hotfix: fix _extract_filename for rfc 5987

[NeatGuyCoding]

Important

1. Make sure you have read our contribution guidelines
2. Ensure there is an associated issue and you have been assigned to it
3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

close #28754

This pull request refactors and strengthens the filename extraction logic from remote file URLs and Content-Disposition headers, with a particular focus on proper RFC5987 support and security against path injection. It also introduces a comprehensive set of unit tests to ensure correct behavior across a wide range of scenarios, including encoding edge cases and malicious input.

Filename extraction improvements:

• Refactored the _extract_filename function in file_factory.py to robustly parse RFC5987 filename* parameters, handle charset and language tags, decode percent-encoding, and always sanitize the result using os.path.basename to prevent path injection. The function now also returns None for empty or whitespace-only filenames.
• Added the missing re import to support regular expression parsing in the filename extraction logic.

Testing enhancements:

• Added a new TestExtractFilename class to test_file_factory.py with extensive unit tests covering RFC5987 parsing, encoding/decoding, language tags, fallback behaviors, path injection protection, and edge cases like empty filenames.
• Updated the test imports to include _extract_filename for direct testing.

Screenshots

Before	After
...	...

Checklist

• This change requires a documentation update, included: Dify Document
• I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
• I've updated the documentation accordingly.
• I ran dev/reformat(backend) and cd web && npx lint-staged(frontend) to appease the lint gods

[gemini-code-assist]

Summary of Changes

Hello @NeatGuyCoding, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a hotfix that significantly enhances the _extract_filename utility by implementing full compliance with RFC 5987 for Content-Disposition headers. This ensures that filenames, especially those containing international characters or special symbols, are extracted accurately and securely from remote URLs, thereby improving the reliability and robustness of file handling within the system.

Highlights

• RFC 5987 Compliance: The _extract_filename function has been updated to correctly parse and prioritize the filename* parameter from the Content-Disposition header, adhering to RFC 5987 for internationalized filenames.
• Robust Filename Extraction: The filename extraction logic now includes manual parsing of filename* with support for various character sets (e.g., UTF-8, ISO-8859-1), proper percent-decoding, and fallback mechanisms for malformed headers or when filename* is not present.
• Security Enhancements: Path injection vulnerabilities are mitigated by consistently applying os.path.basename to extracted filenames, ensuring that only the actual filename is returned and preventing directory traversal.
• Comprehensive Unit Tests: A new suite of unit tests has been added for _extract_filename, covering a wide range of scenarios including different Content-Disposition header formats, percent-encoding, RFC 5987 specifics, path injection attempts, and edge cases like empty or whitespace-only filenames.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR fixes filename extraction from HTTP Content-Disposition headers to properly support RFC 5987 encoding, specifically the filename* parameter which allows for UTF-8 encoded filenames.

Key Changes:

• Added proper RFC 5987 filename* parameter parsing with charset/language support
• Enhanced URL path decoding with percent-encoding handling
• Added security protections against path injection attacks

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
api/factories/file_factory.py	Implements RFC 5987 compliant filename extraction with proper charset handling and security measures
api/tests/unit_tests/factories/test_file_factory.py	Adds comprehensive test coverage for RFC 5987 parsing, security scenarios, and edge cases

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[gemini-code-assist]

Code Review

This pull request provides a hotfix for filename extraction from the Content-Disposition header, specifically to add support for RFC 5987's filename* parameter. The new implementation is significantly more robust, handling various encodings and malformed headers. The addition of a comprehensive test suite is a great improvement and ensures the new logic is well-covered. I've identified a couple of areas for improvement to enhance robustness and code quality, detailed in the comments below.