🛡️ fix: Enhance File Upload Security & Error Handling (#4705)

* fix: sanitize filename in multer storage callback * fix: ensure temporary image upload file is deleted after processing * fix: prevent cleanup flag from being set to false before actually deleted * refactor: user avatar, typing, use 'file' for formData instead of 'input', add disk storage, use localization * fix: update Avatar component to include image dimensions in formData and refactor editor reference type * fix: refactor avatar upload handling to use fs for file reading and enhance file validation * fix: ensure temporary image upload file is deleted after processing * fix: refactor avatar upload routes and handlers for agents and assistants, improve file handling and validation * fix: improve audio file validation and cleanup * fix: add filename sanitization utility and integrate it into multer storage configuration * fix: update group project ID check for null and refactor delete prompt group response type * fix: invalid access control for deleting prompt groups * fix: add error handling and logging to checkBan middleware * fix: catch conversation parsing errors * chore: revert unnecessary height and width parameters from avatar upload * chore: update librechat-data-provider version to 0.7.55 * style: ensure KaTeX can spread across visible space
2025-12-31 07:38:52 +01:00 · 2024-11-12 16:41:04 -05:00 · 2024-11-12 16:41:04 -05:00 · d012da0065
commit d012da0065
parent 3c94ff2c04
33 changed files with 373 additions and 186 deletions
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@ -1,3 +1,4 @@
+const fs = require('fs').promises;
 const { nanoid } = require('nanoid');
 const { FileContext, Constants, Tools, SystemRoles } = require('librechat-data-provider');
 const {
@ -7,8 +8,8 @@ const {
  deleteAgent,
  getListAgents,
 } = require('~/models/Agent');
+const { uploadImageBuffer, filterFile } = require('~/server/services/Files/process');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { uploadImageBuffer } = require('~/server/services/Files/process');
 const { getProjectByName } = require('~/models/Project');
 const { updateAgentProjects } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
@ -210,7 +211,7 @@ const getListAgentsHandler = async (req, res) => {

 /**
 * Uploads and updates an avatar for a specific agent.
- * @route POST /avatar/:agent_id
+ * @route POST /:agent_id/avatar
 * @param {object} req - Express Request
 * @param {object} req.params - Request params
 * @param {string} req.params.agent_id - The ID of the agent.
@ -221,17 +222,17 @@ const getListAgentsHandler = async (req, res) => {
 */
 const uploadAgentAvatarHandler = async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const { agent_id } = req.params;
    if (!agent_id) {
      return res.status(400).json({ message: 'Agent ID is required' });
    }

+    const buffer = await fs.readFile(req.file.path);
    const image = await uploadImageBuffer({
      req,
      context: FileContext.avatar,
-      metadata: {
-        buffer: req.file.buffer,
-      },
+      metadata: { buffer },
    });

    let _avatar;
@ -239,7 +240,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
      const agent = await getAgent({ id: agent_id });
      _avatar = agent.avatar;
    } catch (error) {
-      logger.error('[/avatar/:agent_id] Error fetching agent', error);
+      logger.error('[/:agent_id/avatar] Error fetching agent', error);
      _avatar = {};
    }

@ -249,7 +250,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
        await deleteFile(req, { filepath: _avatar.filepath });
        await deleteFileByFilter({ user: req.user.id, filepath: _avatar.filepath });
      } catch (error) {
-        logger.error('[/avatar/:agent_id] Error deleting old avatar', error);
+        logger.error('[/:agent_id/avatar] Error deleting old avatar', error);
      }
    }

@ -270,6 +271,13 @@ const uploadAgentAvatarHandler = async (req, res) => {
    const message = 'An error occurred while updating the Agent Avatar';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/:agent_id/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/:agent_id/avatar] Temp. image upload file already deleted');
+    }
  }
 };

