fix(UI): validate E2EE file names

src/libsync/foldermetadata.cpp

@@ -1,3 +1,3 @@
 /*
  * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: GPL-2.0-or-later
@@ -9,6 +9,7 @@
 #include "clientsideencryption.h"
 #include "clientsideencryptionjobs.h"
 #include <common/checksums.h>
+#include <QDir>
 #include <QJsonArray>
 #include <QJsonDocument>
 #include <QSslCertificate>
@@ -49,12 +50,33 @@
 }
 }
 
+bool FolderMetadata::isOriginalFilenameValid(const QString &originalFilename)
+{
+    if (originalFilename.isEmpty()) {
+        return false;
+    }
+
+    if (originalFilename == QStringLiteral(".")
+        || originalFilename == QStringLiteral("..")) {
+        return false;
+    }
+
+    if (originalFilename.contains(QLatin1Char('/'))
+        || originalFilename.contains(QLatin1Char('\\'))
+        || originalFilename.contains(QChar(0))) {
+        return false;
+    }
+
+    const auto slashPrefixedName = QStringLiteral("/") + originalFilename;
+    return QDir::cleanPath(slashPrefixedName) == slashPrefixedName;
+}
+
 bool FolderMetadata::EncryptedFile::isDirectory() const
 {
     return mimetype.isEmpty() || mimetype == QByteArrayLiteral("inode/directory") || mimetype == QByteArrayLiteral("httpd/unix-directory");
 }
 
 FolderMetadata::FolderMetadata(AccountPtr account, const QString &remoteFolderRoot, FolderType folderType) :
     _account(account),
     _remoteFolderRoot(Utility::noLeadingSlashPath(Utility::noTrailingSlashPath(remoteFolderRoot))),
     _isRootEncryptedFolder(folderType == FolderType::Root)
@@ -63,12 +85,12 @@
     initEmptyMetadata();
 }
 
 FolderMetadata::FolderMetadata(AccountPtr account,
                                const QString &remoteFolderRoot,
                                const QByteArray &metadata,
                                const RootEncryptedFolderInfo &rootEncryptedFolderInfo,
                                const QByteArray &signature,
                                QObject *parent)
     : QObject(parent)
     , _account(account)
     , _remoteFolderRoot(Utility::noLeadingSlashPath(Utility::noTrailingSlashPath(remoteFolderRoot)))
@@ -119,6 +141,11 @@
         _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
         return;
     }
+    if (_existingMetadataVersion < MetadataVersion::Version2_0 && !_initialSignature.isEmpty()) {
+        qCWarning(lcCseMetadata()) << "Could not setup legacy metadata with a V2 signature.";
+        _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+        return;
+    }
     if (_existingMetadataVersion < MetadataVersion::Version2_0) {
         setupExistingMetadataLegacy(metadata);
         return;
@@ -155,8 +182,8 @@
         folderUser.certificatePem = folderUserObject.value(usersCertificateKey).toString().toUtf8();
         folderUser.encryptedMetadataKey = folderUserObject.value(usersEncryptedMetadataKey).toString().toUtf8();
         _folderUsers[userId] = folderUser;
     }
 
     if (_isRootEncryptedFolder && !_initialSignature.isEmpty()) {
         const auto metadataForSignature = prepareMetadataForSignature(metaDataDoc);
 
@@ -226,7 +253,7 @@
             _keyChecksums.insert(keyChecksum);
         }
     }
 
     if (!verifyMetadataKey(binaryMetadataKeyForDecryption())) {
         qCWarning(lcCseMetadata()) << "Could not verify metadataKey!";
         _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
@@ -243,7 +270,7 @@
         // What does that mean? We store the counter in metadata, should we now store it in local database as we do for all file records in SyncJournal?
         // What if metadata was not updated for a while? The counter will then not be greater than locally stored (in SyncJournal DB?)
         _counter = counterVariantFromJson.value<quint64>();
     }
 
     for (auto it = files.constBegin(), end = files.constEnd(); it != end; ++it) {
         const auto parsedEncryptedFile = parseEncryptedFileFromJson(it.key(), it.value());
@@ -254,12 +281,20 @@
 
