basename(mediaUrl)) || undefined;
   if (fileName && !path.extname(fileName) && mime) {
     const ext = extensionForMime(mime);
     if (ext) {

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import {`
`8`	`8`	`import type { LookupFn, PinnedDispatcherPolicy, SsrFPolicy } from "../infra/net/ssrf.js";`
`9`	`9`	`import { redactSensitiveText } from "../logging/redact.js";`
`10`	`10`	`import { detectMime, extensionForMime } from "./mime.js";`
	`11`	`+import { stripFilenameControlChars } from "./outbound-filename.js";`
`11`	`12`	`import { readResponseTextSnippet, readResponseWithLimit } from "./read-response-with-limit.js";`
`12`	`13`
`13`	`14`	`type FetchMediaResult = {`
`@@ -69,14 +70,14 @@ function parseContentDispositionFileName(header?: string \| null): string \| undef`
`69`	`70`	`const cleaned = stripQuotes(starMatch[1].trim());`
`70`	`71`	`const encoded = cleaned.split("''").slice(1).join("''") \|\| cleaned;`
`71`	`72`	`try {`
`72`		`- return path.basename(decodeURIComponent(encoded));`
	`73`	`+ return stripFilenameControlChars(path.basename(decodeURIComponent(encoded)));`
`73`	`74`	`} catch {`
`74`		`- return path.basename(encoded);`
	`75`	`+ return stripFilenameControlChars(path.basename(encoded));`
`75`	`76`	`}`
`76`	`77`	`}`
`77`	`78`	`const match = /filename\s=\s([^;]+)/i.exec(header);`
`78`	`79`	`if (match?.[1]) {`
`79`		`- return path.basename(stripQuotes(match[1].trim()));`
	`80`	`+ return stripFilenameControlChars(path.basename(stripQuotes(match[1].trim())));`
`80`	`81`	`}`
`81`	`82`	`return undefined;`
`82`	`83`	`}`