--- a/api/server/controllers/assistants/v1.js
+++ b/api/server/controllers/assistants/v1.js
@ -1,9 +1,10 @@
+const fs = require('fs').promises;
 const { FileContext } = require('librechat-data-provider');
+const { uploadImageBuffer, filterFile } = require('~/server/services/Files/process');
 const validateAuthor = require('~/server/middleware/assistants/validateAuthor');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { deleteAssistantActions } = require('~/server/services/ActionService');
 const { updateAssistantDoc, getAssistants } = require('~/models/Assistant');
-const { uploadImageBuffer } = require('~/server/services/Files/process');
 const { getOpenAIClient, fetchAssistants } = require('./helpers');
 const { deleteFileByFilter } = require('~/models/File');
 const { logger } = require('~/config');
@ -235,7 +236,7 @@ const getAssistantDocuments = async (req, res) => {

 /**
 * Uploads and updates an avatar for a specific assistant.
- * @route POST /avatar/:assistant_id
+ * @route POST /:assistant_id/avatar
 * @param {object} req - Express Request
 * @param {object} req.params - Request params
 * @param {string} req.params.assistant_id - The ID of the assistant.
@ -245,6 +246,7 @@ const getAssistantDocuments = async (req, res) => {
 */
 const uploadAssistantAvatar = async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const { assistant_id } = req.params;
    if (!assistant_id) {
      return res.status(400).json({ message: 'Assistant ID is required' });
@ -253,12 +255,11 @@ const uploadAssistantAvatar = async (req, res) => {
    const { openai } = await getOpenAIClient({ req, res });
    await validateAuthor({ req, openai });

+    const buffer = await fs.readFile(req.file.path);
    const image = await uploadImageBuffer({
      req,
      context: FileContext.avatar,
-      metadata: {
-        buffer: req.file.buffer,
-      },
+      metadata: { buffer },
    });

    let _metadata;
@ -269,7 +270,7 @@ const uploadAssistantAvatar = async (req, res) => {
        _metadata = assistant.metadata;
      }
    } catch (error) {
-      logger.error('[/avatar/:assistant_id] Error fetching assistant', error);
+      logger.error('[/:assistant_id/avatar] Error fetching assistant', error);
      _metadata = {};
    }

@ -279,7 +280,7 @@ const uploadAssistantAvatar = async (req, res) => {
        await deleteFile(req, { filepath: _metadata.avatar });
        await deleteFileByFilter({ user: req.user.id, filepath: _metadata.avatar });
      } catch (error) {
-        logger.error('[/avatar/:assistant_id] Error deleting old avatar', error);
+        logger.error('[/:assistant_id/avatar] Error deleting old avatar', error);
      }
    }

@ -310,6 +311,13 @@ const uploadAssistantAvatar = async (req, res) => {
    const message = 'An error occurred while updating the Assistant Avatar';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/:agent_id/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/:agent_id/avatar] Temp. image upload file already deleted');
+    }
  }
 };

--- a/api/server/middleware/buildEndpointOption.js
+++ b/api/server/middleware/buildEndpointOption.js
@ -27,7 +27,12 @@ const buildFunction = {

 async function buildEndpointOption(req, res, next) {
  const { endpoint, endpointType } = req.body;
-  let parsedBody = parseCompactConvo({ endpoint, endpointType, conversation: req.body });
+  let parsedBody;
+  try {
+    parsedBody = parseCompactConvo({ endpoint, endpointType, conversation: req.body });
+  } catch (error) {
+    return handleError(res, { text: 'Error parsing conversation' });
+  }

  if (req.app.locals.modelSpecs?.list && req.app.locals.modelSpecs?.enforce) {
    /** @type {{ list: TModelSpec[] }}*/
@ -56,11 +61,15 @@ async function buildEndpointOption(req, res, next) {
      });
    }

