From 6df0f5e6df390ae054b2f083a0da99faa227e119 Mon Sep 17 00:00:00 2001
From: Afonso Coutinho
Date: Wed, 3 Jun 2026 00:35:47 +0100
Subject: [PATCH] fix: _sanitize_export_filename crashes on a non-string session name (#1607)
---
 routes/session_routes.py | 2 +-
 tests/test_session_export_filename.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_session_export_filename.py
diff --git a/routes/session_routes.py b/routes/session_routes.py
index 546b737..9b84334 100644
--- a/routes/session_routes.py
+++ b/routes/session_routes.py
@@ -16,7 +16,7 @@ from src.auth_helpers import get_current_user, effective_user
 def _sanitize_export_filename(name: str) -> str:
 """Return a conservative filename safe for Content-Disposition."""
- name = name or ""
+ name = name if isinstance(name, str) else ""
 name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
 return name[:128]
diff --git a/tests/test_session_export_filename.py b/tests/test_session_export_filename.py
new file mode 100644
index 0000000..a0d96a6
--- /dev/null
+++ b/tests/test_session_export_filename.py
@@ -0,0 +1,15 @@
+"""Regression: _sanitize_export_filename must tolerate a non-string name.
+
+It did `name = name or ""` then `re.sub(..., name)`. A non-string name (e.g. an
+int session name) is truthy, so re.sub raised TypeError. Coerce non-strings.
+"""
+from routes.session_routes import _sanitize_export_filename
+
+
+def test_non_string_name_does_not_crash():
+ assert _sanitize_export_filename(12345) == ""
+ assert _sanitize_export_filename(None) == ""
+
+
+def test_valid_name_sanitized():
+ assert _sanitize_export_filename("a/b?c.txt") == "a_b_c.txt"
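Review bot: After the new `isinstance` guard, `_sanitize_export_filename` returns `""` for any non-string name, yet the signature still reads `name: str` and the docstring does not mention the empty result. The call site is outside this hunk, so it is worth confirming that it substitutes a default before building Content-Disposition; otherwise the header carries an empty filename. The unchanged character class also passes dot-only names such as `..` through as-is, which `name = name.lstrip(".")` before the length cap would close off. For the contract itself I would widen the annotation to `name: object` and add `Non-string input yields an empty name.` to the docstring.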
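Review bot: The module docstring ends with "Coerce non-strings", but the assertions pin that a non-string name is discarded (`12345` becomes `""`, not `"12345"`), so the wording should say so, e.g. `Non-strings are replaced with an empty name.`. The file also leaves the two security-relevant properties of the sanitizer untested: the 128-character cap and path-like input. Adding `assert len(_sanitize_export_filename("a" * 200)) == 128` and `assert _sanitize_export_filename("../x") == ".._x"` to `test_valid_name_sanitized` would pin both.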