From d582d40ab80d1af5063fd51401fcdb359ea34c92 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Wed, 13 Aug 2025 09:23:53 -0400
Subject: [PATCH] feat: add header value sanitization for S3 metadata

- Implemented `sanitizeHeaderValue` method to clean file names for S3 user metadata, ensuring compliance with ASCII requirements and removing control characters.
- Updated the attachment service to utilize the new sanitization method when setting the original file name in metadata.
---
 apps/api/src/attachments/attachments.service.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/attachments/attachments.service.ts b/apps/api/src/attachments/attachments.service.ts
index ee24d917b..599497590 100644
--- a/apps/api/src/attachments/attachments.service.ts
+++ b/apps/api/src/attachments/attachments.service.ts
@@ -67,7 +67,8 @@ export class AttachmentsService {
         Body: fileBuffer,
         ContentType: uploadDto.fileType,
         Metadata: {
-          originalFileName: uploadDto.fileName,
+          // S3 metadata becomes HTTP headers (x-amz-meta-*) and must be ASCII without control chars
+          originalFileName: this.sanitizeHeaderValue(uploadDto.fileName),
           organizationId,
           entityId,
           entityType,
@@ -273,6 +274,18 @@ export class AttachmentsService {
     return fileName.replace(/[^a-zA-Z0-9.-]/g, '_');
   }
 
+  /**
+   * Sanitize header value for S3 user metadata (x-amz-meta-*) to avoid invalid characters
+   * - Remove control characters (\x00-\x1F, \x7F)
+   * - Replace non-ASCII with '_'
+   * - Trim whitespace
+   */
+  private sanitizeHeaderValue(value: string): string {
+    const withoutControls = value.replace(/[\x00-\x1F\x7F]/g, '');
+    const asciiOnly = withoutControls.replace(/[^\x20-\x7E]/g, '_');
+    return asciiOnly.trim();
+  }
+
   /**
    * Map MIME type to AttachmentType enum
    */