-    parsedBody = parseCompactConvo({
-      endpoint,
-      endpointType,
-      conversation: currentModelSpec.preset,
-    });
+    try {
+      parsedBody = parseCompactConvo({
+        endpoint,
+        endpointType,
+        conversation: currentModelSpec.preset,
+      });
+    } catch (error) {
+      return handleError(res, { text: 'Error parsing model spec' });
+    }
  }

  const endpointFn = buildFunction[endpointType ?? endpoint];
--- a/api/server/middleware/checkBan.js
+++ b/api/server/middleware/checkBan.js
@ -6,6 +6,7 @@ const keyvMongo = require('~/cache/keyvMongo');
 const denyRequest = require('./denyRequest');
 const { getLogStores } = require('~/cache');
 const { findUser } = require('~/models');
+const { logger } = require('~/config');

 const banCache = new Keyv({ store: keyvMongo, namespace: ViolationTypes.BAN, ttl: 0 });
 const message = 'Your account has been temporarily banned due to violations of our service.';
@ -45,92 +46,96 @@ const banResponse = async (req, res) => {
 * @returns {Promise<function|Object>} - Returns a Promise which when resolved calls next middleware if user or source IP is not banned. Otherwise calls `banResponse()` and sets ban details in `banCache`.
 */
 const checkBan = async (req, res, next = () => {}) => {
-  const { BAN_VIOLATIONS } = process.env ?? {};
+  try {
+    const { BAN_VIOLATIONS } = process.env ?? {};

-  if (!isEnabled(BAN_VIOLATIONS)) {
-    return next();
-  }
+    if (!isEnabled(BAN_VIOLATIONS)) {
+      return next();
+    }

-  req.ip = removePorts(req);
-  let userId = req.user?.id ?? req.user?._id ?? null;
+    req.ip = removePorts(req);
+    let userId = req.user?.id ?? req.user?._id ?? null;

-  if (!userId && req?.body?.email) {
-    const user = await findUser({ email: req.body.email }, '_id');
-    userId = user?._id ? user._id.toString() : userId;
-  }
+    if (!userId && req?.body?.email) {
+      const user = await findUser({ email: req.body.email }, '_id');
+      userId = user?._id ? user._id.toString() : userId;
+    }

-  if (!userId && !req.ip) {
-    return next();
-  }
+    if (!userId && !req.ip) {
+      return next();
+    }

-  let cachedIPBan;
-  let cachedUserBan;
+    let cachedIPBan;
+    let cachedUserBan;

-  let ipKey = '';
-  let userKey = '';
+    let ipKey = '';
+    let userKey = '';

-  if (req.ip) {
-    ipKey = isEnabled(process.env.USE_REDIS) ? `ban_cache:ip:${req.ip}` : req.ip;
-    cachedIPBan = await banCache.get(ipKey);
-  }
+    if (req.ip) {
+      ipKey = isEnabled(process.env.USE_REDIS) ? `ban_cache:ip:${req.ip}` : req.ip;
+      cachedIPBan = await banCache.get(ipKey);
+    }

-  if (userId) {
-    userKey = isEnabled(process.env.USE_REDIS) ? `ban_cache:user:${userId}` : userId;
-    cachedUserBan = await banCache.get(userKey);
-  }
+    if (userId) {
+      userKey = isEnabled(process.env.USE_REDIS) ? `ban_cache:user:${userId}` : userId;
+      cachedUserBan = await banCache.get(userKey);
+    }

-  const cachedBan = cachedIPBan || cachedUserBan;
+    const cachedBan = cachedIPBan || cachedUserBan;
+
+    if (cachedBan) {
+      req.banned = true;
+      return await banResponse(req, res);
+    }
+
+    const banLogs = getLogStores(ViolationTypes.BAN);
+    const duration = banLogs.opts.ttl;
+
+    if (duration <= 0) {
+      return next();
+    }
+
+    let ipBan;
+    let userBan;
+
+    if (req.ip) {
+      ipBan = await banLogs.get(req.ip);
+    }
+
+    if (userId) {
+      userBan = await banLogs.get(userId);
+    }
+
+    const isBanned = !!(ipBan || userBan);
+
+    if (!isBanned) {
+      return next();
+    }
+
+    const timeLeft = Number(isBanned.expiresAt) - Date.now();
+
+    if (timeLeft <= 0 && ipKey) {
+      await banLogs.delete(ipKey);
+    }
+
+    if (timeLeft <= 0 && userKey) {
+      await banLogs.delete(userKey);
+      return next();
+    }
+
+    if (ipKey) {
+      banCache.set(ipKey, isBanned, timeLeft);
+    }
+
+    if (userKey) {
+      banCache.set(userKey, isBanned, timeLeft);
+    }

