iamthereplicant

Reputation: 232

Regex that removes all non-alphanumeric, single periods, and single slashes

I'm trying to whitelist characters for filenames and prevent path manipulation. We take a filename returned from the frontend (I know.) and parse it to determine if it's in a specified folder. As such we need to make sure the user isn't passing in a file that could escape out of the specified folder. This means our case for a valid filename is:

So "APP-TEST-file.20161115.1" is valid but "/../../test//\" needs to have some characters removed prior to checking the filesystem.

Here's the regex I've got now, unfortunately it's removing too much.

public static String validateFilePath(String fileName) {
    return fileName.replaceAll("[^A-Za-z0-9]+[(\\.\\/)\\+2]", "");
}

Such that "APP-TEST-file.20161115.1" is becoming "APP-TEST-file0161115.1"

Any help would be appreciated.

Upvotes: 4

Views: 205

Answers (1)

Wasi Ahmad

Reputation: 37691

Do you want something like this? (I am not clear about what you want!)

String filename = "APP-TEST-file.20161115.1";
// collapse any run of consecutive dots into a single dot
filename = filename.replaceAll("\\.+", ".");
// collapse any run of consecutive forward slashes into a single forward slash
filename = filename.replaceAll("/+", "/");
// collapse any run of consecutive backslashes into a single backslash
filename = filename.replaceAll("\\\\+", "\\\\");
// keep only alphanumeric characters, dots and both types of slashes (hyphens are removed)
filename = filename.replaceAll("[^A-Za-z0-9./\\\\]+", "");
System.out.println(filename);

It prints:

APPTESTfile.20161115.1

If filename="/../../test//\\", then it prints - /././test/\.

Upvotes: 2
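
An alternative to stripping characters, added here as an example (it is not part of the answer above): validate the name against an allow-list and reject it on mismatch, then confirm the resolved path is still inside the base folder. The class and method names, the temp folder, and the exact allowed set (letters, digits, hyphens, single dots, single forward slashes) are assumptions drawn from the question's description.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class SafeFileName {
    // One path segment: alphanumerics/hyphens, with single dots only between them.
    private static final String SEG = "[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*";
    // Segments joined by single forward slashes; no leading slash, no backslash.
    private static final Pattern ALLOWED = Pattern.compile(SEG + "(?:/" + SEG + ")*");

    /** Returns the path under baseDir for fileName, or throws if the name is rejected. */
    static Path resolveInside(Path baseDir, String fileName) throws IOException {
        if (fileName == null || !ALLOWED.matcher(fileName).matches()) {
            throw new IllegalArgumentException("name does not match allow-list");
        }
        Path base = baseDir.toRealPath();                 // canonical form of the base folder
        Path candidate = base.resolve(fileName).normalize();
        // Second, independent check: the normalized result must still sit under base.
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base folder");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads"); // constructed sample folder
        String[] samples = {
            "APP-TEST-file.20161115.1",   // sample from the question
            "/../../test//\\",            // sample from the question
            "reports/2016/file.1",        // constructed: single slashes
            "a..b",                       // constructed: consecutive dots
            "a//b"                        // constructed: consecutive slashes
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPTED " + s + " -> " + resolveInside(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting on mismatch avoids the case shown in the answer's second output, where a cleaned string still contains slashes and dot segments that the filesystem will interpret.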
