🛡️ fix: Enhance File Upload Security & Error Handling (#4705)

* fix: sanitize filename in multer storage callback * fix: ensure temporary image upload file is deleted after processing * fix: prevent cleanup flag from being set to false before actually deleted * refactor: user avatar, typing, use 'file' for formData instead of 'input', add disk storage, use localization * fix: update Avatar component to include image dimensions in formData and refactor editor reference type * fix: refactor avatar upload handling to use fs for file reading and enhance file validation * fix: ensure temporary image upload file is deleted after processing * fix: refactor avatar upload routes and handlers for agents and assistants, improve file handling and validation * fix: improve audio file validation and cleanup * fix: add filename sanitization utility and integrate it into multer storage configuration * fix: update group project ID check for null and refactor delete prompt group response type * fix: invalid access control for deleting prompt groups * fix: add error handling and logging to checkBan middleware * fix: catch conversation parsing errors * chore: revert unnecessary height and width parameters from avatar upload * chore: update librechat-data-provider version to 0.7.55 * style: ensure KaTeX can spread across visible space
2025-12-17 17:00:15 +01:00 · 2024-11-12 16:41:04 -05:00 · 2024-11-12 16:41:04 -05:00 · d012da0065
commit d012da0065
parent 3c94ff2c04
33 changed files with 373 additions and 186 deletions
--- a/api/models/Prompt.js
+++ b/api/models/Prompt.js
@ -92,7 +92,7 @@ const createAllGroupsPipeline = (

 /**
 * Get all prompt groups with filters
- * @param {Object} req
+ * @param {ServerRequest} req
 * @param {TPromptGroupsWithFilterRequest} filter
 * @returns {Promise<PromptGroupListResponse>}
 */
@ -142,7 +142,7 @@ const getAllPromptGroups = async (req, filter) => {

 /**
 * Get prompt groups with filters
- * @param {Object} req
+ * @param {ServerRequest} req
 * @param {TPromptGroupsWithFilterRequest} filter
 * @returns {Promise<PromptGroupListResponse>}
 */
@ -213,8 +213,34 @@ const getPromptGroups = async (req, filter) => {
  }
 };

+/**
+ * @param {Object} fields
+ * @param {string} fields._id
+ * @param {string} fields.author
+ * @param {string} fields.role
+ * @returns {Promise<TDeletePromptGroupResponse>}
+ */
+const deletePromptGroup = async ({ _id, author, role }) => {
+  const query = { _id, author };
+  const groupQuery = { groupId: new ObjectId(_id), author };
+  if (role === SystemRoles.ADMIN) {
+    delete query.author;
+    delete groupQuery.author;
+  }
+  const response = await PromptGroup.deleteOne(query);
+
+  if (!response || response.deletedCount === 0) {
+    throw new Error('Prompt group not found');
+  }
+
+  await Prompt.deleteMany(groupQuery);
+  await removeGroupFromAllProjects(_id);
+  return { message: 'Prompt group deleted successfully' };
+};
+
 module.exports = {
  getPromptGroups,
+  deletePromptGroup,
  getAllPromptGroups,
  /**
   * Create a prompt and its respective group
@ -510,20 +536,4 @@ module.exports = {
      return { message: 'Error updating prompt labels' };
    }
  },
-  deletePromptGroup: async (_id) => {
-    try {
-      const response = await PromptGroup.deleteOne({ _id });
-
-      if (response.deletedCount === 0) {
-        return { promptGroup: 'Prompt group not found' };
-      }
-
-      await Prompt.deleteMany({ groupId: new ObjectId(_id) });
-      await removeGroupFromAllProjects(_id);
-      return { promptGroup: 'Prompt group deleted successfully' };
-    } catch (error) {
-      logger.error('Error deleting prompt group', error);
-      return { message: 'Error deleting prompt group' };
-    }
-  },
 };
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@ -1,3 +1,4 @@
+const fs = require('fs').promises;
 const { nanoid } = require('nanoid');
 const { FileContext, Constants, Tools, SystemRoles } = require('librechat-data-provider');
 const {
@ -7,8 +8,8 @@ const {
  deleteAgent,
  getListAgents,
 } = require('~/models/Agent');
+const { uploadImageBuffer, filterFile } = require('~/server/services/Files/process');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
-const { uploadImageBuffer } = require('~/server/services/Files/process');
 const { getProjectByName } = require('~/models/Project');
 const { updateAgentProjects } = require('~/models/Agent');
 const { deleteFileByFilter } = require('~/models/File');
@ -210,7 +211,7 @@ const getListAgentsHandler = async (req, res) => {

 /**
 * Uploads and updates an avatar for a specific agent.
- * @route POST /avatar/:agent_id
+ * @route POST /:agent_id/avatar
 * @param {object} req - Express Request
 * @param {object} req.params - Request params
 * @param {string} req.params.agent_id - The ID of the agent.
@ -221,17 +222,17 @@ const getListAgentsHandler = async (req, res) => {
 */
 const uploadAgentAvatarHandler = async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const { agent_id } = req.params;
    if (!agent_id) {
      return res.status(400).json({ message: 'Agent ID is required' });
    }