-  if (cachedBan) {
    req.banned = true;
    return await banResponse(req, res);
+  } catch (error) {
+    logger.error('Error in checkBan middleware:', error);
  }
-
-  const banLogs = getLogStores(ViolationTypes.BAN);
-  const duration = banLogs.opts.ttl;
-
-  if (duration <= 0) {
-    return next();
-  }
-
-  let ipBan;
-  let userBan;
-
-  if (req.ip) {
-    ipBan = await banLogs.get(req.ip);
-  }
-
-  if (userId) {
-    userBan = await banLogs.get(userId);
-  }
-
-  const isBanned = !!(ipBan || userBan);
-
-  if (!isBanned) {
-    return next();
-  }
-
-  const timeLeft = Number(isBanned.expiresAt) - Date.now();
-
-  if (timeLeft <= 0 && ipKey) {
-    await banLogs.delete(ipKey);
-  }
-
-  if (timeLeft <= 0 && userKey) {
-    await banLogs.delete(userKey);
-    return next();
-  }
-
-  if (ipKey) {
-    banCache.set(ipKey, isBanned, timeLeft);
-  }
-
-  if (userKey) {
-    banCache.set(userKey, isBanned, timeLeft);
-  }
-
-  req.banned = true;
-  return await banResponse(req, res);
 };

 module.exports = checkBan;
--- a/api/server/routes/agents/index.js
+++ b/api/server/routes/agents/index.js
@ -9,7 +9,7 @@ const {
  // messageUserLimiter,
 } = require('~/server/middleware');

-const v1 = require('./v1');
+const { v1 } = require('./v1');
 const chat = require('./chat');

 router.use(requireJwtAuth);
--- a/api/server/routes/agents/v1.js
+++ b/api/server/routes/agents/v1.js
@ -1,4 +1,3 @@
-const multer = require('multer');
 const express = require('express');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
@ -6,8 +5,8 @@ const v1 = require('~/server/controllers/agents/v1');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();
+const avatar = express.Router();

 const checkAgentAccess = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
 const checkAgentCreate = generateCheckAccess(PermissionTypes.AGENTS, [
@ -81,12 +80,12 @@ router.get('/', checkAgentAccess, v1.getListAgents);

 /**
 * Uploads and updates an avatar for a specific agent.
- * @route POST /avatar/:agent_id
+ * @route POST /agents/:agent_id/avatar
 * @param {string} req.params.agent_id - The ID of the agent.
 * @param {Express.Multer.File} req.file - The avatar image file.
 * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:agent_id', checkAgentAccess, upload.single('file'), v1.uploadAgentAvatar);
+avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);

-module.exports = router;
+module.exports = { v1: router, avatar };
--- a/api/server/routes/assistants/index.js
+++ b/api/server/routes/assistants/index.js
@ -2,7 +2,7 @@ const express = require('express');
 const router = express.Router();
 const { uaParser, checkBan, requireJwtAuth } = require('~/server/middleware');

-const v1 = require('./v1');
+const { v1 } = require('./v1');
 const chatV1 = require('./chatV1');
 const v2 = require('./v2');
 const chatV2 = require('./chatV2');
--- a/api/server/routes/assistants/v1.js
+++ b/api/server/routes/assistants/v1.js
@ -1,12 +1,11 @@
-const multer = require('multer');
 const express = require('express');
 const controllers = require('~/server/controllers/assistants/v1');
 const documents = require('./documents');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();
+const avatar = express.Router();

