fix(security): extract shared file-access guard; merge workspace/mothership branch

waleedlatif1 · waleedlatif1 · commit b7d57afa3a79 · 2026-05-12T15:46:48.000-07:00
diff --git a/apps/sim/app/api/files/authorization.ts b/apps/sim/app/api/files/authorization.ts
@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { document, knowledgeBase, workspaceFile } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull, like, or } from 'drizzle-orm'
+import { NextResponse } from 'next/server'
 import { getFileMetadata } from '@/lib/uploads'
 import type { StorageContext } from '@/lib/uploads/config'
 import { BLOB_CHAT_CONFIG, S3_CHAT_CONFIG } from '@/lib/uploads/config'
@@ -587,6 +588,36 @@ async function authorizeFileAccess(
   }
 }
 
+/**
+ * Guard helper for tool routes that download user files from storage.
+ *
+ * Validates that `key` is a non-empty string, that `userId` is present, and
+ * that the authenticated user owns the file. Returns a 404 `NextResponse` on
+ * any failure so callers can `return` it immediately; returns `null` when
+ * access is granted.
+ */
+export async function assertToolFileAccess(
+  key: unknown,
+  userId: string | undefined,
+  requestId: string,
+  routeLogger: ReturnType<typeof createLogger>
+): Promise<NextResponse | null> {
+  if (typeof key !== 'string' || key.length === 0) {
+    routeLogger.warn(`[${requestId}] File access check rejected: missing key`)
+    return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+  }
+  if (!userId) {
+    routeLogger.warn(`[${requestId}] File access check requires userId but none available`)
+    return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+  }
+  const hasAccess = await verifyFileAccess(key, userId)
+  if (!hasAccess) {
+    routeLogger.warn(`[${requestId}] File access denied for user`, { userId, key })
+    return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+  }
+  return null
+}
+
 /**
  * Get chat storage configuration based on current storage provider
  */
diff --git a/apps/sim/app/api/files/multipart/route.ts b/apps/sim/app/api/files/multipart/route.ts
@@ -136,29 +136,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         const config = getStorageConfig(storageContext)
 
         let customKey: string | undefined
-        if (context === 'workspace') {
-          const { MAX_WORKSPACE_FILE_SIZE } = await import('@/lib/uploads/shared/types')
-          if (typeof fileSize === 'number' && fileSize > MAX_WORKSPACE_FILE_SIZE) {
-            return NextResponse.json(
-              { error: `File size exceeds maximum of ${MAX_WORKSPACE_FILE_SIZE} bytes` },
-              { status: 413 }
-            )
-          }
-
-          const { generateWorkspaceFileKey } = await import(
-            '@/lib/uploads/contexts/workspace/workspace-file-manager'
-          )
-          customKey = generateWorkspaceFileKey(workspaceId, fileName)
-
-          const { checkStorageQuota } = await import('@/lib/billing/storage')
-          const quotaCheck = await checkStorageQuota(userId, fileSize)
-          if (!quotaCheck.allowed) {
-            return NextResponse.json(
-              { error: quotaCheck.error || 'Storage limit exceeded' },
-              { status: 413 }
-            )
-          }
-        } else if (context === 'mothership') {
+        if (context === 'workspace' || context === 'mothership') {
           const { MAX_WORKSPACE_FILE_SIZE } = await import('@/lib/uploads/shared/types')
           if (typeof fileSize === 'number' && fileSize > MAX_WORKSPACE_FILE_SIZE) {
             return NextResponse.json(
diff --git a/apps/sim/app/api/tools/sftp/upload/route.ts b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -7,7 +7,7 @@ import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { assertToolFileAccess } from '@/app/api/files/authorization'
 import {
   createSftpConnection,
   getSftp,
@@ -96,22 +96,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
         for (const file of userFiles) {
           try {
-            if (typeof file.key !== 'string' || file.key.length === 0) {
-              logger.warn(`[${requestId}] File access check rejected: missing key`)
-              return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-            }
-            if (!authResult.userId) {
-              logger.warn(`[${requestId}] File access check requires userId but none available`)
-              return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-            }
-            const hasAccess = await verifyFileAccess(file.key, authResult.userId)
-            if (!hasAccess) {
-              logger.warn(`[${requestId}] File access denied for user`, {
-                userId: authResult.userId,
-                key: file.key,
-              })
-              return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-            }
+            const denied = await assertToolFileAccess(
+              file.key,
+              authResult.userId,
+              requestId,
+              logger
+            )
+            if (denied) return denied
             logger.info(
               `[${requestId}] Downloading file for upload: ${file.name} (${file.size} bytes)`
             )
diff --git a/apps/sim/app/api/tools/sharepoint/upload/route.ts b/apps/sim/app/api/tools/sharepoint/upload/route.ts
@@ -9,7 +9,7 @@ import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { assertToolFileAccess } from '@/app/api/files/authorization'
 import type { MicrosoftGraphDriveItem } from '@/tools/onedrive/types'
 import type { SharepointSkippedFile, SharepointUploadError } from '@/tools/sharepoint/types'
 
@@ -83,22 +83,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     const errors: SharepointUploadError[] = []
 
     for (const userFile of userFiles) {
-      if (typeof userFile.key !== 'string' || userFile.key.length === 0) {
-        logger.warn(`[${requestId}] File access check rejected: missing key`)
-        return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-      }
-      if (!authResult.userId) {
-        logger.warn(`[${requestId}] File access check requires userId but none available`)
-        return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-      }
-      const hasAccess = await verifyFileAccess(userFile.key, authResult.userId)
-      if (!hasAccess) {
-        logger.warn(`[${requestId}] File access denied for user`, {
-          userId: authResult.userId,
-          key: userFile.key,
-        })
-        return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-      }
+      const denied = await assertToolFileAccess(userFile.key, authResult.userId, requestId, logger)
+      if (denied) return denied
       logger.info(`[${requestId}] Uploading file: ${userFile.name}`)
 
       const buffer = await downloadFileFromStorage(userFile, requestId, logger)
diff --git a/apps/sim/app/api/tools/smtp/send/route.ts b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -10,7 +10,7 @@ import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { assertToolFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
 
@@ -122,22 +122,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
         const attachmentBuffers: { filename: string; content: Buffer; contentType: string }[] = []
         for (const file of attachments) {
-          if (typeof file.key !== 'string' || file.key.length === 0) {
-            logger.warn(`[${requestId}] File access check rejected: missing key`)
-            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-          }
-          if (!authResult.userId) {
-            logger.warn(`[${requestId}] File access check requires userId but none available`)
-            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-          }
-          const hasAccess = await verifyFileAccess(file.key, authResult.userId)
-          if (!hasAccess) {
-            logger.warn(`[${requestId}] File access denied for user`, {
-              userId: authResult.userId,
-              key: file.key,
-            })
-            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-          }
+          const denied = await assertToolFileAccess(file.key, authResult.userId, requestId, logger)
+          if (denied) return denied
           try {
             logger.info(`[${requestId}] Downloading attachment: ${file.name} (${file.size} bytes)`)
             const buffer = await downloadFileFromStorage(file, requestId, logger)
