@lobehub/lobehub 2.0.0-next.191 → 2.0.0-next.193

package/src/server/routers/lambda/__tests__/file.test.ts

@@ -19,6 +19,7 @@ function createCallerWithCtx(partialCtx: any = {}) {
 
   const fileService = {
     getFullFileUrl: vi.fn().mockResolvedValue('full-url'),
+    getFileMetadata: vi.fn().mockResolvedValue({ contentLength: 2048, contentType: 'text/plain' }),
     deleteFile: vi.fn().mockResolvedValue(undefined),
     deleteFiles: vi.fn().mockResolvedValue(undefined),
   };
@@ -114,12 +115,14 @@ vi.mock('@/database/models/file', () => ({
 }));
 
 const mockFileServiceGetFullFileUrl = vi.fn();
+const mockFileServiceGetFileMetadata = vi.fn();
 
 vi.mock('@/server/services/file', () => ({
   FileService: vi.fn(() => ({
     deleteFile: vi.fn(),
     deleteFiles: vi.fn(),
     getFullFileUrl: mockFileServiceGetFullFileUrl,
+    getFileMetadata: mockFileServiceGetFileMetadata,
   })),
 }));
 
@@ -160,6 +163,12 @@ describe('fileRouter', () => {
       embeddingTaskId: null,
     };
 
+    // Set default mock for getFileMetadata (security fix for GHSA-wrrr-8jcv-wjf5)
+    mockFileServiceGetFileMetadata.mockResolvedValue({
+      contentLength: 100,
+      contentType: 'text/plain',
+    });
+
     // Use actual context with default mocks
     ({ ctx, caller } = createCallerWithCtx());
   });
@@ -204,6 +213,53 @@ describe('fileRouter', () => {
         url: 'https://lobehub.com/f/new-file-id',
       });
     });
+
+    it('should use actual file size from S3 instead of client-provided size (security fix)', async () => {
+      // Setup: S3 returns actual size of 5000 bytes
+      mockFileServiceGetFileMetadata.mockResolvedValue({
+        contentLength: 5000,
+        contentType: 'text/plain',
+      });
+      mockFileModelCheckHash.mockResolvedValue({ isExist: false });
+      mockFileModelCreate.mockResolvedValue({ id: 'new-file-id' });
+
+      // Client claims file is only 100 bytes (attempting quota bypass)
+      await caller.createFile({
+        hash: 'test-hash',
+        fileType: 'text',
+        name: 'test.txt',
+        size: 100, // Client-provided fake size
+        url: 'files/test.txt',
+        metadata: {},
+      });
+
+      // Verify getFileMetadata was called to get actual size
+      expect(mockFileServiceGetFileMetadata).toHaveBeenCalledWith('files/test.txt');
+
+      // Verify create was called with actual size from S3, not client-provided size
+      expect(mockFileModelCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          size: 5000, // Actual size from S3, not 100
+        }),
+        true,
+      );
+    });
+
+    it('should handle getFileMetadata errors', async () => {
+      mockFileModelCheckHash.mockResolvedValue({ isExist: false });
+      mockFileServiceGetFileMetadata.mockRejectedValue(new Error('File not found in S3'));
+
+      await expect(
+        caller.createFile({
+          hash: 'test-hash',
+          fileType: 'text',
+          name: 'test.txt',
+          size: 100,
+          url: 'files/non-existent.txt',
+          metadata: {},
+        }),
+      ).rejects.toThrow('File not found in S3');
+    });
   });
 
   describe('findById', () => {

package/src/server/routers/lambda/file.ts

@@ -64,6 +64,8 @@ export const fileRouter = router({
         }
       }
 
+      const { contentLength: actualSize } = await ctx.fileService.getFileMetadata(input.url);
+
       const { id } = await ctx.fileModel.create(
         {
           fileHash: input.hash,
@@ -72,7 +74,7 @@ export const fileRouter = router({
           metadata: input.metadata,
           name: input.name,
           parentId: resolvedParentId,
-          size: input.size,
+          size: actualSize,
           url: input.url,
         },
         // if the file is not exist in global file, create a new one

package/src/server/services/file/impls/s3.test.ts

@@ -24,6 +24,7 @@ vi.mock('@/server/modules/S3', () => ({
       .mockResolvedValue('https://presigned.example.com/test.jpg'),
     getFileContent: vi.fn().mockResolvedValue('file content'),
     getFileByteArray: vi.fn().mockResolvedValue(new Uint8Array([1, 2, 3])),
+    getFileMetadata: vi.fn().mockResolvedValue({ contentLength: 1024, contentType: 'image/png' }),
     deleteFile: vi.fn().mockResolvedValue({}),
     deleteFiles: vi.fn().mockResolvedValue({}),
     createPreSignedUrl: vi.fn().mockResolvedValue('https://upload.example.com/test.jpg'),
@@ -152,6 +153,24 @@ describe('S3StaticFileImpl', () => {
     });
   });
 