 /**
 * Assistant actions route.
@ -71,12 +70,12 @@ router.get('/', controllers.listAssistants);

 /**
 * Uploads and updates an avatar for a specific assistant.
- * @route POST /avatar/:assistant_id
+ * @route POST /assistants/:assistant_id/avatar/
 * @param {string} req.params.assistant_id - The ID of the assistant.
 * @param {Express.Multer.File} req.file - The avatar image file.
 * @param {string} [req.body.metadata] - Optional metadata for the assistant's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:assistant_id', upload.single('file'), controllers.uploadAssistantAvatar);
+avatar.post('/:assistant_id/avatar/', controllers.uploadAssistantAvatar);

-module.exports = router;
+module.exports = { v1: router, avatar };
--- a/api/server/routes/assistants/v2.js
+++ b/api/server/routes/assistants/v2.js
@ -1,4 +1,3 @@
-const multer = require('multer');
 const express = require('express');
 const v1 = require('~/server/controllers/assistants/v1');
 const v2 = require('~/server/controllers/assistants/v2');
@ -6,7 +5,6 @@ const documents = require('./documents');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();

 /**
@ -78,6 +76,6 @@ router.get('/', v1.listAssistants);
 * @param {string} [req.body.metadata] - Optional metadata for the assistant's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:assistant_id', upload.single('file'), v1.uploadAssistantAvatar);
+router.post('/avatar/:assistant_id', v1.uploadAssistantAvatar);

 module.exports = router;
--- a/api/server/routes/files/avatar.js
+++ b/api/server/routes/files/avatar.js
@ -1,17 +1,18 @@
-const multer = require('multer');
+const fs = require('fs').promises;
 const express = require('express');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
+const { filterFile } = require('~/server/services/Files/process');
 const { logger } = require('~/config');

-const upload = multer();
 const router = express.Router();

-router.post('/', upload.single('input'), async (req, res) => {
+router.post('/', async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const userId = req.user.id;
    const { manual } = req.body;
-    const input = req.file.buffer;
+    const input = await fs.readFile(req.file.path);

    if (!userId) {
      throw new Error('User ID is undefined');
@ -33,6 +34,13 @@ router.post('/', upload.single('input'), async (req, res) => {
    const message = 'An error occurred while uploading the profile picture';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/files/images/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/files/images/avatar] Temp. image upload file already deleted');
+    }
  }
 });

--- a/api/server/routes/files/files.js
+++ b/api/server/routes/files/files.js
@ -231,7 +231,6 @@ router.post('/', async (req, res) => {
  } catch (error) {
    let message = 'Error processing file';
    logger.error('[/files] Error processing file:', error);
-    cleanup = false;

    if (error.message?.includes('file_ids')) {
      message += ': ' + error.message;
@ -240,6 +239,7 @@ router.post('/', async (req, res) => {
    // TODO: delete remote file if it exists
    try {
      await fs.unlink(file.path);
+      cleanup = false;
    } catch (error) {
      logger.error('[/files] Error deleting file:', error);
    }
--- a/api/server/routes/files/images.js
+++ b/api/server/routes/files/images.js
@ -30,6 +30,13 @@ router.post('/', async (req, res) => {
      logger.error('[/files/images] Error deleting file:', error);
    }
    res.status(500).json({ message: 'Error processing file' });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/files/images] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/files/images] Temp. image upload file already deleted');
+    }
  }
 });

--- a/api/server/routes/files/index.js
+++ b/api/server/routes/files/index.js
@ -1,5 +1,7 @@
 const express = require('express');
 const { uaParser, checkBan, requireJwtAuth, createFileLimiters } = require('~/server/middleware');
+const { avatar: asstAvatarRouter } = require('~/server/routes/assistants/v1');
+const { avatar: agentAvatarRouter } = require('~/server/routes/agents/v1');
 const { createMulterInstance } = require('./multer');

 const files = require('./files');
@ -13,18 +15,25 @@ const initialize = async () => {
  router.use(checkBan);
  router.use(uaParser);

