npm - @lobehub/lobehub - Versions diffs - 2.0.0-next.192 → 2.0.0-next.194 - Mend

@lobehub/lobehub 2.0.0-next.192 → 2.0.0-next.194

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.github/workflows/claude-translator.yml +1 -1
package/CHANGELOG.md +50 -0
package/changelog/v1.json +14 -0
package/locales/ar/models.json +39 -0
package/locales/bg-BG/models.json +40 -0
package/locales/de-DE/models.json +31 -0
package/locales/es-ES/models.json +47 -0
package/locales/fa-IR/models.json +1 -0
package/locales/fr-FR/models.json +1 -0
package/locales/it-IT/models.json +1 -0
package/locales/ja-JP/models.json +53 -0
package/locales/ko-KR/models.json +38 -0
package/locales/nl-NL/models.json +1 -0
package/locales/pl-PL/models.json +1 -0
package/locales/pt-BR/models.json +15 -0
package/locales/ru-RU/models.json +35 -0
package/locales/tr-TR/models.json +29 -0
package/locales/vi-VN/models.json +1 -0
package/locales/zh-CN/models.json +59 -0
package/locales/zh-TW/models.json +31 -0
package/package.json +1 -1
package/packages/database/src/models/__tests__/knowledgeBase.test.ts +30 -1
package/packages/database/src/models/knowledgeBase.ts +9 -7
package/src/server/modules/S3/index.test.ts +58 -0
package/src/server/modules/S3/index.ts +21 -0
package/src/server/routers/lambda/__tests__/file.test.ts +56 -0
package/src/server/routers/lambda/file.ts +3 -1
package/src/server/services/file/impls/s3.test.ts +19 -0
package/src/server/services/file/impls/s3.ts +4 -0
package/src/server/services/file/impls/type.ts +6 -0
package/src/server/services/file/index.ts +10 -0

package/src/server/routers/lambda/__tests__/file.test.ts CHANGED Viewed

@@ -19,6 +19,7 @@ function createCallerWithCtx(partialCtx: any = {}) {
   const fileService = {
     getFullFileUrl: vi.fn().mockResolvedValue('full-url'),
+    getFileMetadata: vi.fn().mockResolvedValue({ contentLength: 2048, contentType: 'text/plain' }),
     deleteFile: vi.fn().mockResolvedValue(undefined),
     deleteFiles: vi.fn().mockResolvedValue(undefined),
   };
@@ -114,12 +115,14 @@ vi.mock('@/database/models/file', () => ({
 }));
 const mockFileServiceGetFullFileUrl = vi.fn();
+const mockFileServiceGetFileMetadata = vi.fn();
 vi.mock('@/server/services/file', () => ({
   FileService: vi.fn(() => ({
     deleteFile: vi.fn(),
     deleteFiles: vi.fn(),
     getFullFileUrl: mockFileServiceGetFullFileUrl,
+    getFileMetadata: mockFileServiceGetFileMetadata,
   })),
 }));
@@ -160,6 +163,12 @@ describe('fileRouter', () => {
       embeddingTaskId: null,
     };
+    // Set default mock for getFileMetadata (security fix for GHSA-wrrr-8jcv-wjf5)
+    mockFileServiceGetFileMetadata.mockResolvedValue({
+      contentLength: 100,
+      contentType: 'text/plain',
+    });
     // Use actual context with default mocks
     ({ ctx, caller } = createCallerWithCtx());
   });
@@ -204,6 +213,53 @@ describe('fileRouter', () => {
         url: 'https://lobehub.com/f/new-file-id',
       });
     });
+    it('should use actual file size from S3 instead of client-provided size (security fix)', async () => {
+      // Setup: S3 returns actual size of 5000 bytes
+      mockFileServiceGetFileMetadata.mockResolvedValue({
+        contentLength: 5000,
+        contentType: 'text/plain',
+      });
+      mockFileModelCheckHash.mockResolvedValue({ isExist: false });
+      mockFileModelCreate.mockResolvedValue({ id: 'new-file-id' });
+      // Client claims file is only 100 bytes (attempting quota bypass)
+      await caller.createFile({
+        hash: 'test-hash',
+        fileType: 'text',
+        name: 'test.txt',
+        size: 100, // Client-provided fake size
+        url: 'files/test.txt',
+        metadata: {},
+      });
+      // Verify getFileMetadata was called to get actual size
+      expect(mockFileServiceGetFileMetadata).toHaveBeenCalledWith('files/test.txt');
+      // Verify create was called with actual size from S3, not client-provided size
+      expect(mockFileModelCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          size: 5000, // Actual size from S3, not 100
+        }),
+        true,
+      );
+    });
+    it('should handle getFileMetadata errors', async () => {
+      mockFileModelCheckHash.mockResolvedValue({ isExist: false });
+      mockFileServiceGetFileMetadata.mockRejectedValue(new Error('File not found in S3'));
+      await expect(
+        caller.createFile({
+          hash: 'test-hash',
+          fileType: 'text',
+          name: 'test.txt',
+          size: 100,
+          url: 'files/non-existent.txt',
+          metadata: {},
+        }),
+      ).rejects.toThrow('File not found in S3');
+    });
   });
   describe('findById', () => {