+    const buffer = await fs.readFile(req.file.path);
    const image = await uploadImageBuffer({
      req,
      context: FileContext.avatar,
-      metadata: {
-        buffer: req.file.buffer,
-      },
+      metadata: { buffer },
    });

    let _avatar;
@ -239,7 +240,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
      const agent = await getAgent({ id: agent_id });
      _avatar = agent.avatar;
    } catch (error) {
-      logger.error('[/avatar/:agent_id] Error fetching agent', error);
+      logger.error('[/:agent_id/avatar] Error fetching agent', error);
      _avatar = {};
    }

@ -249,7 +250,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
        await deleteFile(req, { filepath: _avatar.filepath });
        await deleteFileByFilter({ user: req.user.id, filepath: _avatar.filepath });
      } catch (error) {
-        logger.error('[/avatar/:agent_id] Error deleting old avatar', error);
+        logger.error('[/:agent_id/avatar] Error deleting old avatar', error);
      }
    }

@ -270,6 +271,13 @@ const uploadAgentAvatarHandler = async (req, res) => {
    const message = 'An error occurred while updating the Agent Avatar';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/:agent_id/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/:agent_id/avatar] Temp. image upload file already deleted');
+    }
  }
 };

--- a/api/server/controllers/assistants/v1.js
+++ b/api/server/controllers/assistants/v1.js
@ -1,9 +1,10 @@
+const fs = require('fs').promises;
 const { FileContext } = require('librechat-data-provider');
+const { uploadImageBuffer, filterFile } = require('~/server/services/Files/process');
 const validateAuthor = require('~/server/middleware/assistants/validateAuthor');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { deleteAssistantActions } = require('~/server/services/ActionService');
 const { updateAssistantDoc, getAssistants } = require('~/models/Assistant');
-const { uploadImageBuffer } = require('~/server/services/Files/process');
 const { getOpenAIClient, fetchAssistants } = require('./helpers');
 const { deleteFileByFilter } = require('~/models/File');
 const { logger } = require('~/config');
@ -235,7 +236,7 @@ const getAssistantDocuments = async (req, res) => {

 /**
 * Uploads and updates an avatar for a specific assistant.
- * @route POST /avatar/:assistant_id
+ * @route POST /:assistant_id/avatar
 * @param {object} req - Express Request
 * @param {object} req.params - Request params
 * @param {string} req.params.assistant_id - The ID of the assistant.
@ -245,6 +246,7 @@ const getAssistantDocuments = async (req, res) => {
 */
 const uploadAssistantAvatar = async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const { assistant_id } = req.params;
    if (!assistant_id) {
      return res.status(400).json({ message: 'Assistant ID is required' });
@ -253,12 +255,11 @@ const uploadAssistantAvatar = async (req, res) => {
    const { openai } = await getOpenAIClient({ req, res });
    await validateAuthor({ req, openai });

+    const buffer = await fs.readFile(req.file.path);
    const image = await uploadImageBuffer({
      req,
      context: FileContext.avatar,
-      metadata: {
-        buffer: req.file.buffer,
-      },
+      metadata: { buffer },
    });

    let _metadata;
@ -269,7 +270,7 @@ const uploadAssistantAvatar = async (req, res) => {
        _metadata = assistant.metadata;
      }
    } catch (error) {
-      logger.error('[/avatar/:assistant_id] Error fetching assistant', error);
+      logger.error('[/:assistant_id/avatar] Error fetching assistant', error);
      _metadata = {};
    }

@ -279,7 +280,7 @@ const uploadAssistantAvatar = async (req, res) => {
        await deleteFile(req, { filepath: _metadata.avatar });
        await deleteFileByFilter({ user: req.user.id, filepath: _metadata.avatar });
      } catch (error) {
-        logger.error('[/avatar/:assistant_id] Error deleting old avatar', error);
+        logger.error('[/:assistant_id/avatar] Error deleting old avatar', error);
      }
    }

@ -310,6 +311,13 @@ const uploadAssistantAvatar = async (req, res) => {
    const message = 'An error occurred while updating the Assistant Avatar';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/:agent_id/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/:agent_id/avatar] Temp. image upload file already deleted');
+    }
  }
 };

--- a/api/server/middleware/buildEndpointOption.js
+++ b/api/server/middleware/buildEndpointOption.js
@ -27,7 +27,12 @@ const buildFunction = {

 async function buildEndpointOption(req, res, next) {
  const { endpoint, endpointType } = req.body;
-  let parsedBody = parseCompactConvo({ endpoint, endpointType, conversation: req.body });
+  let parsedBody;
+  try {
+    parsedBody = parseCompactConvo({ endpoint, endpointType, conversation: req.body });
+  } catch (error) {
+    return handleError(res, { text: 'Error parsing conversation' });
+  }

  if (req.app.locals.modelSpecs?.list && req.app.locals.modelSpecs?.enforce) {
    /** @type {{ list: TModelSpec[] }}*/
@ -56,11 +61,15 @@ async function buildEndpointOption(req, res, next) {
      });
    }

