[BUG] File uploads with name as path fixed

[knrt10]

Closes #12723

When file was being uploaded, problem was

fileUrl = `/file-upload/${ file._id }/${ encodeURI(file.name) }`;

was taking file name too. And when router was listening to

WebApp.connectHandlers.use('/file-upload/', then path type file names like ../, .., ../../bla etc were not rendered, which was a problem, as only fileID was needed so fileName is removed from fileUrl

[knrt10]

@tassoevan @ggazzo would you please review

[lorek123]

Why are you even trying to accept filenames with ../? This will introduce path traversal vulnerability if not correctly handled.

[knrt10]

@lorek123 exactly. This PR solves that problem

[sampaiodiego]

I personally like having the file name on the download URL, don't you? it helps when sharing links..

I would the fix the file name (removing unwanted characters) in this case, instead of removing it from the URL.. what do you think?

[knrt10]

Hmm, let me try it that way.

[knrt10]

@sampaiodiego updated with file name in URL. Working now

[knrt10]

Also, I had to install path on both server and client because meteor-node-stubs was not working. It was not able to require path package on the client side

[knrt10]

@MarcosSpessatto updated the PR.

[rodrigok]

IMHO we should always use the file.name for the path, but then we should prevent filenames to be saved with path sections, almost like this solution but then we don't need to transform it at the client side and prevent adding this really old path library as well.