Sanitize the filename.

CenturyLinkLabs · Apr 28, 2015 · f02c85d · f02c85d
1 parent c5fff84
commit f02c85d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/app/controllers/deployment_targets_controller.rb b/app/controllers/deployment_targets_controller.rb
@@ -32,12 +32,16 @@ def destroy
   def token
     target = DeploymentTarget.find(params[:id])
     send_data target.auth_blob,
-      filename: "#{target.name}.txt",
+      filename: "#{sanitize_filename(target.name)}.txt",
       type: 'text/plain'
   end
 
   private
 
+  def sanitize_filename(name)
+    name.gsub!(/[^0-9A-Za-z.\-]/, '_')
+  end
+
   def hydrate_index_view
     @deployment_targets = DeploymentTarget.all
     @job_templates_by_vendor = JobTemplate.all.group_by(&:vendor)

diff --git a/spec/controllers/deployment_targets_controller_spec.rb b/spec/controllers/deployment_targets_controller_spec.rb
@@ -16,15 +16,15 @@
   end
 
   describe 'GET #token' do
-    let(:fake_target) { double(:fake_target, auth_blob: 'blob', name: 'pro') }
+    let(:fake_target) { double(:fake_target, auth_blob: 'blob', name: 'prod! targ^0') }
     before do
       allow(DeploymentTarget).to receive(:find).with('7').and_return(fake_target)
     end
 
     it 'sends a file of the token' do
       expect(controller).to receive(:send_data).with(
         'blob',
-        filename: 'pro.txt',
+        filename: 'prod__targ_0.txt',
         type: 'text/plain'
       )
       get :token, id: 7