+  describe('getFileMetadata', () => {
+    it('should call S3 getFileMetadata and return metadata', async () => {
+      const result = await fileService.getFileMetadata('test.png');
+
+      expect(fileService['s3'].getFileMetadata).toHaveBeenCalledWith('test.png');
+      expect(result).toEqual({ contentLength: 1024, contentType: 'image/png' });
+    });
+
+    it('should handle S3 errors', async () => {
+      const error = new Error('File not found');
+      fileService['s3'].getFileMetadata = vi.fn().mockRejectedValue(error);
+
+      await expect(fileService.getFileMetadata('non-existent.txt')).rejects.toThrow(
+        'File not found',
+      );
+    });
+  });
+
   describe('uploadContent', () => {
     it('应该调用S3的uploadContent方法', async () => {
       await fileService.uploadContent('test.jpg', 'content');

package/src/server/services/file/impls/s3.ts

@@ -36,6 +36,10 @@ export class S3StaticFileImpl implements FileServiceImpl {
     return this.s3.createPreSignedUrl(key);
   }
 
+  async getFileMetadata(key: string): Promise<{ contentLength: number; contentType?: string }> {
+    return this.s3.getFileMetadata(key);
+  }
+
   async createPreSignedUrlForPreview(key: string, expiresIn?: number): Promise<string> {
     return this.s3.createPreSignedUrlForPreview(key, expiresIn);
   }

package/src/server/services/file/impls/type.ts

@@ -32,6 +32,12 @@ export interface FileServiceImpl {
    */
   getFileContent(key: string): Promise<string>;
 
+  /**
+   * Get file metadata from storage
+   * Used to verify actual file size instead of trusting client-provided values
+   */
+  getFileMetadata(key: string): Promise<{ contentLength: number; contentType?: string }>;
+
   /**
    * Get full file URL
    */

package/src/server/services/file/index.ts

@@ -61,6 +61,16 @@ export class FileService {
     return this.impl.createPreSignedUrl(key);
   }
 
+  /**
+   * Get file metadata from storage
+   * Used to verify actual file size instead of trusting client-provided values
+   */
+  public async getFileMetadata(
+    key: string,
+  ): Promise<{ contentLength: number; contentType?: string }> {
+    return this.impl.getFileMetadata(key);
+  }
+
   /**
    * Create pre-signed preview URL
    */

package/packages/database/src/client/pglite.ts

@@ -1,17 +0,0 @@
-import { PGliteWorker } from '@electric-sql/pglite/worker';
-
-import { InitMeta } from './type';
-
-export const initPgliteWorker = async (meta: InitMeta) => {
-  const worker = await PGliteWorker.create(
-    new Worker(new URL('pglite.worker.ts', import.meta.url)),
-    { meta },
-  );
-
-  // Listen for worker status changes
-  worker.onLeaderChange(() => {
-    console.log('Worker leader changed, isLeader:', worker?.isLeader);
-  });
-
-  return worker as PGliteWorker;
-};

package/packages/database/src/client/pglite.worker.ts

@@ -1,25 +0,0 @@
-import { worker } from '@electric-sql/pglite/worker';
-
-import { InitMeta } from './type';
-
-worker({
-  async init(options) {
-    const { wasmModule, fsBundle, vectorBundlePath, dbName } = options.meta as InitMeta;
-    const { PGlite } = await import('@electric-sql/pglite');
-
-    return new PGlite({
-      dataDir: `idb://${dbName}`,
-      extensions: {
-        vector: {
-          name: 'pgvector',
-          setup: async (pglite, options) => {
-            return { bundlePath: new URL(vectorBundlePath), options };
-          },
-        },
-      },
-      fsBundle,
-      relaxedDurability: true,
-      wasmModule,
-    });
-  },
-});