fix #345

internal/app/middleware.go

@@ -46,7 +46,7 @@ func (app *App) authMiddleware() gin.HandlerFunc {
 			c.Set(syncVersionKey, common.Sync10)
 		}
 
-		uid := common.Sanitize(strings.TrimPrefix(claims.Profile.UserID, "auth0|"))
+		uid := common.SanitizeUid(strings.TrimPrefix(claims.Profile.UserID, "auth0|"))
 		c.Set(userIDKey, uid)
 		c.Set(deviceIDKey, claims.DeviceID)
 		log.Infof("%s UserId: %s deviceId: %s newSync: %t", authLog, uid, claims.DeviceID, isSync15)

internal/common/common.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"hash/crc32"
 	"io"
+	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -55,6 +56,11 @@ func Sanitize(param string) string {
 	return nameSeparators.ReplaceAllString(param, "")
 }
 
+// SanitizeUid
+func SanitizeUid(uid string) string {
+	return filepath.Clean(filepath.Base(uid))
+}
+
 // QueryS sanitize the param
 func QueryS(param string, c *gin.Context) string {
 	p := c.Query(param)

internal/storage/fs/documents.go

@@ -37,7 +37,7 @@ func sanitizeFileName(fileName string) string {
 }
 
 func (fs *FileSystemStorage) getUserPath(uid string) string {
-	return filepath.Join(fs.Cfg.DataDir, filepath.Base(userDir), sanitizeFileName(uid))
+	return filepath.Join(fs.Cfg.DataDir, filepath.Base(userDir), common.SanitizeUid(uid))
 }
 
 // gets the blobstorage path

internal/ui/middleware.go

@@ -65,7 +65,7 @@ func (app *ReactAppWrapper) authMiddleware() gin.HandlerFunc {
 			}
 		}
 
-		uid := common.Sanitize(claims.UserID)
+		uid := common.SanitizeUid(claims.UserID)
 		c.Set(userIDContextKey, uid)
 
 		brid := claims.BrowserID