From e7e5121700b832b2673b957d92dc0111959ff32f Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Mon, 4 Mar 2024 16:38:47 -0600
Subject: [PATCH] fix for api calls with square bracket filenames
---
 app/api.rb | 20 ++++++++++++++------
 tests/api_tests.rb | 9 +++++++++
 tests/site_file_tests.rb | 8 +++++++-
 3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/app/api.rb b/app/api.rb
index 4eb04b62..8009a91e 100644
--- a/app/api.rb
+++ b/app/api.rb
@@ -41,15 +41,23 @@ get '/api/list' do
 api_success files: files
 end
+def extract_files(params, files = [])
+ params.each do |key, value|
+ # If the value is a Hash and contains a :tempfile key, it's considered an uploaded file.
+ if value.is_a?(Hash) && value.has_key?(:tempfile) && !value[:tempfile].nil?
+ files << {filename: value[:name], tempfile: value[:tempfile]}
+ elsif value.is_a?(Hash) || value.is_a?(Array)
+ # If the value is a Hash or Array, recursively search for more files.
+ extract_files(value, files)
+ end
+ end
+ files
+end
+
 post '/api/upload' do
 require_api_credentials
- files = []
- params.each do |k,v|
- next unless v.is_a?(Hash) && v[:tempfile]
- path = k.to_s
- files << {filename: k || v[:filename], tempfile: v[:tempfile]}
- end
+ files = extract_files params
 api_error 400, 'missing_files', 'you must provide files to upload' if files.empty?
diff --git a/tests/api_tests.rb b/tests/api_tests.rb
index 96feec60..af302ee1 100644
--- a/tests/api_tests.rb
+++ b/tests/api_tests.rb
@@ -308,6 +308,15 @@ describe 'api' do
 _(site_file_exists?('test.jpg')).must_equal true
 end
+ it 'succeeds with square bracket in filename' do
+ create_site
+ @site.generate_api_key!
+ header 'Authorization', "Bearer #{@site.api_key}"
+ post '/api/upload', 'te[s]t.jpg' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+ _(res[:result]).must_equal 'success'
+ _(site_file_exists?('te[s]t.jpg')).must_equal true
+ end
+
 it 'succeeds with valid user session' do
 create_site
 post '/api/upload', 
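Review bot: The Array branch of `extract_files` never finds a file: `params.each do |key, value|` on an Array yields each element as `key` and leaves `value` nil, so an upload nested inside an array (a `files[]`-style field, for instance) is skipped, and if it was the only file the route answers `missing_files`. Iterating values only fixes it: replace that line with `values = params.is_a?(Hash) ? params.values : params` followed by `values.each do |value|`. Separately, `filename` now comes from `value[:name]`, the raw client-supplied multipart field name rather than the parsed parameter key; the `post '/api/upload'` body continues outside the hunk, so confirm the name is still checked for path separators and `..` before it reaches the filesystem.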
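Review bot: The Array branch of `extract_files` has no coverage in this case: the bracketed field name `'te[s]t.jpg'` presumably reaches the helper as nested Hashes, so only the Hash recursion is exercised. A sibling case that posts the same fixture under an array-style field such as `'files[]'` and asserts the intended result would pin that path down. The following `it 'succeeds with valid user session'` block is cut off at the end of the hunk.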
diff --git a/tests/site_file_tests.rb b/tests/site_file_tests.rb
index e2f5b916..b450ec7f 100644
--- a/tests/site_file_tests.rb
+++ b/tests/site_file_tests.rb
@@ -53,7 +53,6 @@ describe 'site_files' do
 _(PurgeCacheWorker.jobs.collect {|p| p['args'].last}.sort).must_equal ["/notindex", "/notindex2"]
 end
-
 it 'renames in same path' do
 uploaded_file = Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
 upload 'files[]' => uploaded_file
@@ -433,6 +432,13 @@ describe 'site_files' do
 _(@site.site_changed).must_equal false
 end
+ it 'works with square bracket filename' do
+ uploaded_file = Rack::Test::UploadedFile.new('./tests/files/te[s]t.jpg', 'image/jpeg')
+ upload 'files[]' => uploaded_file
+ _(last_response.body).must_match /successfully uploaded/i
+ _(File.exists?(@site.files_path('te[s]t.jpg'))).must_equal true
+ end
+
 it 'sets site changed to false if index is empty' do
 uploaded_file = Rack::Test::UploadedFile.new('./tests/files/blankindex/index.html', 'text/html')
 upload 'files[]' => uploaded_file
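Review bot: The added test reads `./tests/files/te[s]t.jpg`, but the diffstat lists only three changed files and none of them is that fixture, so unless it already exists in the repository the test fails at `Rack::Test::UploadedFile.new` before any upload happens. Either add the fixture to the commit or reuse `./tests/files/test.jpg` with an explicit original filename, if the rack-test version in use supports `original_filename:`. `File.exists?` is deprecated and was removed in Ruby 3.2, so `File.exist?` is the safer spelling here. Writing `must_match(/successfully uploaded/i)` with parentheses also avoids the ambiguous-regexp warning.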