address comments

Author: icecrasher321

apps/sim/app/api/workspaces/[id]/files/download/route.ts

@@ -17,7 +17,10 @@ const logger = createLogger('WorkspaceFilesDownloadAPI')
 function safeZipPath(path: string): string {
   return path
     .split('/')
-    .map((segment) => segment.trim().replace(/[<>:"\\|?*\x00-\x1f]/g, '_'))
+    .map((segment) => {
+      const cleaned = segment.trim().replace(/[<>:"\\|?*\x00-\x1f]/g, '_')
+      return cleaned === '.' || cleaned === '..' ? '_' : cleaned
+    })
     .filter(Boolean)
     .join('/')
 }

apps/sim/app/workspace/[workspaceId]/files/files.tsx

@@ -689,7 +689,7 @@ export function Files() {
   )
 
   async function uploadFiles(filesToUpload: File[], targetFolderId = currentFolderId) {
-    if (!workspaceId || filesToUpload.length === 0) return
+    if (!workspaceId || filesToUpload.length === 0 || !canEdit) return
 
     const oversized: string[] = []
     const sizeFiltered = filesToUpload.filter((f) => {
@@ -904,14 +904,19 @@ export function Files() {
   }, [selectedFileIds, selectedFolderIds, currentFolderId])
 
   const handleMoveSelected = useCallback(async () => {
-    await moveItems.mutateAsync({
-      workspaceId,
-      fileIds: selectedFileIds,
-      folderIds: selectedFolderIds,
-      targetFolderId: moveTargetFolderId,
-    })
-    setSelectedRowIds(new Set())
-    setShowMoveModal(false)
+    try {
+      await moveItems.mutateAsync({
+        workspaceId,
+        fileIds: selectedFileIds,
+        folderIds: selectedFolderIds,
+        targetFolderId: moveTargetFolderId,
+      })
+      setSelectedRowIds(new Set())
+      setShowMoveModal(false)
+    } catch (error) {
+      logger.error('Failed to move selected items:', error)
+      toast.error(error instanceof Error ? error.message : 'Failed to move selected items')
+    }
   }, [workspaceId, selectedFileIds, selectedFolderIds, moveTargetFolderId, moveItems])
 
   const fileDetailBreadcrumbs = useMemo(
@@ -1075,10 +1080,21 @@ export function Files() {
 
   const handleContextMenuDownload = useCallback(() => {
     const item = contextMenuItemRef.current
-    if (!item || item.kind !== 'file') return
+    if (!item) return
+    const rowId = item.kind === 'file' ? fileRowId(item.file.id) : folderRowId(item.folder.id)
+    if (selectedRowIds.has(rowId) && selectedRowIds.size > 1) {
+      handleBulkDownload()
+      closeContextMenu()
+      return
+    }
+    if (item.kind === 'folder') {
+      window.location.href = `/api/workspaces/${workspaceId}/files/download?folderIds=${encodeURIComponent(item.folder.id)}`
+      closeContextMenu()
+      return
+    }
     handleDownload(item.file)
     closeContextMenu()
-  }, [handleDownload, closeContextMenu])
+  }, [selectedRowIds, handleBulkDownload, closeContextMenu, workspaceId, handleDownload])
 
   const handleContextMenuRename = useCallback(() => {
     const item = contextMenuItemRef.current
@@ -1091,14 +1107,20 @@ export function Files() {
   const handleContextMenuDelete = useCallback(() => {
     const item = contextMenuItemRef.current
     if (!item) return
+    const rowId = item.kind === 'file' ? fileRowId(item.file.id) : folderRowId(item.folder.id)
+    if (selectedRowIds.has(rowId) && selectedRowIds.size > 1) {
+      handleBulkDelete()
+      closeContextMenu()
+      return
+    }
     setDeleteTarget(
       item.kind === 'file'
         ? { fileIds: [item.file.id], folderIds: [], name: item.file.name }
         : { fileIds: [], folderIds: [item.folder.id], name: item.folder.name, isFolder: true }
     )
     setShowDeleteConfirm(true)
     closeContextMenu()
-  }, [closeContextMenu])
+  }, [selectedRowIds, handleBulkDelete, closeContextMenu])
 
   const handleContentContextMenu = useCallback(
     (e: React.MouseEvent) => {
@@ -1115,9 +1137,10 @@ export function Files() {
   )
 
   const handleListUploadFile = useCallback(() => {
+    if (!canEdit || uploading) return
     fileInputRef.current?.click()
     closeListContextMenu()
-  }, [closeListContextMenu])
+  }, [canEdit, uploading, closeListContextMenu])
 
   const prevFileIdRef = useRef(fileIdFromRoute)
   if (fileIdFromRoute !== prevFileIdRef.current) {
@@ -1279,8 +1302,9 @@ export function Files() {
   )
 
   const handleUploadClick = useCallback(() => {
+    if (!canEdit || uploading) return
     fileInputRef.current?.click()
-  }, [])
+  }, [canEdit, uploading])
 
   const searchConfig: SearchConfig = {
     value: inputValue,
@@ -1310,6 +1334,7 @@ export function Files() {
         label: uploadButtonLabel,
         icon: Upload,
         onClick: handleUploadClick,
+        disabled: uploading || !canEdit,
       },
       {
         label: 'New folder',
@@ -1372,14 +1397,20 @@ export function Files() {
     () => [
       { value: '__root__', label: 'Files' },
       ...folders
-        .filter((folder) => !selectedFolderIds.includes(folder.id))
+        .filter((folder) => {
+          if (selectedFolderIds.includes(folder.id)) return false
+          return selectedFolderIds.every(
+            (selectedFolderId) =>
+              !descendantFolderIdsByFolderId.get(selectedFolderId)?.has(folder.id)
+          )
+        })
         .map((folder) => ({
           value: folder.id,
           label: folder.path,
           icon: Folder,
         })),
     ],
-    [folders, selectedFolderIds]
+    [folders, selectedFolderIds, descendantFolderIdsByFolderId]
   )
 