     for (auto it = folders.constBegin(); it != folders.constEnd(); ++it) {
         const auto folderName = it.value().toString();
-        if (!folderName.isEmpty()) {
-            EncryptedFile file;
-            file.encryptedFilename = it.key();
-            file.originalFilename = folderName;
-            _files.push_back(file);
+        if (folderName.isEmpty()) {
+            continue;
+        }
+
+        if (!isOriginalFilenameValid(folderName)) {
+            qCWarning(lcCseMetadata()) << "skipping encrypted folder" << it.key() << "metadata has an invalid file name";
+            _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+            continue;
         }
+
+        EncryptedFile file;
+        file.encryptedFilename = it.key();
+        file.originalFilename = folderName;
+        _files.push_back(file);
     }
     _isMetadataValid = true;
 }
@@ -269,7 +304,7 @@
     const auto doc = QJsonDocument::fromJson(metadata);
     qCDebug(lcCseMetadata()) << "Setting up legacy existing metadata version" << _existingMetadataVersion << doc.toJson(QJsonDocument::Compact);
 
     const auto &metaDataStr = metadataStringFromOCsDocument(doc);
     const auto &metaDataDoc = QJsonDocument::fromJson(metaDataStr.toLocal8Bit());
     const auto &metaDataObj = metaDataDoc.object();
     const auto &fullMetaDataObj = metaDataObj[metadataJsonKey].toObject();
@@ -283,7 +318,7 @@
         const auto decryptedMetadataKeyBase64 = decryptDataWithPrivateKey(metadataKeyFromJson, _account->e2e()->certificateSha256Fingerprint());
         if (!decryptedMetadataKeyBase64.isEmpty()) {
             // fromBase64() multiple times just to stick with the old wrong way
             _binaryMetadataKeyForDecryption = QByteArray::fromBase64(QByteArray::fromBase64(QByteArray::fromBase64(decryptedMetadataKeyBase64)));
         }
     }
 
@@ -308,8 +343,8 @@
                     _binaryMetadataKeyForDecryption = QByteArray::fromBase64(QByteArray::fromBase64(lastMetadataKeyValueFromJsonBase64));
                 }
             }
         }
     }
 
     if (binaryMetadataKeyForDecryption().isEmpty()) {
         qCWarning(lcCseMetadata()) << "Could not setup existing metadata with missing metadataKeys!";
@@ -344,12 +379,19 @@
 
         const auto decryptedFileObj = decryptedFileDoc.object();
 
-        if (decryptedFileObj["filename"].toString().isEmpty()) {
+        const auto originalFilename = decryptedFileObj["filename"].toString();
+        if (originalFilename.isEmpty()) {
             qCWarning(lcCseMetadata) << "decrypted metadata" << decryptedFileDoc.toJson(QJsonDocument::Compact) << "skipping encrypted file" << file.encryptedFilename << "metadata has an empty file name";
             continue;
         }
 
-        file.originalFilename = decryptedFileObj["filename"].toString();
+        if (!isOriginalFilenameValid(originalFilename)) {
+            qCWarning(lcCseMetadata) << "skipping encrypted file" << file.encryptedFilename << "metadata has an invalid file name";
+            _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+            continue;
+        }
+
+        file.originalFilename = originalFilename;
         file.encryptionKey = QByteArray::fromBase64(decryptedFileObj["key"].toString().toLocal8Bit());
         file.mimetype = decryptedFileObj["mimetype"].toString().toLocal8Bit();
 
@@ -489,9 +531,9 @@
     });
     for (const auto &singleFile : sortedFiles) {
         hashAlgorithm.addData(singleFile.encryptedFilename.toUtf8());
     }
     hashAlgorithm.addData(metadataKey);
 
     return hashAlgorithm.result().toHex();
 }
 
@@ -503,10 +545,17 @@
 FolderMetadata::EncryptedFile FolderMetadata::parseEncryptedFileFromJson(const QString &encryptedFilename, const QJsonValue &fileJSON) const
 {
     const auto fileObj = fileJSON.toObject();
-    if (fileObj["filename"].toString().isEmpty()) {
+    const auto originalFilename = fileObj["filename"].toString();
+    if (originalFilename.isEmpty()) {
         qCWarning(lcCseMetadata()) << "skipping encrypted file" << encryptedFilename << "metadata has an empty file name";
         return {};
     }
+
+    if (!isOriginalFilenameValid(originalFilename)) {
+        qCWarning(lcCseMetadata()) << "skipping encrypted file" << encryptedFilename << "metadata has an invalid file name";
+        _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+        return {};
+    }
 
