From e6aa8fa74449b08784e9e4938c4f81dfd7cb651f Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Sun, 24 May 2026 14:17:04 +0100
Subject: [PATCH] fix: sanitize originalname in decryptpdf multer storage to prevent path traversal (CWE-22)

---
 apps/OpenSignServer/cloud/customRoute/decryptpdf.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/OpenSignServer/cloud/customRoute/decryptpdf.js b/apps/OpenSignServer/cloud/customRoute/decryptpdf.js
index f8aa99c374..fa9f9b96f8 100644
--- a/apps/OpenSignServer/cloud/customRoute/decryptpdf.js
+++ b/apps/OpenSignServer/cloud/customRoute/decryptpdf.js
@@ -1,4 +1,5 @@
 import fs from 'node:fs';
+import path from 'node:path';
 import multer from 'multer';
 import Coherentpdf from 'coherentpdf';
@@ -7,7 +8,7 @@ const storage = multer.diskStorage({
     cb(null, 'exports');
   },
   filename(req, file, cb) {
-    cb(null, file.originalname);
+    cb(null, path.basename(file.originalname));
   },
 });
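Review bot: `path.basename(file.originalname)` in the `filename` callback of the second hunk removes directory components, but it still passes through the degenerate results `''`, `'.'` and `'..'` (e.g. `path.basename('..')` is `'..'`), and it keeps the name entirely client-chosen, so two uploads with the same `originalname` overwrite each other in the shared `exports` directory. Those cases should be rejected or made unique on the server side rather than left to fail later in `fs`, for example `const base = path.basename(file.originalname);` / `if (base === '' || base === '.' || base === '..') return cb(new Error('invalid upload file name'));` / `cb(null, \`${Date.now()}-${base}\`);` (a random id such as one from `node:crypto` would be a stronger uniqueness source than a timestamp). Note also that `path.basename` is platform-specific: on a POSIX host a backslash is not treated as a separator, which is presumably acceptable here but worth a one-line comment such as `// basename strips client-supplied directory parts; the name is still untrusted, hence the extra checks`. The enclosing `multer.diskStorage({ ... })` object starts above this hunk, so the `destination` callback that selects `'exports'` is not visible here.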