+    try {
      parsedBody = parseCompactConvo({
        endpoint,
        endpointType,
        conversation: currentModelSpec.preset,
      });
+    } catch (error) {
+      return handleError(res, { text: 'Error parsing model spec' });
+    }
  }

  const endpointFn = buildFunction[endpointType ?? endpoint];
--- a/api/server/middleware/checkBan.js
+++ b/api/server/middleware/checkBan.js
@ -6,6 +6,7 @@ const keyvMongo = require('~/cache/keyvMongo');
 const denyRequest = require('./denyRequest');
 const { getLogStores } = require('~/cache');
 const { findUser } = require('~/models');
+const { logger } = require('~/config');

 const banCache = new Keyv({ store: keyvMongo, namespace: ViolationTypes.BAN, ttl: 0 });
 const message = 'Your account has been temporarily banned due to violations of our service.';
@ -45,6 +46,7 @@ const banResponse = async (req, res) => {
 * @returns {Promise<function|Object>} - Returns a Promise which when resolved calls next middleware if user or source IP is not banned. Otherwise calls `banResponse()` and sets ban details in `banCache`.
 */
 const checkBan = async (req, res, next = () => {}) => {
+  try {
    const { BAN_VIOLATIONS } = process.env ?? {};

    if (!isEnabled(BAN_VIOLATIONS)) {
@ -131,6 +133,9 @@ const checkBan = async (req, res, next = () => {}) => {

    req.banned = true;
    return await banResponse(req, res);
+  } catch (error) {
+    logger.error('Error in checkBan middleware:', error);
+  }
 };

 module.exports = checkBan;
--- a/api/server/routes/agents/index.js
+++ b/api/server/routes/agents/index.js
@ -9,7 +9,7 @@ const {
  // messageUserLimiter,
 } = require('~/server/middleware');

-const v1 = require('./v1');
+const { v1 } = require('./v1');
 const chat = require('./chat');

 router.use(requireJwtAuth);
--- a/api/server/routes/agents/v1.js
+++ b/api/server/routes/agents/v1.js
@ -1,4 +1,3 @@
-const multer = require('multer');
 const express = require('express');
 const { PermissionTypes, Permissions } = require('librechat-data-provider');
 const { requireJwtAuth, generateCheckAccess } = require('~/server/middleware');
@ -6,8 +5,8 @@ const v1 = require('~/server/controllers/agents/v1');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();
+const avatar = express.Router();

 const checkAgentAccess = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
 const checkAgentCreate = generateCheckAccess(PermissionTypes.AGENTS, [
@ -81,12 +80,12 @@ router.get('/', checkAgentAccess, v1.getListAgents);

 /**
 * Uploads and updates an avatar for a specific agent.
- * @route POST /avatar/:agent_id
+ * @route POST /agents/:agent_id/avatar
 * @param {string} req.params.agent_id - The ID of the agent.
 * @param {Express.Multer.File} req.file - The avatar image file.
 * @param {string} [req.body.metadata] - Optional metadata for the agent's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:agent_id', checkAgentAccess, upload.single('file'), v1.uploadAgentAvatar);
+avatar.post('/:agent_id/avatar/', checkAgentAccess, v1.uploadAgentAvatar);

-module.exports = router;
+module.exports = { v1: router, avatar };
--- a/api/server/routes/assistants/index.js
+++ b/api/server/routes/assistants/index.js
@ -2,7 +2,7 @@ const express = require('express');
 const router = express.Router();
 const { uaParser, checkBan, requireJwtAuth } = require('~/server/middleware');

-const v1 = require('./v1');
+const { v1 } = require('./v1');
 const chatV1 = require('./chatV1');
 const v2 = require('./v2');
 const chatV2 = require('./chatV2');
--- a/api/server/routes/assistants/v1.js
+++ b/api/server/routes/assistants/v1.js
@ -1,12 +1,11 @@
-const multer = require('multer');
 const express = require('express');
 const controllers = require('~/server/controllers/assistants/v1');
 const documents = require('./documents');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();
+const avatar = express.Router();

 /**
 * Assistant actions route.
@ -71,12 +70,12 @@ router.get('/', controllers.listAssistants);

 /**
 * Uploads and updates an avatar for a specific assistant.
- * @route POST /avatar/:assistant_id
+ * @route POST /assistants/:assistant_id/avatar/
 * @param {string} req.params.assistant_id - The ID of the assistant.
 * @param {Express.Multer.File} req.file - The avatar image file.
 * @param {string} [req.body.metadata] - Optional metadata for the assistant's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:assistant_id', upload.single('file'), controllers.uploadAssistantAvatar);
+avatar.post('/:assistant_id/avatar/', controllers.uploadAssistantAvatar);

-module.exports = router;
+module.exports = { v1: router, avatar };
--- a/api/server/routes/assistants/v2.js
+++ b/api/server/routes/assistants/v2.js
@ -1,4 +1,3 @@
-const multer = require('multer');
 const express = require('express');
 const v1 = require('~/server/controllers/assistants/v1');
 const v2 = require('~/server/controllers/assistants/v2');
@ -6,7 +5,6 @@ const documents = require('./documents');
 const actions = require('./actions');
 const tools = require('./tools');

-const upload = multer();
 const router = express.Router();

