From 16982ce51f22732ac17f7c2799b9597f831b7621 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Igor=20Spasic=CC=81?= Date: Thu, 29 Aug 2024 22:17:56 +0200 Subject: [PATCH] Sanitize file names for storing attachments (fixes #19) --- src/main/java/jodd/mail/EmailAttachmentBuilder.java | 7 ++++--- src/main/java/jodd/mail/EmailUtil.java | 4 ++++ src/main/java/jodd/mail/ImapServer.java | 3 ++- src/main/java/jodd/mail/Pop3Server.java | 10 ++++++---- src/main/java/jodd/mail/ReceivedEmail.java | 5 +++-- src/test/java/jodd/mail/EmailUtilTest.java | 6 ++++++ 6 files changed, 25 insertions(+), 10 deletions(-) diff --git a/src/main/java/jodd/mail/EmailAttachmentBuilder.java b/src/main/java/jodd/mail/EmailAttachmentBuilder.java index f29e6c0..a22f6ed 100644 --- a/src/main/java/jodd/mail/EmailAttachmentBuilder.java +++ b/src/main/java/jodd/mail/EmailAttachmentBuilder.java @@ -25,18 +25,19 @@ package jodd.mail; +import jakarta.activation.DataSource; +import jakarta.activation.FileDataSource; import jakarta.mail.util.ByteArrayDataSource; import jodd.io.FileNameUtil; import jodd.io.FileUtil; import jodd.net.MimeTypes; -import jakarta.activation.DataSource; -import jakarta.activation.FileDataSource; import java.io.File; import java.io.IOException; import java.io.InputStream; import static jodd.mail.EmailUtil.NO_NAME; +import static jodd.mail.EmailUtil.sanitizeFileName; /** * Helper class for convenient {@link EmailAttachment} creation. @@ -229,7 +230,7 @@ public EmailAttachment buildFileDataSource(final String messageI if (dataSource instanceof FileDataSource) { fds = (FileDataSource) dataSource; } else { - final File file = new File(attachmentStorage, messageId); + final File file = new File(attachmentStorage, sanitizeFileName(messageId)); FileUtil.writeStream(file, dataSource.getInputStream()); fds = new FileDataSource(file); } diff --git a/src/main/java/jodd/mail/EmailUtil.java b/src/main/java/jodd/mail/EmailUtil.java index 5a27474..3d0fbbc 100644 
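Review bot: In `buildFileDataSource` the sanitized name becomes the storage file name with no check for an existing file, and the replacement is many-to-one: `<a@b>` and `<a_b>` both become `_a_b_`. If `FileUtil.writeStream` overwrites its target (not visible in this hunk), an attachment from one message could silently replace a stored attachment from another. Consider testing `file.exists()` before the write and failing or picking a fresh name, or at least note the collision risk in the method's Javadoc. The method starts outside the hunk, and its parameter is still named `messageId` although it now receives an attachment file name.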
--- a/src/main/java/jodd/mail/EmailUtil.java +++ b/src/main/java/jodd/mail/EmailUtil.java @@ -225,4 +225,8 @@ public static boolean isEmptyFlags(final Flags flags) { return true; } + public static String sanitizeFileName(final String fileName) { + return fileName.replaceAll("[^a-zA-Z0-9.-]", "_"); + } + } diff --git a/src/main/java/jodd/mail/ImapServer.java b/src/main/java/jodd/mail/ImapServer.java index e8df3a0..8ea0f59 100644 --- a/src/main/java/jodd/mail/ImapServer.java +++ b/src/main/java/jodd/mail/ImapServer.java @@ -92,7 +92,8 @@ public ReceiveMailSession createSession() { createSessionProperties(), authenticator, attachmentStorage, - debugConsumer); + debugConsumer + ); } } diff --git a/src/main/java/jodd/mail/Pop3Server.java b/src/main/java/jodd/mail/Pop3Server.java index d487cd7..71f0609 100644 --- a/src/main/java/jodd/mail/Pop3Server.java +++ b/src/main/java/jodd/mail/Pop3Server.java @@ -95,10 +95,12 @@ protected Store getStore(final Session session) throws NoSuchProviderException { @Override public ReceiveMailSession createSession() { return EmailUtil.createSession( - PROTOCOL_POP3, - createSessionProperties(), - authenticator, - attachmentStorage, debugConsumer); + PROTOCOL_POP3, + createSessionProperties(), + authenticator, + attachmentStorage, + debugConsumer + ); } } diff --git a/src/main/java/jodd/mail/ReceivedEmail.java b/src/main/java/jodd/mail/ReceivedEmail.java index d5a6adf..e114e66 100644 --- a/src/main/java/jodd/mail/ReceivedEmail.java +++ b/src/main/java/jodd/mail/ReceivedEmail.java @@ -44,7 +44,8 @@ import java.util.Date; import java.util.List; -import static jakarta.mail.Flags.*; +import static jakarta.mail.Flags.Flag; +import static jodd.mail.EmailUtil.sanitizeFileName; /** * Received email. 
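Review bot: `sanitizeFileName` keeps `.` in the allowed set, so the inputs `.` and `..` come back unchanged and an empty string stays empty; passed to `new File(attachmentStorage, name)`, those resolve to the storage directory or its parent instead of a file inside it. Path separators are replaced, so the gap is limited to those special names. Storing the result in a local `name` and adding `if (name.isEmpty() || name.equals(".") || name.equals("..")) return "_";` closes it. The method also dereferences `fileName` directly, so a null argument throws a NullPointerException, which matters for the call in `ReceivedEmail.addAttachment`. A Javadoc stating the allowed characters, the `_` replacement and that distinct inputs can map to the same output would help callers.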
@@ -444,7 +445,7 @@ private ReceivedEmail addAttachment(final Part part, final InputStream content, final EmailAttachmentBuilder builder = addAttachmentInfo(part); builder.content(content, part.getContentType()); if (attachmentStorage != null) { - String name = messageId + "-" + (this.attachments().size() + 1); + final String name = sanitizeFileName(messageId) + "-" + (this.attachments().size() + 1); return storeAttachment(builder.buildFileDataSource(name, attachmentStorage)); } return storeAttachment(builder.buildByteArrayDataSource()); diff --git a/src/test/java/jodd/mail/EmailUtilTest.java b/src/test/java/jodd/mail/EmailUtilTest.java index 49141ab..e78f61b 100644 --- a/src/test/java/jodd/mail/EmailUtilTest.java +++ b/src/test/java/jodd/mail/EmailUtilTest.java @@ -86,4 +86,10 @@ void testIsEmptyFlags() { assertTrue(EmailUtil.isEmptyFlags(flags)); } + @Test + void testSanitizeFileName() { + assertEquals("file.txt", EmailUtil.sanitizeFileName("file.txt")); + assertEquals("_6d0455f09ad249c897c0aa28a7ee3579_domain_", EmailUtil.sanitizeFileName("<6d0455f09ad249c897c0aa28a7ee3579@domain>")); + } + }
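Review bot: The new line in `addAttachment` calls `sanitizeFileName(messageId)`, which invokes `replaceAll` on its argument, whereas the old string concatenation tolerated a null `messageId` and produced `null-1`. If a received message can lack a Message-ID (not visible in this hunk), storing its attachments now fails with a NullPointerException. `final String name = sanitizeFileName(String.valueOf(messageId)) + "-" + (this.attachments().size() + 1);` keeps the previous behaviour. The name is sanitized again inside `buildFileDataSource`, so this call is redundant with the one at the sink. The rest of `addAttachment` lies outside the hunk.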
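Review bot: `testSanitizeFileName` pins only a clean name and one Message-ID, so nothing asserts the property the fix exists for: that path separators never survive sanitization. Add a case such as `assertEquals(".._.._etc_passwd", EmailUtil.sanitizeFileName("../../etc/passwd"));` and one containing a backslash. The edge inputs `..` and the empty string deserve assertions too, once their expected result is decided.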