
Sanitize audio filename before forwarding to ElevenLabs API#112

Closed
anshul23102 wants to merge 1 commit into
itzzavdhesh:mainfrom
anshul23102:fix/69-filename-sanitization

Conversation

@anshul23102

@anshul23102 anshul23102 commented Jun 4, 2026

Contributor

Sanitize audio filename before forwarding to ElevenLabs API

Sanitizes the audio filename extracted from the upload to prevent path traversal and injection attacks when it is forwarded to the ElevenLabs API.

Changes

  • Added filename sanitization in server/controllers/voiceController.js
  • Removes path separators and special characters from filenames
  • Ensures safe filename forwarding to external API
  • Validation of filename format before use

Key Features

  • Path traversal prevention
  • Special character filtering
  • Safe default filename generation
  • Detailed error logging

Test Plan

  • Upload file with normal filename - should work
  • Upload file with path separators in name - should be sanitized
  • Upload file with special characters - should be handled safely
  • Verify filename sanitization in API requests

Fixes #69

🤖 Generated with Claude Code

…dhesh#69)

Add sanitizeFilename helper to remove path traversal characters and special characters from audioFile.originalname before appending to FormData. Prevents injection attacks targeting the external API.

Changes:
- Add sanitizeFilename() function removing non-alphanumeric chars except dot, underscore, hyphen
- Remove consecutive dots to prevent directory traversal
- Limit filename length to 100 characters
- Use sanitized filename in FormData append for voice clone uploads

Security prevents:
- Path traversal sequences (../../etc/passwd)
- Null byte injection attacks
- Special character injection in filenames
- Command injection via filenames

Fixes itzzavdhesh#69
@anshul23102

Contributor Author

Could the maintainers please add relevant labels? Suggested: type:security, severity:medium, area:api, nsoc

@vercel

vercel Bot commented Jun 4, 2026


@anshul23102 is attempting to deploy a commit to the itzzavdhesh's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Contributor

📝 Walkthrough

The PR adds filename sanitization to the cloneVoice handler in VoiceForge. A new sanitizeFilename() helper removes path traversal sequences, restricts characters to alphanumeric, dot, hyphen, and underscore, and truncates long filenames. The handler now applies this sanitization to user-supplied audio filenames before sending them to ElevenLabs.

Changes

Filename Sanitization for ElevenLabs Integration

  • Sanitized filename handling in cloneVoice (server/controllers/voiceController.js): Added sanitizeFilename() helper that normalizes and truncates user-supplied filenames by replacing disallowed characters and suspicious patterns. Updated cloneVoice to apply sanitization to audioFile.originalname before inclusion in FormData for ElevenLabs multipart upload.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly Related Issues

  • #69: [BUG] cloneVoice forwards audioFile.originalname to ElevenLabs without sanitizing path traversal characters — This PR directly implements the exact fix specified in the issue: sanitizing the user-supplied filename via sanitizeFilename() before use in FormData.

Poem

🐰 A crafted filename tried to roam,
Path traversal, not at home!
Sanitize, restrict, truncate true—
ElevenLabs now receives what's due. 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately and concisely summarizes the main change: sanitizing audio filenames before sending to the ElevenLabs API.
  • Linked Issues check: ✅ Passed. The PR fully addresses issue #69 requirements: it sanitizes filenames using a helper function, restricts characters to [A-Za-z0-9._-], prevents consecutive dots, truncates to 100 characters, and uses the sanitized filename in FormData for ElevenLabs.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to issue #69: adding the sanitizeFilename() helper and applying it to the cloneVoice handler's file upload. No unrelated modifications are present.
  • Description Check: ✅ Passed. Check skipped, since CodeRabbit's high-level summary is enabled.


@github-actions

github-actions Bot commented Jun 4, 2026


DCO Sign-off Needed

Hi @anshul23102, this PR is missing a valid Signed-off-by: line on one or more commits.

The DCO sign-off confirms that you have the right to submit this contribution.

Commits To Fix

Fix The Most Recent Commit

git commit --amend --signoff
git push --force-with-lease

Fix Multiple Commits

Replace N with the number of commits that need sign-off:

git rebase --signoff HEAD~N
git push --force-with-lease

After you push the signed commits, this comment will update automatically.

VoiceForge automation

@github-actions

github-actions Bot commented Jun 4, 2026


PR Needs A Quick Update

Hi @anshul23102, thank you for opening this PR.

The PR is close, but a few validation checks need attention before it can enter mentor review.

Items To Fix

  • Select a program PR template: GSSoC, NSOC, SSOC, or ELUSOC.
  • Use the mandatory VoiceForge PR template and keep all required sections.
  • Use a Conventional Commits PR title, for example feat: add voice preview.

Update Guide

  • PR template: use one complete program PR template and keep all required sections.
  • PR title: use Conventional Commits, for example fix: update onboarding progress bar.
  • Program: choose exactly one program: GSSoC, NSOC, SSOC, or ELUSOC.

Label Summary

  • Detected: size/xs, server, needs-template, needs-title
  • Blockers: needs-template, needs-title

What Happens Next

Update the PR title or description, then let the workflow run again. Once these blockers are clear, the correct program mentor(s) will be requested for review.

VoiceForge automation

@github-actions github-actions Bot added the bug Something isn't working label Jun 4, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


No issues found across 1 file


@itzzavdhesh

Owner

Hi @anshul23102, please use the correct template; only then will your PR or issue be reviewed.

issue template : https://github.com/itzzavdhesh/VoiceForge/tree/main/.github/ISSUE_TEMPLATE

PR template : https://github.com/itzzavdhesh/VoiceForge/tree/main/.github/PULL_REQUEST_TEMPLATE

@anshul23102

Contributor Author

Closing this as a duplicate of #79, which targets the same issue and already has maintainer review history. Consolidating to a single PR per issue to keep the queue clean. All further work will continue on #79.

@anshul23102 anshul23102 closed this Jun 4, 2026

Development

Successfully merging this pull request may close these issues.

[BUG] cloneVoice forwards audioFile.originalname to ElevenLabs without sanitizing path traversal characters

2 participants