 /**
@ -78,6 +76,6 @@ router.get('/', v1.listAssistants);
 * @param {string} [req.body.metadata] - Optional metadata for the assistant's avatar.
 * @returns {Object} 200 - success response - application/json
 */
-router.post('/avatar/:assistant_id', upload.single('file'), v1.uploadAssistantAvatar);
+router.post('/avatar/:assistant_id', v1.uploadAssistantAvatar);

 module.exports = router;
--- a/api/server/routes/files/avatar.js
+++ b/api/server/routes/files/avatar.js
@ -1,17 +1,18 @@
-const multer = require('multer');
+const fs = require('fs').promises;
 const express = require('express');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { resizeAvatar } = require('~/server/services/Files/images/avatar');
+const { filterFile } = require('~/server/services/Files/process');
 const { logger } = require('~/config');

-const upload = multer();
 const router = express.Router();

-router.post('/', upload.single('input'), async (req, res) => {
+router.post('/', async (req, res) => {
  try {
+    filterFile({ req, file: req.file, image: true, isAvatar: true });
    const userId = req.user.id;
    const { manual } = req.body;
-    const input = req.file.buffer;
+    const input = await fs.readFile(req.file.path);

    if (!userId) {
      throw new Error('User ID is undefined');
@ -33,6 +34,13 @@ router.post('/', upload.single('input'), async (req, res) => {
    const message = 'An error occurred while uploading the profile picture';
    logger.error(message, error);
    res.status(500).json({ message });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/files/images/avatar] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/files/images/avatar] Temp. image upload file already deleted');
+    }
  }
 });

--- a/api/server/routes/files/files.js
+++ b/api/server/routes/files/files.js
@ -231,7 +231,6 @@ router.post('/', async (req, res) => {
  } catch (error) {
    let message = 'Error processing file';
    logger.error('[/files] Error processing file:', error);
-    cleanup = false;

    if (error.message?.includes('file_ids')) {
      message += ': ' + error.message;
@ -240,6 +239,7 @@ router.post('/', async (req, res) => {
    // TODO: delete remote file if it exists
    try {
      await fs.unlink(file.path);
+      cleanup = false;
    } catch (error) {
      logger.error('[/files] Error deleting file:', error);
    }
--- a/api/server/routes/files/images.js
+++ b/api/server/routes/files/images.js
@ -30,6 +30,13 @@ router.post('/', async (req, res) => {
      logger.error('[/files/images] Error deleting file:', error);
    }
    res.status(500).json({ message: 'Error processing file' });
+  } finally {
+    try {
+      await fs.unlink(req.file.path);
+      logger.debug('[/files/images] Temp. image upload file deleted');
+    } catch (error) {
+      logger.debug('[/files/images] Temp. image upload file already deleted');
+    }
  }
 });

--- a/api/server/routes/files/index.js
+++ b/api/server/routes/files/index.js
@ -1,5 +1,7 @@
 const express = require('express');
 const { uaParser, checkBan, requireJwtAuth, createFileLimiters } = require('~/server/middleware');
+const { avatar: asstAvatarRouter } = require('~/server/routes/assistants/v1');
+const { avatar: agentAvatarRouter } = require('~/server/routes/agents/v1');
 const { createMulterInstance } = require('./multer');

 const files = require('./files');
@ -13,18 +15,25 @@ const initialize = async () => {
  router.use(checkBan);
  router.use(uaParser);

+  const upload = await createMulterInstance();
+  router.post('/speech/stt', upload.single('audio'));
+
  /* Important: speech route must be added before the upload limiters */
  router.use('/speech', speech);

-  const upload = await createMulterInstance();
  const { fileUploadIpLimiter, fileUploadUserLimiter } = createFileLimiters();
  router.post('*', fileUploadIpLimiter, fileUploadUserLimiter);
  router.post('/', upload.single('file'));
  router.post('/images', upload.single('file'));
+  router.post('/images/avatar', upload.single('file'));
+  router.post('/images/agents/:agent_id/avatar', upload.single('file'));
+  router.post('/images/assistants/:assistant_id/avatar', upload.single('file'));

  router.use('/', files);
  router.use('/images', images);
  router.use('/images/avatar', avatar);
+  router.use('/images/agents', agentAvatarRouter);
+  router.use('/images/assistants', asstAvatarRouter);
  return router;
 };

--- a/api/server/routes/files/multer.js
+++ b/api/server/routes/files/multer.js
@ -3,6 +3,7 @@ const path = require('path');
 const crypto = require('crypto');
 const multer = require('multer');
 const { fileConfig: defaultFileConfig, mergeFileConfig } = require('librechat-data-provider');
+const { sanitizeFilename } = require('~/server/utils/handleText');
 const { getCustomConfig } = require('~/server/services/Config');

 const storage = multer.diskStorage({
@ -16,7 +17,8 @@ const storage = multer.diskStorage({
  filename: function (req, file, cb) {
    req.file_id = crypto.randomUUID();
    file.originalname = decodeURIComponent(file.originalname);
-    cb(null, `${file.originalname}`);
+    const sanitizedFilename = sanitizeFilename(file.originalname);
+    cb(null, sanitizedFilename);
  },
 });

@ -45,6 +47,10 @@ const createFileFilter = (customFileConfig) => {
      return cb(new Error('No file provided'), false);
    }

