Summary:
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.
This is the same patch I submitted to create-react-app: https://github.com/facebook/create-react-app/pull/4866
See s163726 for more details
Reviewed By: LukasReschke
Differential Revision: D9504148
fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275