From 813e00479da9f1e380915bc8b1a46d0a5d2a7ecb Mon Sep 17 00:00:00 2001
From: Chomp
Date: Tue, 21 Oct 2025 16:52:23 +0100
Subject: [PATCH] Validate filename is mongoId before we load it as profile #648

---
 Libraries/SPTarkov.Server.Core/Servers/SaveServer.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Libraries/SPTarkov.Server.Core/Servers/SaveServer.cs b/Libraries/SPTarkov.Server.Core/Servers/SaveServer.cs
index 9d9551dd..cc92ac56 100644
--- a/Libraries/SPTarkov.Server.Core/Servers/SaveServer.cs
+++ b/Libraries/SPTarkov.Server.Core/Servers/SaveServer.cs
@@ -70,7 +70,12 @@ public class SaveServer(
 var stopwatch = Stopwatch.StartNew();
 foreach (var file in files)
 {
- await LoadProfileAsync(fileUtil.StripExtension(file));
+ // Only allow files that fit the criteria of being a mongo id be parsed
+ var filename = Path.GetFileNameWithoutExtension(file);
+ if (MongoId.IsValidMongoId(filename))
+ {
+ await LoadProfileAsync(fileUtil.StripExtension(file));
+ }
 }
 
 stopwatch.Stop();
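Review bot: The new guard validates `Path.GetFileNameWithoutExtension(file)`, but the value handed to `LoadProfileAsync` is still `fileUtil.StripExtension(file)`, so the string that was checked is not the string that is used. `StripExtension` is not visible in this hunk; if it can return anything other than the bare file name (a directory part, or a name that keeps a second extension), the check and the load disagree. Passing the validated value, `await LoadProfileAsync(filename);`, would close that gap, provided the two helpers are meant to return the same string. Files that fail the check are also skipped without any trace; a warning log naming the skipped file would let an operator notice a stray or misnamed file in the folder being scanned. The enclosing method starts and ends outside the hunk.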