+    if (req.originalUrl.endsWith('/speech/stt') && file.mimetype.startsWith('audio/')) {
+      return cb(null, true);
+    }
+
    const endpoint = req.body.endpoint;
    const supportedTypes =
      customFileConfig?.endpoints?.[endpoint]?.supportedMimeTypes ??
--- a/api/server/routes/files/speech/stt.js
+++ b/api/server/routes/files/speech/stt.js
@ -1,13 +1,8 @@
 const express = require('express');
-const router = express.Router();
-const multer = require('multer');
-const { requireJwtAuth } = require('~/server/middleware/');
 const { speechToText } = require('~/server/services/Files/Audio');

-const upload = multer();
+const router = express.Router();

-router.post('/', requireJwtAuth, upload.single('audio'), async (req, res) => {
-  await speechToText(req, res);
-});
+router.post('/', speechToText);

 module.exports = router;
--- a/api/server/routes/prompts.js
+++ b/api/server/routes/prompts.js
@ -214,7 +214,7 @@ const deletePromptController = async (req, res) => {
    const { promptId } = req.params;
    const { groupId } = req.query;
    const author = req.user.id;
-    const query = { promptId, groupId, author, role: req.user.role };
+    const query = { promptId, groupId, author };
    if (req.user.role === SystemRoles.ADMIN) {
      delete query.author;
    }
@ -226,11 +226,24 @@ const deletePromptController = async (req, res) => {
  }
 };

-router.delete('/:promptId', checkPromptCreate, deletePromptController);
+/**
+ * Delete a prompt group
+ * @param {ServerRequest} req
+ * @param {ServerResponse} res
+ * @returns {Promise<TDeletePromptGroupResponse>}
+ */
+const deletePromptGroupController = async (req, res) => {
+  try {
+    const { groupId: _id } = req.params;
+    const message = await deletePromptGroup({ _id, author: req.user.id, role: req.user.role });
+    res.send(message);
+  } catch (error) {
+    logger.error('Error deleting prompt group', error);
+    res.status(500).send({ message: 'Error deleting prompt group' });
+  }
+};

-router.delete('/groups/:groupId', checkPromptCreate, async (req, res) => {
-  const { groupId } = req.params;
-  res.status(200).send(await deletePromptGroup(groupId));
-});
+router.delete('/:promptId', checkPromptCreate, deletePromptController);
+router.delete('/groups/:groupId', checkPromptCreate, deletePromptGroupController);

 module.exports = router;
--- a/api/server/services/Files/Audio/STTService.js
+++ b/api/server/services/Files/Audio/STTService.js
@ -1,4 +1,5 @@
 const axios = require('axios');
+const fs = require('fs').promises;
 const FormData = require('form-data');
 const { Readable } = require('stream');
 const { extractEnvVariable, STTProviders } = require('librechat-data-provider');
@ -200,11 +201,11 @@ class STTService {
   * @returns {Promise<void>}
   */
  async processTextToSpeech(req, res) {
-    if (!req.file || !req.file.buffer) {
+    if (!req.file) {
      return res.status(400).json({ message: 'No audio file provided in the FormData' });
    }

-    const audioBuffer = req.file.buffer;
+    const audioBuffer = await fs.readFile(req.file.path);
    const audioFile = {
      originalname: req.file.originalname,
      mimetype: req.file.mimetype,
@ -218,6 +219,13 @@ class STTService {
    } catch (error) {
      logger.error('An error occurred while processing the audio:', error);
      res.sendStatus(500);
+    } finally {
+      try {
+        await fs.unlink(req.file.path);
+        logger.debug('[/speech/stt] Temp. audio upload file deleted');
+      } catch (error) {
+        logger.debug('[/speech/stt] Temp. audio upload file already deleted');
+      }
    }
  }
 }
--- a/api/server/services/Files/process.js
+++ b/api/server/services/Files/process.js
@ -716,14 +716,15 @@ async function retrieveAndProcessFile({
 * @param {number} [params.req.version]
 * @param {Express.Multer.File} params.file - The file uploaded to the server via multer.
 * @param {boolean} [params.image] - Whether the file expected is an image.
+ * @param {boolean} [params.isAvatar] - Whether the file expected is a user or entity avatar.
 * @returns {void}
 *
 * @throws {Error} If a file exception is caught (invalid file size or type, lack of metadata).
 */
-function filterFile({ req, file, image }) {
+function filterFile({ req, file, image, isAvatar }) {
  const { endpoint, file_id, width, height } = req.body;

-  if (!file_id) {
+  if (!file_id && !isAvatar) {
    throw new Error('No file_id provided');
  }

@ -732,20 +733,25 @@ function filterFile({ req, file, image }) {
  }

  /* parse to validate api call, throws error on fail */
+  if (!isAvatar) {
    isUUID.parse(file_id);
+  }

-  if (!endpoint) {
+  if (!endpoint && !isAvatar) {
    throw new Error('No endpoint provided');
  }

  const fileConfig = mergeFileConfig(req.app.locals.fileConfig);