package/src/server/routers/lambda/file.ts CHANGED Viewed

@@ -64,6 +64,8 @@ export const fileRouter = router({
         }
       }
+      const { contentLength: actualSize } = await ctx.fileService.getFileMetadata(input.url);
       const { id } = await ctx.fileModel.create(
         {
           fileHash: input.hash,
@@ -72,7 +74,7 @@ export const fileRouter = router({
           metadata: input.metadata,
           name: input.name,
           parentId: resolvedParentId,
-          size: input.size,
+          size: actualSize,
           url: input.url,
         },
         // if the file is not exist in global file, create a new one

package/src/server/services/file/impls/s3.test.ts CHANGED Viewed

@@ -24,6 +24,7 @@ vi.mock('@/server/modules/S3', () => ({
       .mockResolvedValue('https://presigned.example.com/test.jpg'),
     getFileContent: vi.fn().mockResolvedValue('file content'),
     getFileByteArray: vi.fn().mockResolvedValue(new Uint8Array([1, 2, 3])),
+    getFileMetadata: vi.fn().mockResolvedValue({ contentLength: 1024, contentType: 'image/png' }),
     deleteFile: vi.fn().mockResolvedValue({}),
     deleteFiles: vi.fn().mockResolvedValue({}),
     createPreSignedUrl: vi.fn().mockResolvedValue('https://upload.example.com/test.jpg'),
@@ -152,6 +153,24 @@ describe('S3StaticFileImpl', () => {
     });
   });
+  describe('getFileMetadata', () => {
+    it('should call S3 getFileMetadata and return metadata', async () => {
+      const result = await fileService.getFileMetadata('test.png');
+      expect(fileService['s3'].getFileMetadata).toHaveBeenCalledWith('test.png');
+      expect(result).toEqual({ contentLength: 1024, contentType: 'image/png' });
+    });
+    it('should handle S3 errors', async () => {
+      const error = new Error('File not found');
+      fileService['s3'].getFileMetadata = vi.fn().mockRejectedValue(error);
+      await expect(fileService.getFileMetadata('non-existent.txt')).rejects.toThrow(
+        'File not found',
+      );
+    });
+  });
   describe('uploadContent', () => {
     it('应该调用S3的uploadContent方法', async () => {
       await fileService.uploadContent('test.jpg', 'content');

package/src/server/services/file/impls/s3.ts CHANGED Viewed

@@ -36,6 +36,10 @@ export class S3StaticFileImpl implements FileServiceImpl {
     return this.s3.createPreSignedUrl(key);
   }
+  async getFileMetadata(key: string): Promise<{ contentLength: number; contentType?: string }> {
+    return this.s3.getFileMetadata(key);
+  }
   async createPreSignedUrlForPreview(key: string, expiresIn?: number): Promise<string> {
     return this.s3.createPreSignedUrlForPreview(key, expiresIn);
   }

package/src/server/services/file/impls/type.ts CHANGED Viewed

@@ -32,6 +32,12 @@ export interface FileServiceImpl {
    */
   getFileContent(key: string): Promise<string>;
+  /**
+   * Get file metadata from storage
+   * Used to verify actual file size instead of trusting client-provided values
+   */
+  getFileMetadata(key: string): Promise<{ contentLength: number; contentType?: string }>;
   /**
    * Get full file URL
    */

package/src/server/services/file/index.ts CHANGED Viewed

@@ -61,6 +61,16 @@ export class FileService {
     return this.impl.createPreSignedUrl(key);
   }
+  /**
+   * Get file metadata from storage
+   * Used to verify actual file size instead of trusting client-provided values
+   */
+  public async getFileMetadata(
+    key: string,
+  ): Promise<{ contentLength: number; contentType?: string }> {
+    return this.impl.getFileMetadata(key);
+  }
   /**
    * Create pre-signed preview URL
    */