🛡️ fix: Enhance File Upload Security & Error Handling (#4705)

* fix: sanitize filename in multer storage callback * fix: ensure temporary image upload file is deleted after processing * fix: prevent cleanup flag from being set to false before actually deleted * refactor: user avatar, typing, use 'file' for formData instead of 'input', add disk storage, use localization * fix: update Avatar component to include image dimensions in formData and refactor editor reference type * fix: refactor avatar upload handling to use fs for file reading and enhance file validation * fix: ensure temporary image upload file is deleted after processing * fix: refactor avatar upload routes and handlers for agents and assistants, improve file handling and validation * fix: improve audio file validation and cleanup * fix: add filename sanitization utility and integrate it into multer storage configuration * fix: update group project ID check for null and refactor delete prompt group response type * fix: invalid access control for deleting prompt groups * fix: add error handling and logging to checkBan middleware * fix: catch conversation parsing errors * chore: revert unnecessary height and width parameters from avatar upload * chore: update librechat-data-provider version to 0.7.55 * style: ensure KaTeX can spread across visible space
2025-12-17 08:50:15 +01:00 · 2024-11-12 16:41:04 -05:00 · 2024-11-12 16:41:04 -05:00 · d012da0065
commit d012da0065
parent 3c94ff2c04
33 changed files with 373 additions and 186 deletions
--- a/api/server/utils/handleText.spec.js
+++ b/api/server/utils/handleText.spec.js
@ -1,4 +1,4 @@
-const { isEnabled } = require('./handleText');
+const { isEnabled, sanitizeFilename } = require('./handleText');

 describe('isEnabled', () => {
  test('should return true when input is "true"', () => {
@ -49,3 +49,51 @@ describe('isEnabled', () => {
    expect(isEnabled([])).toBe(false);
  });
 });
+
+jest.mock('crypto', () => ({
+  randomBytes: jest.fn().mockReturnValue(Buffer.from('abc123', 'hex')),
+}));
+
+describe('sanitizeFilename', () => {
+  test('removes directory components (1/2)', () => {
+    expect(sanitizeFilename('/path/to/file.txt')).toBe('file.txt');
+  });
+
+  test('removes directory components (2/2)', () => {
+    expect(sanitizeFilename('../../../../file.txt')).toBe('file.txt');
+  });
+
+  test('replaces non-alphanumeric characters', () => {
+    expect(sanitizeFilename('file name@#$.txt')).toBe('file_name___.txt');
+  });
+
+  test('preserves dots and hyphens', () => {
+    expect(sanitizeFilename('file-name.with.dots.txt')).toBe('file-name.with.dots.txt');
+  });
+
+  test('prepends underscore to filenames starting with a dot', () => {
+    expect(sanitizeFilename('.hiddenfile')).toBe('_.hiddenfile');
+  });
+
+  test('truncates long filenames', () => {
+    const longName = 'a'.repeat(300) + '.txt';
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123\.txt$/);
+  });
+
+  test('handles filenames with no extension', () => {
+    const longName = 'a'.repeat(300);
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123$/);
+  });
+
+  test('handles empty input', () => {
+    expect(sanitizeFilename('')).toBe('_');
+  });
+
+  test('handles input with only special characters', () => {
+    expect(sanitizeFilename('@#$%^&*')).toBe('_______');
+  });
+});