-  const { fileSizeLimit, supportedMimeTypes } =
+  const { fileSizeLimit: sizeLimit, supportedMimeTypes } =
    fileConfig.endpoints[endpoint] ?? fileConfig.endpoints.default;
+  const fileSizeLimit = isAvatar === true ? fileConfig.avatarSizeLimit : sizeLimit;

  if (file.size > fileSizeLimit) {
    throw new Error(
-      `File size limit of ${fileSizeLimit / megabyte} MB exceeded for ${endpoint} endpoint`,
+      `File size limit of ${fileSizeLimit / megabyte} MB exceeded for ${
+        isAvatar ? 'avatar upload' : `${endpoint} endpoint`
+      }`,
    );
  }

@ -755,7 +761,7 @@ function filterFile({ req, file, image }) {
    throw new Error('Unsupported file type');
  }

-  if (!image) {
+  if (!image || isAvatar === true) {
    return;
  }

--- a/api/server/utils/handleText.js
+++ b/api/server/utils/handleText.js
@ -1,3 +1,5 @@
+const path = require('path');
+const crypto = require('crypto');
 const {
  Capabilities,
  EModelEndpoint,
@ -222,6 +224,38 @@ function normalizeEndpointName(name = '') {
  return name.toLowerCase() === Providers.OLLAMA ? Providers.OLLAMA : name;
 }

+/**
+ * Sanitize a filename by removing any directory components, replacing non-alphanumeric characters
+ * @param {string} inputName
+ * @returns {string}
+ */
+function sanitizeFilename(inputName) {
+  // Remove any directory components
+  let name = path.basename(inputName);
+
+  // Replace any non-alphanumeric characters except for '.' and '-'
+  name = name.replace(/[^a-zA-Z0-9.-]/g, '_');
+
+  // Ensure the name doesn't start with a dot (hidden file in Unix-like systems)
+  if (name.startsWith('.') || name === '') {
+    name = '_' + name;
+  }
+
+  // Limit the length of the filename
+  const MAX_LENGTH = 255;
+  if (name.length > MAX_LENGTH) {
+    const ext = path.extname(name);
+    const nameWithoutExt = path.basename(name, ext);
+    name =
+      nameWithoutExt.slice(0, MAX_LENGTH - ext.length - 7) +
+      '-' +
+      crypto.randomBytes(3).toString('hex') +
+      ext;
+  }
+
+  return name;
+}
+
 module.exports = {
  isEnabled,
  handleText,
@ -231,5 +265,6 @@ module.exports = {
  generateConfig,
  addSpaceIfNeeded,
  createOnProgress,
+  sanitizeFilename,
  normalizeEndpointName,
 };
--- a/api/server/utils/handleText.spec.js
+++ b/api/server/utils/handleText.spec.js
@ -1,4 +1,4 @@
-const { isEnabled } = require('./handleText');
+const { isEnabled, sanitizeFilename } = require('./handleText');

 describe('isEnabled', () => {
  test('should return true when input is "true"', () => {
@ -49,3 +49,51 @@ describe('isEnabled', () => {
    expect(isEnabled([])).toBe(false);
  });
 });
+
+jest.mock('crypto', () => ({
+  randomBytes: jest.fn().mockReturnValue(Buffer.from('abc123', 'hex')),
+}));
+
+describe('sanitizeFilename', () => {
+  test('removes directory components (1/2)', () => {
+    expect(sanitizeFilename('/path/to/file.txt')).toBe('file.txt');
+  });
+
+  test('removes directory components (2/2)', () => {
+    expect(sanitizeFilename('../../../../file.txt')).toBe('file.txt');
+  });
+
+  test('replaces non-alphanumeric characters', () => {
+    expect(sanitizeFilename('file name@#$.txt')).toBe('file_name___.txt');
+  });
+
+  test('preserves dots and hyphens', () => {
+    expect(sanitizeFilename('file-name.with.dots.txt')).toBe('file-name.with.dots.txt');
+  });
+
+  test('prepends underscore to filenames starting with a dot', () => {
+    expect(sanitizeFilename('.hiddenfile')).toBe('_.hiddenfile');
+  });
+
+  test('truncates long filenames', () => {
+    const longName = 'a'.repeat(300) + '.txt';
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123\.txt$/);
+  });
+
+  test('handles filenames with no extension', () => {
+    const longName = 'a'.repeat(300);
+    const result = sanitizeFilename(longName);
+    expect(result.length).toBe(255);
+    expect(result).toMatch(/^a+-abc123$/);
+  });
+
+  test('handles empty input', () => {
+    expect(sanitizeFilename('')).toBe('_');
+  });
+
+  test('handles input with only special characters', () => {
+    expect(sanitizeFilename('@#$%^&*')).toBe('_______');
+  });
+});
--- a/client/src/components/Chat/Messages/Content/Container.tsx
+++ b/client/src/components/Chat/Messages/Content/Container.tsx
@ -3,7 +3,7 @@ import Files from './Files';