+  const upload = await createMulterInstance();
+  router.post('/speech/stt', upload.single('audio'));
+
  /* Important: speech route must be added before the upload limiters */
  router.use('/speech', speech);

-  const upload = await createMulterInstance();
  const { fileUploadIpLimiter, fileUploadUserLimiter } = createFileLimiters();
  router.post('*', fileUploadIpLimiter, fileUploadUserLimiter);
  router.post('/', upload.single('file'));
  router.post('/images', upload.single('file'));
+  router.post('/images/avatar', upload.single('file'));
+  router.post('/images/agents/:agent_id/avatar', upload.single('file'));
+  router.post('/images/assistants/:assistant_id/avatar', upload.single('file'));

  router.use('/', files);
  router.use('/images', images);
  router.use('/images/avatar', avatar);
+  router.use('/images/agents', agentAvatarRouter);
+  router.use('/images/assistants', asstAvatarRouter);
  return router;
 };

--- a/api/server/routes/files/multer.js
+++ b/api/server/routes/files/multer.js
@ -3,6 +3,7 @@ const path = require('path');
 const crypto = require('crypto');
 const multer = require('multer');
 const { fileConfig: defaultFileConfig, mergeFileConfig } = require('librechat-data-provider');
+const { sanitizeFilename } = require('~/server/utils/handleText');
 const { getCustomConfig } = require('~/server/services/Config');

 const storage = multer.diskStorage({
@ -16,7 +17,8 @@ const storage = multer.diskStorage({
  filename: function (req, file, cb) {
    req.file_id = crypto.randomUUID();
    file.originalname = decodeURIComponent(file.originalname);
-    cb(null, `${file.originalname}`);
+    const sanitizedFilename = sanitizeFilename(file.originalname);
+    cb(null, sanitizedFilename);
  },
 });

@ -45,6 +47,10 @@ const createFileFilter = (customFileConfig) => {
      return cb(new Error('No file provided'), false);
    }

+    if (req.originalUrl.endsWith('/speech/stt') && file.mimetype.startsWith('audio/')) {
+      return cb(null, true);
+    }
+
    const endpoint = req.body.endpoint;
    const supportedTypes =
      customFileConfig?.endpoints?.[endpoint]?.supportedMimeTypes ??
--- a/api/server/routes/files/speech/stt.js
+++ b/api/server/routes/files/speech/stt.js
@ -1,13 +1,8 @@
 const express = require('express');
-const router = express.Router();
-const multer = require('multer');
-const { requireJwtAuth } = require('~/server/middleware/');
 const { speechToText } = require('~/server/services/Files/Audio');

-const upload = multer();
+const router = express.Router();

-router.post('/', requireJwtAuth, upload.single('audio'), async (req, res) => {
-  await speechToText(req, res);
-});
+router.post('/', speechToText);

 module.exports = router;
--- a/api/server/routes/prompts.js
+++ b/api/server/routes/prompts.js
@ -214,7 +214,7 @@ const deletePromptController = async (req, res) => {
    const { promptId } = req.params;
    const { groupId } = req.query;
    const author = req.user.id;
-    const query = { promptId, groupId, author, role: req.user.role };
+    const query = { promptId, groupId, author };
    if (req.user.role === SystemRoles.ADMIN) {
      delete query.author;
    }
@ -226,11 +226,24 @@ const deletePromptController = async (req, res) => {
  }
 };

-router.delete('/:promptId', checkPromptCreate, deletePromptController);
+/**
+ * Delete a prompt group
+ * @param {ServerRequest} req
+ * @param {ServerResponse} res
+ * @returns {Promise<TDeletePromptGroupResponse>}
+ */
+const deletePromptGroupController = async (req, res) => {
+  try {
+    const { groupId: _id } = req.params;
+    const message = await deletePromptGroup({ _id, author: req.user.id, role: req.user.role });
+    res.send(message);
+  } catch (error) {
+    logger.error('Error deleting prompt group', error);
+    res.status(500).send({ message: 'Error deleting prompt group' });
+  }
+};

