Java - programmatically check for invalid characters in file name

Question

Recently, we had someone upload a file that contained illegal characters in the name (double hyphen) which resulted in the inability to redownload the file. In this instance the file name was
Some name -- some other information

For the upload, the file name gets set by getting the original file name which is a business rule.

file.setFileName(file.getFile().getOriginalFilename());

This resulted in the double hyphen becoming two upside down question marks, and for whatever reason resulted in the inability to retrieve the file back from the server.

I'm wondering if there is a programmatic solution to check the original file name for situation like this.

For transparency, here is the code for uploading the file:

 public void saveOpcertCeuFile(OpcertCeuFileUpload file) {
        UmdContact user = secUtilService.getActiveUser();
        String username = user.getEmail();
        Date now = new Date();

        file.setCreatedTs(now);
        file.setLastUpdatedTs(now);
        file.setCreatedBy(username);
        file.setLastUpdatedBy(username);
        file.setFileName(file.getFile().getOriginalFilename());
        file.setIsApproved(Boolean.FALSE);
        file.setIsDeleted(Boolean.FALSE);

        try {
            file.setByteContents(file.getFile().getBytes());
        } catch (Exception ex) {
            log.info(ex);
            throw new RuntimeException(ex);
        }
        dao.insertOpcertCeuFileUpload(file);

        Path path = this.getOptcertCeuFilePath(file);
        String configF = envService.getServerUrl();
        file.setFilePath(String.valueOf(path));
        dao.updateOpcertCeuFilePath(file);

        try {
            File file1 = path.toFile();
            file1.getParentFile().mkdirs();
            Files.write(path, file.getByteContents(), StandardOpenOption.CREATE_NEW);
        } catch (Exception ex) {
            throw new RuntimeException(ex);
        }
    }

Answer 1

Your filesystem, your rules

If you want to store files, name them according to whatever rules you want, but don't let the user dictate the name. Will there be name conflicts? Does a filename contain invalid characters? You never know.

So use your own naming conventions. But you say that there is some business rule to force you to keep the original filename. So just do that in another place.

For instance, you get the file Hello--World.txt, use the name 20201124-000001.uploaded on your filesystem, but then store in some metadata that the filename is Hello--World.txt. When somebody wants to download that filename, just provide the original filename as the download. This way you keep the metadata associated to your filename, but you keep your system secure.

Example in your code:

// Name on filesystem.
file.setFileName(date + "-" + orderingNumberForDate(date) + ".uploaded");     

// Name in the metadata (text or db)
file.setOriginalFileName(file.getFile().getOriginalFilename());