MM-64658 Fix handling of upload sessions (#32141)

* MM-64658 Fix handling of upload sessions

* Fix style issue

server/channels/api4/upload.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"mime/multipart"
 	"net/http"
+	"path/filepath"
 
 	"github.com/mattermost/mattermost/server/public/model"
 	"github.com/mattermost/mattermost/server/public/shared/mlog"
@@ -39,6 +40,8 @@ func createUpload(c *Context, w http.ResponseWriter, r *http.Request) {
 	us.RemoteId = ""
 	us.ReqFileId = ""
 
+	us.Filename = filepath.Base(us.Filename)
+
 	auditRec := c.MakeAuditRecord("createUpload", model.AuditStatusFail)
 	defer c.LogAuditRec(auditRec)
 	model.AddEventParameterAuditableToAuditRec(auditRec, "upload", &us)

server/channels/api4/upload_test.go

@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"mime/multipart"
 	"net/http"
@@ -117,6 +118,36 @@ func TestCreateUpload(t *testing.T) {
 			require.NotEmpty(t, u)
 		})
 	})
+
+	t.Run("should clean filename", func(t *testing.T) {
+		us := &model.UploadSession{
+			ChannelId: th.BasicChannel.Id,
+			Filename:  "../../../image.png",
+			FileSize:  8 * 1024 * 1024,
+		}
+
+		u, resp, err := th.Client.CreateUpload(context.Background(), us)
+		require.NoError(t, err)
+		require.NotEmpty(t, u)
+		require.Equal(t, http.StatusCreated, resp.StatusCode)
+
+		require.Equal(t, "image.png", u.Filename)
+
+		rus, appErr := th.App.GetUploadSession(th.Context, u.Id)
+		require.Nil(t, appErr)
+		require.Equal(t, "image.png", rus.Filename)
+		require.Equal(
+			t,
+			fmt.Sprintf(
+				"%s/teams/noteam/channels/%s/users/%s/%s/image.png",
+				model.GetTimeForMillis(u.CreateAt).Format("20060102"),
+				u.ChannelId,
+				u.UserId,
+				u.Id,
+			),
+			rus.Path,
+		)
+	})
 }
 
 func TestGetUpload(t *testing.T) {