-router.delete('/groups/:groupId', checkPromptCreate, async (req, res) => {
-  const { groupId } = req.params;
-  res.status(200).send(await deletePromptGroup(groupId));
-});
+router.delete('/:promptId', checkPromptCreate, deletePromptController);
+router.delete('/groups/:groupId', checkPromptCreate, deletePromptGroupController);

 module.exports = router;
--- a/api/server/services/Files/Audio/STTService.js
+++ b/api/server/services/Files/Audio/STTService.js
@ -1,4 +1,5 @@
 const axios = require('axios');
+const fs = require('fs').promises;
 const FormData = require('form-data');
 const { Readable } = require('stream');
 const { extractEnvVariable, STTProviders } = require('librechat-data-provider');
@ -200,11 +201,11 @@ class STTService {
   * @returns {Promise<void>}
   */
  async processTextToSpeech(req, res) {
-    if (!req.file || !req.file.buffer) {
+    if (!req.file) {
      return res.status(400).json({ message: 'No audio file provided in the FormData' });
    }

-    const audioBuffer = req.file.buffer;
+    const audioBuffer = await fs.readFile(req.file.path);
    const audioFile = {
      originalname: req.file.originalname,
      mimetype: req.file.mimetype,
@ -218,6 +219,13 @@ class STTService {
    } catch (error) {
      logger.error('An error occurred while processing the audio:', error);
      res.sendStatus(500);
+    } finally {
+      try {
+        await fs.unlink(req.file.path);
+        logger.debug('[/speech/stt] Temp. audio upload file deleted');
+      } catch (error) {
+        logger.debug('[/speech/stt] Temp. audio upload file already deleted');
+      }
    }
  }
 }
--- a/api/server/services/Files/process.js
+++ b/api/server/services/Files/process.js
@ -716,14 +716,15 @@ async function retrieveAndProcessFile({
 * @param {number} [params.req.version]
 * @param {Express.Multer.File} params.file - The file uploaded to the server via multer.
 * @param {boolean} [params.image] - Whether the file expected is an image.
+ * @param {boolean} [params.isAvatar] - Whether the file expected is a user or entity avatar.
 * @returns {void}
 *
 * @throws {Error} If a file exception is caught (invalid file size or type, lack of metadata).
 */
-function filterFile({ req, file, image }) {
+function filterFile({ req, file, image, isAvatar }) {
  const { endpoint, file_id, width, height } = req.body;

-  if (!file_id) {
+  if (!file_id && !isAvatar) {
    throw new Error('No file_id provided');
  }

@ -732,20 +733,25 @@ function filterFile({ req, file, image }) {
  }

  /* parse to validate api call, throws error on fail */
-  isUUID.parse(file_id);
+  if (!isAvatar) {
+    isUUID.parse(file_id);
+  }

-  if (!endpoint) {
+  if (!endpoint && !isAvatar) {
    throw new Error('No endpoint provided');
  }

  const fileConfig = mergeFileConfig(req.app.locals.fileConfig);

-  const { fileSizeLimit, supportedMimeTypes } =
+  const { fileSizeLimit: sizeLimit, supportedMimeTypes } =
    fileConfig.endpoints[endpoint] ?? fileConfig.endpoints.default;
+  const fileSizeLimit = isAvatar === true ? fileConfig.avatarSizeLimit : sizeLimit;

  if (file.size > fileSizeLimit) {
    throw new Error(
-      `File size limit of ${fileSizeLimit / megabyte} MB exceeded for ${endpoint} endpoint`,
+      `File size limit of ${fileSizeLimit / megabyte} MB exceeded for ${
+        isAvatar ? 'avatar upload' : `${endpoint} endpoint`
+      }`,
    );
  }