     EncryptedFile file;
     file.encryptedFilename = encryptedFilename;
@@ -516,7 +565,7 @@
         nonce = QByteArray::fromBase64(fileObj[nonceKey].toString().toLocal8Bit());
     }
     file.initializationVector = nonce;
-    file.originalFilename = fileObj["filename"].toString();
+    file.originalFilename = originalFilename;
     file.encryptionKey = QByteArray::fromBase64(fileObj["key"].toString().toLocal8Bit());
     file.mimetype = fileObj["mimetype"].toString().toLocal8Bit();
 
@@ -530,6 +579,11 @@
 
 QJsonObject FolderMetadata::convertFileToJsonObject(const EncryptedFile *encryptedFile) const
 {
+    if (!encryptedFile || !isOriginalFilenameValid(encryptedFile->originalFilename)) {
+        qCWarning(lcCseMetadata()) << "Metadata generation failed. Invalid original file name.";
+        return {};
+    }
+
     QJsonObject file;
     file.insert("key", QString(encryptedFile->encryptionKey.toBase64()));
     file.insert("filename", encryptedFile->originalFilename);
@@ -548,7 +602,7 @@
     return _binaryMetadataKeyForEncryption;
 }
 
 const QSet<QByteArray>& FolderMetadata::keyChecksums() const
 {
     return _keyChecksums;
 }
@@ -590,7 +644,7 @@
     Q_ASSERT(_isMetadataValid);
     if (!_isMetadataValid) {
         qCWarning(lcCseMetadata()) << "Could not encrypt non-initialized metadata!";
         return {};
     }
 
     if (latestSupportedMetadataVersion() < MetadataVersion::Version2_0) {
@@ -622,9 +676,9 @@
         const auto file = convertFileToJsonObject(&(*it));
         if (file.isEmpty()) {
             qCWarning(lcCseMetadata) << "Metadata generation failed for file" << it->encryptedFilename;
             return {};
         }
         const auto isDirectory =
             it->mimetype.isEmpty() || it->mimetype == QByteArrayLiteral("inode/directory") || it->mimetype == QByteArrayLiteral("httpd/unix-directory");
         if (isDirectory) {
             folders.insert(it->encryptedFilename, it->originalFilename);
@@ -640,7 +694,7 @@
         }
     }
 
     QJsonObject cipherText = {{counterKey, QJsonValue::fromVariant(newCounter())}, {filesKey, files}, {foldersKey, folders}};
 
     const auto isChecksumsArrayValid = (!_isRootEncryptedFolder && keyChecksums.isEmpty()) || (_isRootEncryptedFolder && !keyChecksums.isEmpty());
     Q_ASSERT(isChecksumsArrayValid);
@@ -723,6 +777,12 @@
 
     QJsonObject files;
     for (auto it = _files.constBegin(), end = _files.constEnd(); it != end; ++it) {
+        if (!isOriginalFilenameValid(it->originalFilename)) {
+            qCWarning(lcCseMetadata) << "Metadata generation failed. Invalid original file name for encrypted file" << it->encryptedFilename;
+            _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+            return {};
+        }
+
         QJsonObject encrypted;
         encrypted.insert("key", QString(it->encryptionKey.toBase64()));
         encrypted.insert("filename", it->originalFilename);
@@ -735,7 +795,7 @@
             qCWarning(lcCseMetadata) << "Metadata generation failed!";
             _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
         }
         QJsonObject file;
         file.insert(encryptedKey, encryptedEncrypted);
         file.insert(initializationVectorKey, QString(it->initializationVector.toBase64()));
         file.insert(authenticationTagKey, QString(it->authenticationTag.toBase64()));
@@ -749,7 +809,7 @@
     }
 
     auto metaObject = QJsonObject{
         {metadataJsonKey, metadata},
     };
 
     if (files.count()) {
@@ -772,12 +832,12 @@
     return FolderMetadata::fromMedataVersionToItemEncryptionStatus(_existingMetadataVersion);
 }
 
