🔐 fix: Enhance Message & Image Access Security (#3363)

* chore: slight refactor * fix: prevent message updates unless explicitly owned * refactor: rethrow errors, update deleteMessagesSince (not used), add basic tests * fix: Add path normalization and validation to image request middleware * fix: image validation path security
2025-12-22 11:20:15 +01:00 · 2024-07-17 09:51:03 -04:00 · 2024-07-17 09:51:03 -04:00 · d5d188eebf
commit d5d188eebf
parent 0a1d38e318
17 changed files with 595 additions and 229 deletions
--- a/api/server/controllers/AskController.js
+++ b/api/server/controllers/AskController.js
@ -55,7 +55,7 @@ const AskController = async (req, res, next, initializeClient, addTitle) => {
    const { onProgress: progressCallback, getPartialText } = createOnProgress({
      onProgress: throttle(
        ({ text: partialText }) => {
-          saveMessage({
+          saveMessage(req, {
            messageId: responseMessageId,
            sender,
            conversationId,
@ -144,11 +144,11 @@ const AskController = async (req, res, next, initializeClient, addTitle) => {
      });
      res.end();

-      await saveMessage({ ...response, user });
+      await saveMessage(req, { ...response, user });
    }

    if (!client.skipSaveUserMessage) {
-      await saveMessage(userMessage);
+      await saveMessage(req, userMessage);
    }

    if (addTitle && parentMessageId === Constants.NO_PARENT && newConvo) {
--- a/api/server/controllers/EditController.js
+++ b/api/server/controllers/EditController.js
@ -56,7 +56,7 @@ const EditController = async (req, res, next, initializeClient) => {
    generation,
    onProgress: throttle(
      ({ text: partialText }) => {
-        saveMessage({
+        saveMessage(req, {
          messageId: responseMessageId,
          sender,
          conversationId,
@ -141,7 +141,7 @@ const EditController = async (req, res, next, initializeClient) => {
      });
      res.end();

-      await saveMessage({ ...response, user });
+      await saveMessage(req, { ...response, user });
    }
  } catch (error) {
    const partialText = getPartialText();
--- a/api/server/controllers/assistants/chatV1.js
+++ b/api/server/controllers/assistants/chatV1.js
@ -120,21 +120,22 @@ const chatV1 = async (req, res) => {
          ? ' If using Azure OpenAI, files are only available in the region of the assistant\'s model at the time of upload.'
          : ''
      }`;
-      return sendResponse(res, messageData, errorMessage);
+      return sendResponse(req, res, messageData, errorMessage);
    } else if (error?.message?.includes('string too long')) {
      return sendResponse(
+        req,
        res,
        messageData,
        'Message too long. The Assistants API has a limit of 32,768 characters per message. Please shorten it and try again.',
      );
    } else if (error?.message?.includes(ViolationTypes.TOKEN_BALANCE)) {
-      return sendResponse(res, messageData, error.message);
+      return sendResponse(req, res, messageData, error.message);
    } else {
      logger.error('[/assistants/chat/]', error);
    }

    if (!openai || !thread_id || !run_id) {
-      return sendResponse(res, messageData, defaultErrorMessage);
+      return sendResponse(req, res, messageData, defaultErrorMessage);
    }

    await sleep(2000);
@ -221,10 +222,10 @@ const chatV1 = async (req, res) => {
      };
    } catch (error) {
      logger.error('[/assistants/chat/] Error finalizing error process', error);
-      return sendResponse(res, messageData, 'The Assistant run failed');
+      return sendResponse(req, res, messageData, 'The Assistant run failed');
    }

-    return sendResponse(res, finalEvent);
+    return sendResponse(req, res, finalEvent);
  };

  try {
--- a/api/server/controllers/assistants/chatV2.js
+++ b/api/server/controllers/assistants/chatV2.js
@ -117,21 +117,22 @@ const chatV2 = async (req, res) => {
          ? ' If using Azure OpenAI, files are only available in the region of the assistant\'s model at the time of upload.'
          : ''
      }`;
-      return sendResponse(res, messageData, errorMessage);
+      return sendResponse(req, res, messageData, errorMessage);
    } else if (error?.message?.includes('string too long')) {
      return sendResponse(
+        req,
        res,
        messageData,
        'Message too long. The Assistants API has a limit of 32,768 characters per message. Please shorten it and try again.',
      );
    } else if (error?.message?.includes(ViolationTypes.TOKEN_BALANCE)) {
-      return sendResponse(res, messageData, error.message);
+      return sendResponse(req, res, messageData, error.message);
    } else {
      logger.error('[/assistants/chat/]', error);
    }

    if (!openai || !thread_id || !run_id) {
-      return sendResponse(res, messageData, defaultErrorMessage);
+      return sendResponse(req, res, messageData, defaultErrorMessage);
    }

    await sleep(2000);
@ -218,10 +219,10 @@ const chatV2 = async (req, res) => {
      };
    } catch (error) {
      logger.error('[/assistants/chat/] Error finalizing error process', error);
-      return sendResponse(res, messageData, 'The Assistant run failed');
+      return sendResponse(req, res, messageData, 'The Assistant run failed');
    }

-    return sendResponse(res, finalEvent);
+    return sendResponse(req, res, finalEvent);
  };

  try {