 const Container = ({ children, message }: { children: React.ReactNode; message?: TMessage }) => (
  <div
-    className="text-message flex min-h-[20px] flex-col items-start gap-3 overflow-x-auto [.text-message+&]:mt-5"
+    className="text-message flex min-h-[20px] flex-col items-start gap-3 overflow-visible [.text-message+&]:mt-5"
    dir="auto"
  >
    {message?.isCreatedByUser === true && <Files message={message} />}
--- a/client/src/components/Chat/Messages/Content/MessageContent.tsx
+++ b/client/src/components/Chat/Messages/Content/MessageContent.tsx
@ -27,7 +27,7 @@ export const ErrorMessage = ({
    return (
      <Suspense
        fallback={
-          <div className="text-message mb-[0.625rem] flex min-h-[20px] flex-col items-start gap-3 overflow-x-auto">
+          <div className="text-message mb-[0.625rem] flex min-h-[20px] flex-col items-start gap-3 overflow-visible">
            <div className="markdown prose dark:prose-invert light w-full break-words dark:text-gray-100">
              <div className="absolute">
                <p className="submitting relative">
--- a/client/src/components/Nav/SettingsTabs/Account/Avatar.tsx
+++ b/client/src/components/Nav/SettingsTabs/Account/Avatar.tsx
@ -1,7 +1,7 @@
 import React, { useState, useRef, useCallback } from 'react';
-import { FileImage, RotateCw, Upload } from 'lucide-react';
 import { useSetRecoilState } from 'recoil';
 import AvatarEditor from 'react-avatar-editor';
+import { FileImage, RotateCw, Upload } from 'lucide-react';
 import { fileConfig as defaultFileConfig, mergeFileConfig } from 'librechat-data-provider';
 import type { TUser } from 'librechat-data-provider';
 import {
@ -20,16 +20,23 @@ import { cn, formatBytes } from '~/utils';
 import { useLocalize } from '~/hooks';
 import store from '~/store';

+interface AvatarEditorRef {
+  getImageScaledToCanvas: () => HTMLCanvasElement;
+  getImage: () => HTMLImageElement;
+}
+
 function Avatar() {
  const setUser = useSetRecoilState(store.user);
-  const [image, setImage] = useState<string | File | null>(null);
-  const [isDialogOpen, setDialogOpen] = useState<boolean>(false);
+
  const [scale, setScale] = useState<number>(1);
  const [rotation, setRotation] = useState<number>(0);
-  const editorRef = useRef<AvatarEditor | null>(null);
+  const editorRef = useRef<AvatarEditorRef | null>(null);
  const fileInputRef = useRef<HTMLInputElement>(null);
  const openButtonRef = useRef<HTMLButtonElement>(null);

+  const [image, setImage] = useState<string | File | null>(null);
+  const [isDialogOpen, setDialogOpen] = useState<boolean>(false);
+
  const { data: fileConfig = defaultFileConfig } = useGetFileConfig({
    select: (data) => mergeFileConfig(data),
  });
@ -55,12 +62,13 @@ function Avatar() {
  };

  const handleFile = (file: File | undefined) => {
-    if (fileConfig.avatarSizeLimit && file && file.size <= fileConfig.avatarSizeLimit) {
+    if (fileConfig.avatarSizeLimit != null && file && file.size <= fileConfig.avatarSizeLimit) {
      setImage(file);
      setScale(1);
      setRotation(0);
    } else {
-      const megabytes = fileConfig.avatarSizeLimit ? formatBytes(fileConfig.avatarSizeLimit) : 2;
+      const megabytes =
+        fileConfig.avatarSizeLimit != null ? formatBytes(fileConfig.avatarSizeLimit) : 2;
      showToast({
        message: localize('com_ui_upload_invalid_var', megabytes + ''),
        status: 'error',
@ -82,7 +90,7 @@ function Avatar() {
      canvas.toBlob((blob) => {
        if (blob) {
          const formData = new FormData();
-          formData.append('input', blob, 'avatar.png');
+          formData.append('file', blob, 'avatar.png');
          formData.append('manual', 'true');
          uploadAvatar(formData);
        }
@ -134,11 +142,11 @@ function Avatar() {
      <OGDialogContent className="w-11/12 max-w-sm" style={{ borderRadius: '12px' }}>
        <OGDialogHeader>
          <OGDialogTitle className="text-lg font-medium leading-6 text-text-primary">
-            {image ? localize('com_ui_preview') : localize('com_ui_upload_image')}
+            {image != null ? localize('com_ui_preview') : localize('com_ui_upload_image')}
          </OGDialogTitle>
        </OGDialogHeader>
        <div className="flex flex-col items-center justify-center">
-          {image ? (
+          {image != null ? (
            <>
              <div className="relative overflow-hidden rounded-full">
                <AvatarEditor
@ -155,7 +163,7 @@ function Avatar() {
              </div>
              <div className="mt-4 flex w-full flex-col items-center space-y-4">
                <div className="flex w-full items-center justify-center space-x-4">
-                  <span className="text-sm">Zoom:</span>
+                  <span className="text-sm">{localize('com_ui_zoom')}</span>
                  <Slider
                    value={[scale]}
                    min={1}
--- a/client/src/components/Prompts/Groups/DashGroupItem.tsx
+++ b/client/src/components/Prompts/Groups/DashGroupItem.tsx
@ -38,7 +38,7 @@ export default function DashGroupItem({
  const [nameInputField, setNameInputField] = useState(group.name);
  const isOwner = useMemo(() => user?.id === group.author, [user, group]);
  const groupIsGlobal = useMemo(
-    () => instanceProjectId && group.projectIds?.includes(instanceProjectId),
+    () => instanceProjectId != null && group.projectIds?.includes(instanceProjectId),
    [group, instanceProjectId],
  );