 EncryptionStatusEnums::ItemEncryptionStatus FolderMetadata::encryptedMetadataEncryptionStatus() const
 {
     return FolderMetadata::fromMedataVersionToItemEncryptionStatus(_encryptedMetadataVersion);
 }
 
 bool FolderMetadata::isVersion2AndUp() const
 {
     return _existingMetadataVersion >= MetadataVersion::Version2_0;
 }
@@ -814,7 +874,7 @@
                     _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
                     return false;
                 }
                 fileDropEntry.currentUser = fileDropEntryUser;
                 break;
             }
         }
@@ -864,9 +924,9 @@
     switch (metadataVersion) {
     case FolderMetadata::MetadataVersion::Version2_1:
     case FolderMetadata::MetadataVersion::Version2_0:
         return SyncFileItem::EncryptionStatus::EncryptedMigratedV2_0;
     case FolderMetadata::MetadataVersion::Version1_2:
         return SyncFileItem::EncryptionStatus::EncryptedMigratedV1_2;
     case FolderMetadata::MetadataVersion::Version1:
         return SyncFileItem::EncryptionStatus::Encrypted;
     case FolderMetadata::MetadataVersion::VersionUndefined:
@@ -882,7 +942,7 @@
         return MetadataVersion::Version1;
     case EncryptionStatusEnums::ItemEncryptionStatus::EncryptedMigratedV1_2:
         return MetadataVersion::Version1_2;
     case EncryptionStatusEnums::ItemEncryptionStatus::EncryptedMigratedV2_0:
         return MetadataVersion::Version2_0;
     case EncryptionStatusEnums::ItemEncryptionStatus::NotEncrypted:
         return MetadataVersion::VersionUndefined;
@@ -914,11 +974,17 @@
     return metdataModified.toJson(QJsonDocument::Compact);
 }
 
-void FolderMetadata::addEncryptedFile(const EncryptedFile &f) {
+bool FolderMetadata::addEncryptedFile(const EncryptedFile &f) {
     Q_ASSERT(_isMetadataValid);
     if (!_isMetadataValid) {
         qCWarning(lcCseMetadata()) << "Could not add encrypted file to non-initialized metadata!";
-        return;
+        return false;
+    }
+
+    if (!isOriginalFilenameValid(f.originalFilename)) {
+        qCWarning(lcCseMetadata()) << "Could not add encrypted file with invalid original file name.";
+        _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
+        return false;
     }
 
     for (int i = 0; i < _files.size(); ++i) {
@@ -929,6 +995,7 @@
     }
 
     _files.append(f);
+    return true;
 }
 
 const QByteArray FolderMetadata::binaryMetadataKeyForDecryption() const
@@ -936,7 +1003,7 @@
     return _binaryMetadataKeyForDecryption;
 }
 
 void FolderMetadata::removeEncryptedFile(const EncryptedFile &f)
 {
     for (int i = 0; i < _files.size(); ++i) {
         if (_files.at(i).originalFilename == f.originalFilename) {
@@ -1001,7 +1068,9 @@
             _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
             return false;
         }
-        addEncryptedFile(parsedEncryptedFile);
+        if (!addEncryptedFile(parsedEncryptedFile)) {
+            return false;
+        }
     }
 
     _fileDropEntries.clear();
@@ -1027,9 +1096,9 @@
     Q_UNUSED(message);
     if (statusCode != 200) {
         qCWarning(lcCseMetadata()) << "Could not fetch root folder metadata" << statusCode << message;
         _account->reportClientStatus(OCC::ClientStatusReportingStatus::E2EeError_GeneralError);
     }
     const auto rootE2eeFolderMetadata = _encryptedFolderMetadataHandler->folderMetadata();
     if (statusCode != 200 || !rootE2eeFolderMetadata->isValid() || !rootE2eeFolderMetadata->isVersion2AndUp()) {
         initMetadata();
         return;
@@ -1055,7 +1124,7 @@
     Q_ASSERT(_isRootEncryptedFolder);
     Q_ASSERT(!certificate.isNull());
     if (!_isRootEncryptedFolder) {
         qCWarning(lcCseMetadata()) << "Could not add a folder user to a non top level folder.";
         return false;
     }
 