   const sortConfig: SortConfig = useMemo(
@@ -1734,7 +1765,7 @@ export function Files() {
         type='file'
         className='hidden'
         onChange={handleFileChange}
-        disabled={uploading}
+        disabled={uploading || !canEdit}
         accept={ACCEPT_ATTR}
         multiple
       />

apps/sim/lib/api/contracts/workspace-file-folders.ts

@@ -34,13 +34,22 @@ const workspaceFileFoldersSuccessSchema = z.object({
   success: z.boolean(),
 })
 
+const workspaceFileFolderNameSchema = z
+  .string({ error: 'Name is required' })
+  .trim()
+  .min(1, 'Name is required')
+  .refine(
+    (name) => name !== '.' && name !== '..' && !name.includes('/') && !name.includes('\\'),
+    'Name cannot contain path separators or dot segments'
+  )
+
 export const createWorkspaceFileFolderBodySchema = z.object({
-  name: z.string({ error: 'Name is required' }).trim().min(1, 'Name is required'),
+  name: workspaceFileFolderNameSchema,
   parentId: z.string().nullable().optional(),
 })
 
 export const updateWorkspaceFileFolderBodySchema = z.object({
-  name: z.string().trim().min(1, 'Name is required').optional(),
+  name: workspaceFileFolderNameSchema.optional(),
   parentId: z.string().nullable().optional(),
   sortOrder: z.number().int().optional(),
 })

apps/sim/lib/api/contracts/workspace-files.ts

@@ -15,10 +15,17 @@ export const listWorkspaceFilesQuerySchema = z.object({
   scope: workspaceFileScopeSchema.default('active'),
 })
 
+const workspaceFileNameSchema = z
+  .string({ error: 'Name is required' })
+  .trim()
+  .min(1, 'Name is required')
+  .refine(
+    (name) => name !== '.' && name !== '..' && !name.includes('/') && !name.includes('\\'),
+    'Name cannot contain path separators or dot segments'
+  )
+
 export const renameWorkspaceFileBodySchema = z.object({
-  name: z
-    .string({ error: 'Name is required' })
-    .refine((name) => name.trim().length > 0, { message: 'Name is required' }),
+  name: workspaceFileNameSchema,
 })
 
 export const updateWorkspaceFileContentBodySchema = z.object({
@@ -166,7 +173,7 @@ export const workspaceFileCompiledCheckContract = defineRouteContract({
 })
 
 export const workspacePresignedUploadBodySchema = z.object({
-  fileName: z.string().min(1, 'fileName is required'),
+  fileName: workspaceFileNameSchema,
   contentType: z.string().min(1, 'contentType is required'),
   fileSize: z.number().nonnegative('fileSize must be a non-negative number'),
   folderId: z.string().nullable().optional(),
@@ -203,7 +210,7 @@ export const workspacePresignedUploadContract = defineRouteContract({
 
 export const registerWorkspaceFileBodySchema = z.object({
   key: z.string().min(1, 'key is required'),
-  name: z.string().min(1, 'name is required'),
+  name: workspaceFileNameSchema,
   contentType: z.string().min(1, 'contentType is required'),
   folderId: z.string().nullable().optional(),
 })

apps/sim/lib/copilot/tools/server/files/workspace-file.ts

@@ -97,8 +97,13 @@ export function inferContentType(fileName: string, explicitType?: string): strin
 export function validateFlatWorkspaceFileName(fileName: string): string | null {
   const trimmed = fileName.trim()
   if (!trimmed) return 'File name cannot be empty'
-  if (trimmed.split('/').some((segment) => !segment.trim()))
+  const segments = trimmed.split('/').map((segment) => segment.trim())
+  if (segments.some((segment) => !segment)) {
     return 'File path cannot contain empty segments'
+  }
+  if (segments.some((segment) => segment === '.' || segment === '..' || segment.includes('\\'))) {
+    return 'File path cannot contain dot segments or backslashes'
+  }
   return null
 }
 

apps/sim/lib/uploads/contexts/workspace/workspace-file-folder-manager.test.ts

@@ -3,7 +3,10 @@
  */
 
 import { describe, expect, it } from 'vitest'
-import { buildWorkspaceFileFolderPathMap } from './workspace-file-folder-manager'
+import {
+  buildWorkspaceFileFolderPathMap,
+  normalizeWorkspaceFileItemName,
+} from './workspace-file-folder-manager'
 
 describe('workspace file folder paths', () => {
   it('builds nested paths from parent relationships', () => {
@@ -17,4 +20,14 @@ describe('workspace file folder paths', () => {
     expect(paths.get('quarterly')).toBe('Reports/Quarterly')
     expect(paths.get('archive')).toBe('Archive')
   })
+
+  it('rejects names that would create ambiguous paths', () => {
+    expect(normalizeWorkspaceFileItemName('Reports', 'Folder')).toBe('Reports')
+    expect(() => normalizeWorkspaceFileItemName('A/B', 'Folder')).toThrow(
+      'Folder name cannot contain path separators or dot segments'
+    )
+    expect(() => normalizeWorkspaceFileItemName('..', 'File')).toThrow(
+      'File name cannot contain path separators or dot segments'
+    )
+  })
 })