@ -755,7 +761,7 @@ function filterFile({ req, file, image }) {
    throw new Error('Unsupported file type');
  }

-  if (!image) {
+  if (!image || isAvatar === true) {
    return;
  }

--- a/api/server/utils/handleText.js
+++ b/api/server/utils/handleText.js
@ -1,3 +1,5 @@
+const path = require('path');
+const crypto = require('crypto');
 const {
  Capabilities,
  EModelEndpoint,
@ -222,6 +224,38 @@ function normalizeEndpointName(name = '') {
  return name.toLowerCase() === Providers.OLLAMA ? Providers.OLLAMA : name;
 }

+/**
+ * Sanitize a filename by removing any directory components, replacing non-alphanumeric characters
+ * @param {string} inputName
+ * @returns {string}
+ */
+function sanitizeFilename(inputName) {
+  // Remove any directory components
+  let name = path.basename(inputName);
+
+  // Replace any non-alphanumeric characters except for '.' and '-'
+  name = name.replace(/[^a-zA-Z0-9.-]/g, '_');
+
+  // Ensure the name doesn't start with a dot (hidden file in Unix-like systems)
+  if (name.startsWith('.') || name === '') {
+    name = '_' + name;
+  }
+
+  // Limit the length of the filename
+  const MAX_LENGTH = 255;
+  if (name.length > MAX_LENGTH) {
+    const ext = path.extname(name);
+    const nameWithoutExt = path.basename(name, ext);
+    name =
+      nameWithoutExt.slice(0, MAX_LENGTH - ext.length - 7) +
+      '-' +
+      crypto.randomBytes(3).toString('hex') +
+      ext;
+  }
+
+  return name;
+}
+
 module.exports = {
  isEnabled,
  handleText,
@ -231,5 +265,6 @@ module.exports = {
  generateConfig,
  addSpaceIfNeeded,
  createOnProgress,
+  sanitizeFilename,
  normalizeEndpointName,
 };
--- a/api/server/utils/handleText.spec.js
+++ b/api/server/utils/handleText.spec.js
@ -1,4 +1,4 @@
-const { isEnabled } = require('./handleText');
+const { isEnabled, sanitizeFilename } = require('./handleText');

 describe('isEnabled', () => {
  test('should return true when input is "true"', () => {
@ -49,3 +49,51 @@ describe('isEnabled', () => {
    expect(isEnabled([])).toBe(false);
  });
 });
+
+jest.mock('crypto', () => ({
+  randomBytes: jest.fn().mockReturnValue(Buffer.from('abc123', 'hex')),
+}));
+
+describe('sanitizeFilename', () => {
+  test('removes directory components (1/2)', () => {
+    expect(sanitizeFilename('/path/to/file.txt')).toBe('file.txt');
+  });
+
+  test('removes directory components (2/2)', () => {
+    expect(sanitizeFilename('../../../../file.txt')).toBe('file.txt');
+  });
+
+  test('replaces non-alphanumeric characters', () => {
+    expect(sanitizeFilename('file name@#$.txt')).toBe('file_name___.txt');
+  });
+
+  test('preserves dots and hyphens', () => {
+    expect(sanitizeFilename('file-name.with.dots.txt')).toBe('file-name.with.dots.txt');
+  });
+
+  test('prepends underscore to filenames starting with a dot', () => {
+    expect(sanitizeFilename('.hiddenfile')).toBe('_.hiddenfile');
+  });
+
+  test('truncates long filenames', () => {
+    const longName = 'a'.repeat(300) + '.txt';
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123\.txt$/);
+  });
+
+  test('handles filenames with no extension', () => {
+    const longName = 'a'.repeat(300);
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123$/);
+  });
+
+  test('handles empty input', () => {
+    expect(sanitizeFilename('')).toBe('_');
+  });
+
+  test('handles input with only special characters', () => {
+    expect(sanitizeFilename('@#$%^&*')).toBe('_______');
+  });
+});