To fix the problem, we need to validate and sanitize the user input before using it to construct a file path. We can use the ActiveStorage::Filename#sanitized method in Rails to ensure that the file name is safe to use. This method will remove any potentially dangerous characters from the file name.
In the EventsController, sanitize the params[:file] before passing it to the CsvExhibitImport service.
Update the CsvExhibitImport service to handle the sanitized file name.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Fixes https://github.com/thoherr/brickevent/security/code-scanning/8
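The fix described above, as an added example that is not the brickevent project's own code: the transformation that ActiveStorage::Filename#sanitized applies is reimplemented here so the snippet runs without Rails, and the import directory path and helper names are assumptions. Because sanitization only replaces separators (a bare ".." survives it), the helper also checks that the resolved path stays inside the import directory before using it.

```ruby
# Assumed import directory; the real project path is not on the page.
IMPORT_DIR = "/var/app/imports"

# Same transformation as ActiveStorage::Filename#sanitized (Rails source):
# re-encode as UTF-8, strip whitespace, then replace path separators,
# control characters and a few shell/URL-significant characters with "-".
def sanitize_filename(name)
  name.to_s
      .encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "\u{FFFD}")
      .strip
      .tr("\u{202E}%$|:;/\t\r\n\\", "-")
end

# Builds the absolute path for a user-supplied file name (e.g. params[:file])
# and refuses anything that resolves outside IMPORT_DIR. Sanitization turns
# "../../etc/passwd" into a harmless name, but ".." on its own still resolves
# to the parent directory, which the containment check below catches.
def safe_import_path(user_supplied, base: IMPORT_DIR)
  sanitized = sanitize_filename(user_supplied)
  raise ArgumentError, "empty file name" if sanitized.empty?

  base_dir  = File.expand_path(base)
  candidate = File.expand_path(File.join(base_dir, sanitized))
  unless candidate.start_with?(base_dir + File::SEPARATOR)
    raise ArgumentError, "file name resolves outside #{base_dir}"
  end
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one normal upload name, one traversal-style name.
  puts safe_import_path("exhibits.csv")       # /var/app/imports/exhibits.csv
  puts safe_import_path("../../etc/passwd")   # /var/app/imports/..-..-etc-passwd
end
```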