@@ -1065,7 +1134,7 @@
     case CertificateType::HardwareCertificate:
         convertedCertificateType = CertificateInformation::CertificateType::HardwareCertificate;
         break;
     case CertificateType::SoftwareNextcloudCertificate:
         convertedCertificateType = CertificateInformation::CertificateType::SoftwareNextcloudCertificate;
         break;
     }
@@ -1131,7 +1200,7 @@
         const auto encryptedMetadataKey = encryptDataWithPublicKey(binaryMetadataKeyForEncryption(), shareUserCertificate);
         if (encryptedMetadataKey.isEmpty()) {
             qCWarning(lcCseMetadata()) << "Could not update folder users with empty encryptedMetadataKey!";
             continue;
         }
 
         folderUser.encryptedMetadataKey = encryptedMetadataKey;
@@ -1145,7 +1214,7 @@
     if (!_isRootEncryptedFolder) {
         return;
     }
     _binaryMetadataKeyForEncryption = EncryptionHelper::generateRandom(metadataKeySize);
     if (!binaryMetadataKeyForEncryption().isEmpty()) {
         _keyChecksums.insert(calcSha256(binaryMetadataKeyForEncryption()));
     }

src/libsync/foldermetadata.h

@@ -1,8 +1,8 @@
 #pragma once
 /*
  * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
 
 #include "accountfwd.h"
 #include "encryptedfoldermetadatahandler.h"
@@ -24,7 +24,7 @@
 namespace OCC
 {
  // Handles parsing and altering the metadata, encryption and decryption. Setup of the instance is always asynchronouse and emits void setupComplete()
 class OWNCLOUDSYNC_EXPORT FolderMetadata : public QObject
 {
     friend class ::TestClientSideEncryptionV2;
     friend class ::TestSecureFileDrop;
@@ -93,11 +93,11 @@
     Q_ENUM(MetadataVersion)
 
     FolderMetadata(AccountPtr account, const QString &remoteFolderRoot, FolderType folderType = FolderType::Nested);
     /*
     * construct metadata based on RootEncryptedFolderInfo
     * as per E2EE V2, the encryption key and users that have access are only stored in root(top-level) encrypted folder's metadata
     * see: https://github.com/nextcloud/end_to_end_encryption_rfc/blob/v2.1/RFC.md
     */
     FolderMetadata(AccountPtr account,
                    const QString &remoteFolderRoot,
                    const QByteArray &metadata,
@@ -131,8 +131,8 @@
     [[nodiscard]] QByteArray encryptedMetadata();
 
     [[nodiscard]] EncryptionStatusEnums::ItemEncryptionStatus existingMetadataEncryptionStatus() const;
     [[nodiscard]] EncryptionStatusEnums::ItemEncryptionStatus encryptedMetadataEncryptionStatus() const;
 
     [[nodiscard]] bool isVersion2AndUp() const;
 
     [[nodiscard]] quint64 newCounter() const;
@@ -144,9 +144,9 @@
     void updateSelfCertificate();
 
     static MetadataVersion setupVersionFromExistingMetadata(const QByteArray &metadata);
 
 public slots:
-    void addEncryptedFile(const OCC::FolderMetadata::EncryptedFile &f);
+    [[nodiscard]] bool addEncryptedFile(const OCC::FolderMetadata::EncryptedFile &f);
     void removeEncryptedFile(const OCC::FolderMetadata::EncryptedFile &f);
     void removeAllEncryptedFiles();
 
@@ -171,6 +171,8 @@
 
     [[nodiscard]] QJsonObject convertFileToJsonObject(const EncryptedFile *encryptedFile) const;
 
+    [[nodiscard]] static bool isOriginalFilenameValid(const QString &originalFilename);
+
     [[nodiscard]] MetadataVersion latestSupportedMetadataVersion() const;
 
     [[nodiscard]] bool parseFileDropPart(const QJsonDocument &doc);
@@ -178,8 +180,8 @@
     void setFileDrop(const QJsonObject &fileDrop);
 
     static EncryptionStatusEnums::ItemEncryptionStatus fromMedataVersionToItemEncryptionStatus(const MetadataVersion metadataVersion);
     static MetadataVersion fromItemEncryptionStatusToMedataVersion(const EncryptionStatusEnums::ItemEncryptionStatus encryptionStatus);
 
     static QByteArray prepareMetadataForSignature(const QJsonDocument &fullMetadata);
 
 private slots:
@@ -192,10 +194,10 @@
 
     void startFetchRootE2eeFolderMetadata(const QString &path);
     void slotRootE2eeFolderMetadataReceived(int statusCode, const QString &message);
 
     void updateUsersEncryptedMetadataKey();
     void createNewMetadataKeyForEncryption();
 
