[PR #20315] [MERGED] Fixes #20236: Improve file naming and upload handling #15886

Closed · opened 2025-12-30 00:24:36 +01:00 by adam (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netbox-community/netbox/pull/20315
Author: @pheus
Created: 9/10/2025
Status: Merged
Merged: 9/13/2025
Merged by: @jnovinger

Base: main ← Head: 20236-sanitize-image-attachment-name

📝 Commits (1)

  • 615cad3 fix(extras): Improve file naming and upload handling

📊 Changes

4 files changed (+273 additions, -22 deletions)

📝 netbox/extras/models/models.py (+4 -2)
📝 netbox/extras/tests/test_models.py (+85 -7)
📝 netbox/extras/tests/test_utils.py (+142 -1)
📝 netbox/extras/utils.py (+42 -12)

📄 Description

Fixes: #20236

Summary
Silently normalize the on‑disk filename derived from image attachments to prevent nested directories and path traversal, while preserving the user‑entered name in the database/UI unchanged.

What’s changed

  • In upload_to:
    • Normalize browser paths (e.g. C:\fakepath\photo.jpg) and extract the real uploaded extension.
    • Use the user‑entered name when present; sanitize via Django’s filename utility.
    • Prefix with {object_type.model}_{object_id} and validate the final relative path with validate_file_name(..., allow_relative_path=True).
    • Preserve only known image extensions (bmp, gif, jpeg, jpg, png, webp); otherwise save without an extension.
  • (Hardening) Guard filename parsing to avoid IndexError if older files don’t follow the expected underscore pattern.

Behavior before

  • Supplying slashes in the name could create subdirectories and trigger IndexError in code that assumes a fixed filename layout.

Behavior after

  • Files are always stored under image-attachments/ with a flat, safe basename.
  • The value shown/stored in the name field is not altered; only the on‑disk filename is normalized.

Notes for reviewers

  • This follows the maintainer guidance to silently normalize rather than reject slashes.
  • No user‑visible changes to the name field or forms.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
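The normalization the description outlines, written out as an added Python example. This is not NetBox's `upload_to` and not Django's code: `get_valid_filename` and `validate_file_name` below are stand-ins assumed to follow the rules of the Django helpers of the same names, so the example runs without Django; the `image` fallback stem, the removal of an extension the user typed into the name, and the `display_filename` guard for legacy files are this example's own assumptions, as are the sample inputs in the usage block.

```python
import os
import pathlib
import re

# Extensions the PR description lists as the only ones preserved on disk.
IMAGE_EXTENSIONS = {"bmp", "gif", "jpeg", "jpg", "png", "webp"}
UPLOAD_ROOT = "image-attachments/"


def get_valid_filename(name: str) -> str:
    """Stand-in for django.utils.text.get_valid_filename (assumed to match its rules):
    strip, turn spaces into underscores, drop anything but word chars, '-' and '.'."""
    s = str(name).strip().replace(" ", "_")
    s = re.sub(r"(?u)[^-\w.]", "", s)
    if s in {"", ".", ".."}:
        raise ValueError(f"Could not derive file name from {name!r}")
    return s


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Stand-in for django.core.files.utils.validate_file_name (assumed to match):
    rejects absolute paths and '..' components, or any path element at all when
    relative paths are not allowed."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise ValueError(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise ValueError(f"Detected path traversal attempt in {name!r}")
    elif name != os.path.basename(name):
        raise ValueError(f"File name {name!r} includes path elements")
    return name


def is_safe_relative_path(name: str) -> bool:
    """True if validate_file_name(..., allow_relative_path=True) accepts the name."""
    try:
        validate_file_name(name, allow_relative_path=True)
        return True
    except ValueError:
        return False


def _safe_stem(*candidates: str) -> str:
    """First candidate that sanitizes to a usable stem; 'image' is this example's
    constructed fallback when none does (e.g. a name that is only '../')."""
    for candidate in candidates:
        try:
            return get_valid_filename(candidate)
        except ValueError:
            continue
    return "image"


def image_upload_to(object_type_model: str, object_id: int,
                    user_name: str, uploaded_filename: str) -> str:
    """Compute the on-disk path for an image attachment; user_name is never modified.

    Follows the steps in the PR description; dropping an extension the user typed
    into the name is this example's own choice."""
    # Browser paths such as C:\fakepath\photo.jpg: keep only the last component.
    original = uploaded_filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem_part, dot, ext_part = original.rpartition(".")
    original_stem, extension = (stem_part, ext_part.lower()) if dot else (original, "")
    # Prefer the user-entered name; fall back to the uploaded file's stem.
    base = user_name.strip() if user_name else ""
    if not base:
        base = original_stem
    # Avoid "photo.jpg.jpg" when the user already typed the same extension.
    if extension and base.lower().endswith("." + extension):
        base = base[: -(len(extension) + 1)]
    stem = _safe_stem(base, original_stem)
    filename = f"{object_type_model}_{object_id}_{stem}"
    # Preserve only known image extensions; otherwise store without one.
    if extension in IMAGE_EXTENSIONS:
        filename = f"{filename}.{extension}"
    # Final check: a single flat component under the upload root, no traversal.
    return validate_file_name(UPLOAD_ROOT + filename, allow_relative_path=True)


def display_filename(stored_name: str) -> str:
    """Derive a display name from the stored path, guarding the '{model}_{id}_{name}'
    split so legacy files that lack that pattern do not raise IndexError."""
    basename = stored_name.rsplit("/", 1)[-1]
    parts = basename.split("_", 2)
    return parts[2] if len(parts) == 3 else basename


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    print(image_upload_to("device", 42, "Front view", "C:\\fakepath\\photo.jpg"))
    print(image_upload_to("device", 42, "../../etc/passwd", "x.png"))
    print(image_upload_to("site", 7, "", "diagram.svg"))
    print(display_filename("image-attachments/oddname.jpg"))
```

Note that sanitizing the user-entered name with `get_valid_filename` alone already removes every path separator, so the later `validate_file_name(..., allow_relative_path=True)` call is a belt-and-braces check on the assembled path rather than the only line of defence; keeping both means a future change to the prefix or the root cannot silently reintroduce a nested directory.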

adam added the pull-request label 2025-12-30 00:24:36 +01:00
adam closed this issue 2025-12-30 00:24:36 +01:00
Reference: starred/netbox#15886