fix(files): fix vulnerabilities in file uploads/deletes

[waleedlatif1]

Summary

• Path Traversal Vulnerability (Delete) - [BUG] Arbitrary File Deletion #959

• Added path sanitization to extractFilename() function that strips all ../ sequences to prevent directory traversal attacks while preserving legitimate file operations

• File Upload XSS Vulnerability - [BUG] Insecure File Upload #958

  • Implemented file extension allowlist that only permits safe file types and blocks dangerous files like HTML, SVG, and JavaScript
  • Added secure file serving with safe content-type overrides and Content-Disposition headers

Type of Change

• Other: Security

Testing

Added unit tests, manually tested in the file upload and delete with the file block.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
sim	Ready	Preview	Comment	Aug 25, 2025 6:27pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Skipped			Aug 25, 2025 6:27pm

[greptile-apps]

Greptile Summary

This PR addresses two critical security vulnerabilities in the file upload and deletion system:

Path Traversal Vulnerability (Issue #959): The extractFilename() function in apps/sim/app/api/files/utils.ts has been hardened with comprehensive path sanitization that strips all ../ sequences using multiple regex patterns. This prevents attackers from using directory traversal attacks to delete arbitrary system files while preserving legitimate cloud storage paths like s3/ and blob/.

File Upload XSS Vulnerability (Issue #958): A multi-layered security approach has been implemented:

• File extension allowlist in the upload route that only permits safe file types (PDF, DOC, TXT, images, etc.) and blocks dangerous files like HTML, SVG, and JavaScript
• Enhanced file serving security with content-type overrides that force dangerous file types to be served as attachments with application/octet-stream
• Security headers including Content-Security-Policy and X-Content-Type-Options to prevent script execution
• Authentication requirements for file uploads

The changes also remove SVG files from the UI file picker (user-input.tsx) to prevent users from easily selecting potentially dangerous files. Comprehensive test coverage has been added across utils.test.ts and route.test.ts to validate all security measures and ensure backward compatibility with existing cloud storage functionality.

Confidence score: 4/5

• This PR addresses critical security vulnerabilities with well-implemented defense-in-depth measures
• Score reflects the complexity of security changes that require careful validation in production environments
• Pay close attention to apps/sim/app/api/files/utils.ts and apps/sim/app/api/files/upload/route.ts for core security implementations

_{5 files reviewed, no comments}

_{Edit Code Review Bot Settings | Greptile}