     void emitSetupComplete();
 
 signals:

src/libsync/propagateuploadencrypted.cpp

@@ -1,7 +1,7 @@
 /*
  * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
 #include "propagateuploadencrypted.h"
 #include "clientsideencryptionjobs.h"
 #include "networkjobs.h"
@@ -79,12 +79,12 @@
     return _encryptedFolderMetadataHandler->isFolderLocked();
 }
 
 const QByteArray PropagateUploadEncrypted::folderToken() const
 {
     return _encryptedFolderMetadataHandler ? _encryptedFolderMetadataHandler->folderToken() : QByteArray{};
 }
 
 void PropagateUploadEncrypted::slotFetchMetadataJobFinished(int statusCode, const QString &message)
 {
     qCDebug(lcPropagateUploadEncrypted) << "Metadata Received, Preparing it for the new file." << message;
 
@@ -149,7 +149,7 @@
         QFile output(QDir::tempPath() + QDir::separator() + encryptedFile.encryptedFilename);
 
         QByteArray tag;
         bool encryptionResult = EncryptionHelper::fileEncryption(encryptedFile.encryptionKey, encryptedFile.initializationVector, &input, &output, tag);
 
         if (!encryptionResult) {
             qCWarning(lcPropagateUploadEncrypted()) << "There was an error encrypting the file, aborting upload.";
@@ -163,7 +163,11 @@
 
     qCDebug(lcPropagateUploadEncrypted) << "Creating the metadata for the encrypted file.";
 
-    metadata->addEncryptedFile(encryptedFile);
+    if (!metadata->addEncryptedFile(encryptedFile)) {
+        qCWarning(lcPropagateUploadEncrypted()) << "There was an error encrypting the file, aborting upload. Invalid metadata file name.";
+        emit error();
+        return;
+    }
 
     qCDebug(lcPropagateUploadEncrypted) << "Metadata created, sending to the server.";
 

test/testclientsideencryptionv2.cpp

@@ -104,7 +104,7 @@ private slots:
         encryptedFile.originalFilename = fakeFileName;
         encryptedFile.mimetype = "application/octet-stream";
         encryptedFile.initializationVector = EncryptionHelper::generateRandom(16);
-        metadata->addEncryptedFile(encryptedFile);
+        QVERIFY(metadata->addEncryptedFile(encryptedFile));
 
         const auto encryptedMetadata = metadata->encryptedMetadata();
         QVERIFY(!encryptedMetadata.isEmpty());
@@ -219,6 +219,82 @@ private slots:
         QVERIFY(!metadataFromJson->isValid());
     }
 
