From 6a91c29baf98d5b344c6622403c0a9a3de25e392 Mon Sep 17 00:00:00 2001
From: Bernhard Herzog
Date: Tue, 9 May 2023 18:46:00 +0200
Subject: [PATCH] Check that filename matches ID in csaf_provider
---
 cmd/csaf_provider/actions.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cmd/csaf_provider/actions.go b/cmd/csaf_provider/actions.go
index 83101d0..084f52f 100644
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@@ -196,6 +196,11 @@ func (c *controller) upload(r *http.Request) (any, error) {
 return nil, err
 }
 
+ if util.CleanFileName(ex.ID) != newCSAF {
+ return nil, fmt.Errorf("ID %q does not match filename %s",
+ ex.ID, newCSAF)
+ }
+
 // Check if we have to search for dynamic categories.
 var dynamicCategories []string
 if catExprs := c.cfg.DynamicCategories(); len(catExprs) > 0 {
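Review bot: The new check in upload has no comment saying why a mismatch is rejected, and its error formats `newCSAF` with `%s` while `ex.ID` gets `%q`. Both values appear to come from the uploaded request (their origin is outside the hunk), so quoting both keeps control characters or an empty name visible wherever the error is logged or returned: `return nil, fmt.Errorf("ID %q does not match filename %q",`. A one-line comment such as `// The stored file name must be the one derived from the document's tracking ID; reject uploads whose name disagrees.` would record the intent for the next maintainer. upload's body starts and ends outside the hunk, so whether anything is written to disk before this check runs cannot be confirmed from here.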