--- a/client/src/localization/languages/Eng.ts
+++ b/client/src/localization/languages/Eng.ts
@ -222,6 +222,7 @@ export default {
  com_ui_latest_footer: 'Every AI for Everyone.',
  com_ui_enter: 'Enter',
  com_ui_submit: 'Submit',
+  com_ui_zoom: 'Zoom',
  com_ui_none_selected: 'None selected',
  com_ui_upload_success: 'Successfully uploaded file',
  com_ui_upload_error: 'There was an error uploading your file',
--- a/client/src/style.css
+++ b/client/src/style.css
@ -2399,3 +2399,10 @@ button.scroll-convo {
  scale: 1;
  translate: 0;
 }
+
+/** Note: ensure KaTeX can spread across visible space */
+.message-content pre:has(> span.katex) {
+  overflow: visible !important;
+  height: auto !important;
+  max-height: none !important;
+}
--- a/package-lock.json
+++ b/package-lock.json
@ -36283,7 +36283,7 @@
    },
    "packages/data-provider": {
      "name": "librechat-data-provider",
-      "version": "0.7.54",
+      "version": "0.7.55",
      "license": "ISC",
      "dependencies": {
        "@types/js-yaml": "^4.0.9",
--- a/packages/data-provider/package.json
+++ b/packages/data-provider/package.json
@ -1,6 +1,6 @@
 {
  "name": "librechat-data-provider",
-  "version": "0.7.54",
+  "version": "0.7.55",
  "description": "data services for librechat apps",
  "main": "dist/index.js",
  "module": "dist/index.es.js",
--- a/packages/data-provider/src/api-endpoints.ts
+++ b/packages/data-provider/src/api-endpoints.ts
@ -34,9 +34,9 @@ export const abortRequest = (endpoint: string) => `/api/ask/${endpoint}/abort`;
 export const conversationsRoot = '/api/convos';

 export const conversations = (pageNumber: string, isArchived?: boolean, tags?: string[]) =>
-  `${conversationsRoot}?pageNumber=${pageNumber}${isArchived ? '&isArchived=true' : ''}${tags
-    ?.map((tag) => `&tags=${tag}`)
-    .join('')}`;
+  `${conversationsRoot}?pageNumber=${pageNumber}${
+    isArchived === true ? '&isArchived=true' : ''
+  }${tags?.map((tag) => `&tags=${tag}`).join('')}`;

 export const conversationById = (id: string) => `${conversationsRoot}/${id}`;

@ -77,7 +77,8 @@ export const loginFacebook = () => '/api/auth/facebook';

 export const loginGoogle = () => '/api/auth/google';

-export const refreshToken = (retry?: boolean) => `/api/auth/refresh${retry ? '?retry=true' : ''}`;
+export const refreshToken = (retry?: boolean) =>
+  `/api/auth/refresh${retry === true ? '?retry=true' : ''}`;

 export const requestPasswordReset = () => '/api/auth/requestPasswordReset';

@ -94,19 +95,21 @@ export const config = () => '/api/config';
 export const prompts = () => '/api/prompts';

 export const assistants = ({
-  path,
+  path = '',
  options,
  version,
  endpoint,
+  isAvatar,
 }: {
  path?: string;
  options?: object;
  endpoint?: AssistantsEndpoint;
  version: number | string;
+  isAvatar?: boolean;
 }) => {
-  let url = `/api/assistants/v${version}`;
+  let url = isAvatar === true ? `${images()}/assistants` : `/api/assistants/v${version}`;

-  if (path) {
+  if (path && path !== '') {
    url += `/${path}`;
  }

--- a/packages/data-provider/src/data-service.ts
+++ b/packages/data-provider/src/data-service.ts
@ -471,7 +471,8 @@ export const uploadAvatar = (data: FormData): Promise<f.AvatarUploadResponse> =>
 export const uploadAssistantAvatar = (data: m.AssistantAvatarVariables): Promise<a.Assistant> => {
  return request.postMultiPart(
    endpoints.assistants({
-      path: `avatar/${data.assistant_id}`,
+      isAvatar: true,
+      path: `${data.assistant_id}/avatar`,
      options: { model: data.model, endpoint: data.endpoint },
      version: data.version,
    }),
@ -481,9 +482,7 @@ export const uploadAssistantAvatar = (data: m.AssistantAvatarVariables): Promise

 export const uploadAgentAvatar = (data: m.AgentAvatarVariables): Promise<a.Agent> => {
  return request.postMultiPart(
-    endpoints.agents({
-      path: `avatar/${data.agent_id}`,
-    }),
+    `${endpoints.images()}/agents/${data.agent_id}/avatar`,
    data.formData,
  );
 };
--- a/packages/data-provider/src/types.ts
+++ b/packages/data-provider/src/types.ts
@ -491,9 +491,7 @@ export type TUpdatePromptLabelsResponse = {
  message: string;
 };

-export type TDeletePromptGroupResponse = {
-  promptGroup: string;
-};
+export type TDeletePromptGroupResponse = TUpdatePromptLabelsResponse;

 export type TDeletePromptGroupRequest = {
  id: string;