A few improvements for the save attachment workflow

Co-authored-by: Scott Nonnenberg <scott@signal.org>
This commit is contained in:
automated-signal
2026-04-13 11:56:53 -05:00
committed by GitHub
parent 6ad43c18ea
commit 75e6a77bdf
3 changed files with 22 additions and 3 deletions
+14 -2
View File
@@ -4121,7 +4121,13 @@ function saveAttachment(
return async dispatch => {
const { fileName = '' } = attachment;
const isDangerous = isFileDangerous(fileName);
const isDangerous = isFileDangerous(
fileName ||
Attachment.getSuggestedFilename({
attachment,
scenario: 'saving-locally',
})
);
if (isDangerous) {
dispatch({
@@ -4186,7 +4192,13 @@ function saveAttachments(
for (const attachment of attachments) {
const { fileName = '' } = attachment;
const isDangerous = isFileDangerous(fileName);
const isDangerous = isFileDangerous(
fileName ||
Attachment.getSuggestedFilename({
attachment,
scenario: 'saving-locally',
})
);
if (isDangerous) {
dispatch({
type: SHOW_TOAST,
@@ -49,6 +49,13 @@ describe('isFileDangerous', () => {
assert.strictEqual(isFileDangerous('install.pif\t\n\n\n '), true);
});
it('returns true for dangerous files that end in combination of . and whitespace', () => {
assert.strictEqual(isFileDangerous('run.exe . . .... '), true);
assert.strictEqual(isFileDangerous('install.pif .'), true);
assert.strictEqual(isFileDangerous('install.pif\t.\n . '), true);
assert.strictEqual(isFileDangerous('install.pif\t\n.\n\n .. .'), true);
});
it('returns false for empty filename', () => {
assert.strictEqual(isFileDangerous(''), false);
});
+1 -1
View File
@@ -2,7 +2,7 @@
// SPDX-License-Identifier: AGPL-3.0-only
const DANGEROUS_FILE_TYPES =
/\.(ADE|ADP|APK|BAT|CAB|CHM|CMD|COM|CPL|DIAGCAB|DLL|DMG|EXE|HTA|INF|INS|ISP|JAR|JS|JSE|LIB|LNK|MDE|MHT|MSC|MSI|MSP|MST|NSH|PIF|PS1|PSC1|PSM1|PSRC|REG|SCR|SCT|SETTINGCONTENT-MS|SHB|SYS|VB|VBE|VBS|VXD|WSC|WSF|WSH)(\.|\s+)?$/i;
/\.(ADE|ADP|APK|BAT|CAB|CHM|CMD|COM|CPL|DIAGCAB|DLL|DMG|EXE|HTA|INF|INS|ISP|JAR|JS|JSE|LIB|LNK|MDE|MHT|MSC|MSI|MSP|MST|NSH|PIF|PS1|PSC1|PSM1|PSRC|REG|SCR|SCT|SETTINGCONTENT-MS|SHB|SYS|VB|VBE|VBS|VXD|WSC|WSF|WSH)(\.|\s)*?$/i;
export function isFileDangerous(fileName: string): boolean {
return DANGEROUS_FILE_TYPES.test(fileName);