+    void testOriginalFilenameValidation_data()
+    {
+        QTest::addColumn<QString>("originalFilename");
+        QTest::addColumn<bool>("isValid");
+
+        QTest::newRow("plain file") << QStringLiteral("document.txt") << true;
+        QTest::newRow("plain folder") << QStringLiteral("Documents") << true;
+        QTest::newRow("hidden file") << QStringLiteral(".hidden") << true;
+        QTest::newRow("empty") << QString() << false;
+        QTest::newRow("current directory") << QStringLiteral(".") << false;
+        QTest::newRow("parent directory") << QStringLiteral("..") << false;
+        QTest::newRow("relative traversal") << QStringLiteral("../../poc_dir") << false;
+        QTest::newRow("embedded slash") << QStringLiteral("folder/file.txt") << false;
+        QTest::newRow("absolute path") << QStringLiteral("/tmp/poc") << false;
+        QTest::newRow("backslash") << QStringLiteral("folder\\file.txt") << false;
+        QTest::newRow("null byte") << QStringLiteral("file") + QChar(0) + QStringLiteral("name") << false;
+    }
+
+    void testOriginalFilenameValidation()
+    {
+        QFETCH(QString, originalFilename);
+        QFETCH(bool, isValid);
+
+        QCOMPARE(FolderMetadata::isOriginalFilenameValid(originalFilename), isValid);
+    }
+
+    void testParseEncryptedFileFromJsonRejectsUnsafeOriginalFilename_data()
+    {
+        testOriginalFilenameValidation_data();
+    }
+
+    void testParseEncryptedFileFromJsonRejectsUnsafeOriginalFilename()
+    {
+        QFETCH(QString, originalFilename);
+        QFETCH(bool, isValid);
+
+        QScopedPointer<FolderMetadata> metadata(new FolderMetadata(_account, "/", FolderMetadata::FolderType::Root));
+        QSignalSpy metadataSetupCompleteSpy(metadata.data(), &FolderMetadata::setupComplete);
+        metadataSetupCompleteSpy.wait();
+        QCOMPARE(metadataSetupCompleteSpy.count(), 1);
+        QVERIFY(metadata->isValid());
+
+        const auto fileJson = QJsonObject{
+            {QStringLiteral("filename"), originalFilename},
+            {QStringLiteral("key"), QString::fromUtf8(QByteArrayLiteral("key").toBase64())},
+            {QStringLiteral("mimetype"), QStringLiteral("application/octet-stream")},
+            {QStringLiteral("nonce"), QString::fromUtf8(QByteArrayLiteral("nonce").toBase64())},
+            {QStringLiteral("authenticationTag"), QString::fromUtf8(QByteArrayLiteral("tag").toBase64())},
+        };
+
+        const auto parsedEncryptedFile = metadata->parseEncryptedFileFromJson(QStringLiteral("encrypted-name"), fileJson);
+        QCOMPARE(!parsedEncryptedFile.originalFilename.isEmpty(), isValid);
+        if (isValid) {
+            QCOMPARE(parsedEncryptedFile.originalFilename, originalFilename);
+        }
+    }
+
+    void testAddEncryptedFileRejectsUnsafeOriginalFilename()
+    {
+        QScopedPointer<FolderMetadata> metadata(new FolderMetadata(_account, "/", FolderMetadata::FolderType::Root));
+        QSignalSpy metadataSetupCompleteSpy(metadata.data(), &FolderMetadata::setupComplete);
+        metadataSetupCompleteSpy.wait();
+        QCOMPARE(metadataSetupCompleteSpy.count(), 1);
+        QVERIFY(metadata->isValid());
+
+        FolderMetadata::EncryptedFile encryptedFile;
+        encryptedFile.encryptionKey = EncryptionHelper::generateRandom(16);
+        encryptedFile.encryptedFilename = EncryptionHelper::generateRandomFilename();
+        encryptedFile.originalFilename = QStringLiteral("folder\\file.txt");
+        encryptedFile.mimetype = "application/octet-stream";
+        encryptedFile.initializationVector = EncryptionHelper::generateRandom(16);
+
+        QVERIFY(!metadata->addEncryptedFile(encryptedFile));
+        QVERIFY(metadata->files().isEmpty());
+    }
+
     void testE2EeFolderMetadataSharing()
     {
         // instantiate empty metadata, add a file, and share with a second user "sharee"
@@ -236,7 +312,7 @@ private slots:
         encryptedFile.originalFilename = fakeFileName;
         encryptedFile.mimetype = "application/octet-stream";
         encryptedFile.initializationVector = EncryptionHelper::generateRandom(16);
-        metadata->addEncryptedFile(encryptedFile);
+        QVERIFY(metadata->addEncryptedFile(encryptedFile));
 
         QVERIFY(metadata->addUser(_secondAccount->davUser(), _secondAccount->e2e()->getCertificate(), FolderMetadata::CertificateType::SoftwareNextcloudCertificate));
 
@@ -327,7 +403,7 @@ private slots:
         encryptedFile.originalFilename = fakeFileNameFromSecondUser;
         encryptedFile.mimetype = "application/octet-stream";
         encryptedFile.initializationVector = EncryptionHelper::generateRandom(16);
-        metadataFromJsonForSecondUser->addEncryptedFile(encryptedFile);
+        QVERIFY(metadataFromJsonForSecondUser->addEncryptedFile(encryptedFile));
 
         auto encryptedMetadataFromSecondUser = metadataFromJsonForSecondUser->encryptedMetadata();
         encryptedMetadataFromSecondUser.replace("\"", "\\\"");

test/testsecurefiledrop.cpp

@@ -87,7 +87,7 @@ private slots:
             encryptedFile.originalFilename = fakeFileName;
             encryptedFile.mimetype = "application/octet-stream";
             encryptedFile.initializationVector = EncryptionHelper::generateRandom(16);
-            metadata->addEncryptedFile(encryptedFile);
+            QVERIFY(metadata->addEncryptedFile(encryptedFile));
         }
 
         QJsonObject fakeFileDropPart;