fix(workspace-files): audit fixes — transaction, status codes, contract refinements, guards

Author: waleedlatif1

apps/sim/app/api/workspaces/[id]/files/download/route.ts

@@ -97,7 +97,7 @@ export const GET = withRouteHandler(
           {
             error: `Too many files selected for download. Select ${MAX_ZIP_DOWNLOAD_FILES} or fewer files.`,
           },
-          { status: 413 }
+          { status: 400 }
         )
       }
 
@@ -107,7 +107,7 @@ export const GET = withRouteHandler(
           {
             error: `Selected files total ${formatFileSize(totalBytes)}, which exceeds the ${formatFileSize(MAX_ZIP_DOWNLOAD_BYTES)} download limit.`,
           },
-          { status: 413 }
+          { status: 400 }
         )
       }
 

apps/sim/app/workspace/[workspaceId]/files/components/action-bar/action-bar.tsx

@@ -91,10 +91,12 @@ export function FilesActionBar({
                       align='center'
                       className='max-h-[240px] overflow-y-auto'
                     >
-                      <DropdownMenuItem onSelect={() => onMove(moveOptions[0].value)}>
-                        <Folder />
-                        {moveOptions[0].label}
-                      </DropdownMenuItem>
+                      {moveOptions.length > 0 && (
+                        <DropdownMenuItem onSelect={() => onMove(moveOptions[0].value)}>
+                          <Folder />
+                          {moveOptions[0].label}
+                        </DropdownMenuItem>
+                      )}
                       {moveOptions.length > 1 && <DropdownMenuSeparator />}
                       {moveOptions.slice(1).map((option) => renderMoveOption(option, onMove))}
                     </DropdownMenuContent>

apps/sim/app/workspace/[workspaceId]/files/components/delete-confirm-modal/delete-confirm-modal.tsx

@@ -48,8 +48,12 @@ export const DeleteConfirmModal = memo(function DeleteConfirmModal({
         <ModalBody>
           <ModalDescription className='text-[var(--text-secondary)]'>
             Are you sure you want to delete{' '}
-            <span className='font-medium text-[var(--text-primary)]'>{fileName}</span>?{' '}
-            {consequence}
+            {fileName ? (
+              <span className='font-medium text-[var(--text-primary)]'>{fileName}</span>
+            ) : (
+              `${totalCount} item${totalCount === 1 ? '' : 's'}`
+            )}
+            ? {consequence}
           </ModalDescription>
         </ModalBody>
         <ModalFooter>

apps/sim/app/workspace/[workspaceId]/files/components/files-list-context-menu/files-list-context-menu.tsx

@@ -36,14 +36,8 @@ export const FilesListContextMenu = memo(function FilesListContextMenu({
     <DropdownMenu open={isOpen} onOpenChange={(open) => !open && onClose()} modal={false}>
       <DropdownMenuTrigger asChild>
         <div
-          style={{
-            position: 'fixed',
-            left: `${position.x}px`,
-            top: `${position.y}px`,
-            width: '1px',
-            height: '1px',
-            pointerEvents: 'none',
-          }}
+          className='pointer-events-none fixed size-px'
+          style={{ left: position.x, top: position.y }}
           tabIndex={-1}
           aria-hidden
         />

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/sidebar.tsx

@@ -826,7 +826,7 @@ export const Sidebar = memo(function Sidebar() {
             id: f.id,
             name: f.name,
             href: `/workspace/${workspaceId}/files/${f.id}`,
-            folderPath: f.folderPath ? f.folderPath.split('/') : undefined,
+            folderPath: f.folderPath ? f.folderPath.split('/').filter(Boolean) : undefined,
           })),
     [fetchedFiles, workspaceId, permissionConfig.hideFilesTab]
   )

apps/sim/lib/api/contracts/tools/file.ts

@@ -27,7 +27,7 @@ export const fileManageGetBodySchema = z
     operation: z.literal('get'),
     workspaceId: z.string().min(1).optional(),
     fileId: z.string().min(1).optional(),
-    fileInput: z.any().optional(),
+    fileInput: z.unknown().optional(),
   })
   .refine((data) => data.fileId !== undefined || data.fileInput !== undefined, {
     message: 'Either fileId or fileInput is required for get operation',

apps/sim/lib/api/contracts/workspace-file-folders.ts

@@ -54,16 +54,24 @@ export const updateWorkspaceFileFolderBodySchema = z.object({
   sortOrder: z.number().int().optional(),
 })
 
-export const moveWorkspaceFileItemsBodySchema = z.object({
-  fileIds: z.array(z.string()).default([]),
-  folderIds: z.array(z.string()).default([]),
-  targetFolderId: z.string().nullable().optional(),
-})
+export const moveWorkspaceFileItemsBodySchema = z
+  .object({
+    fileIds: z.array(z.string()).default([]),
+    folderIds: z.array(z.string()).default([]),
+    targetFolderId: z.string().nullable().optional(),
+  })
+  .refine((body) => body.fileIds.length > 0 || body.folderIds.length > 0, {
+    message: 'At least one file or folder must be selected',
+  })
 
-export const bulkArchiveWorkspaceFileItemsBodySchema = z.object({
-  fileIds: z.array(z.string()).default([]),
-  folderIds: z.array(z.string()).default([]),
-})
+export const bulkArchiveWorkspaceFileItemsBodySchema = z
+  .object({
+    fileIds: z.array(z.string()).default([]),
+    folderIds: z.array(z.string()).default([]),
+  })
+  .refine((body) => body.fileIds.length > 0 || body.folderIds.length > 0, {
+    message: 'At least one file or folder must be selected',
+  })
 
 const queryIdListSchema = z
   .union([z.string(), z.array(z.string())])

apps/sim/lib/uploads/contexts/workspace/workspace-file-folder-manager.ts

@@ -902,43 +902,49 @@ export async function restoreWorkspaceFileFolder(
   workspaceId: string,
   folderId: string
 ): Promise<WorkspaceFileFolderRecord> {
-  const raw = await db
-    .select()
-    .from(workspaceFileFolder)
-    .where(
-      and(eq(workspaceFileFolder.id, folderId), eq(workspaceFileFolder.workspaceId, workspaceId))
-    )
-    .limit(1)
-    .then((rows) => rows[0] ?? null)
-
-  if (!raw) throw new Error('Folder not found')
-  if (!raw.deletedAt) throw new Error('Folder is not archived')
+  const restored = await db.transaction(async (tx) => {
+    await acquireWorkspaceFileFolderMutationLock(tx, workspaceId)
 
-  // If the parent folder is still archived, restore to root so the folder
-  // doesn't become an orphan (hidden under an archived parent).
-  let resolvedParentId = raw.parentId
-  if (resolvedParentId) {
-    const parent = await db
-      .select({ deletedAt: workspaceFileFolder.deletedAt })
+    const raw = await tx
+      .select()
       .from(workspaceFileFolder)
       .where(
-        and(
-          eq(workspaceFileFolder.id, resolvedParentId),
-          eq(workspaceFileFolder.workspaceId, workspaceId)
-        )
+        and(eq(workspaceFileFolder.id, folderId), eq(workspaceFileFolder.workspaceId, workspaceId))
       )
       .limit(1)
       .then((rows) => rows[0] ?? null)
-    if (!parent || parent.deletedAt) resolvedParentId = null
-  }
 
-  const [restored] = await db
-    .update(workspaceFileFolder)
-    .set({ deletedAt: null, parentId: resolvedParentId, updatedAt: new Date() })
-    .where(
-      and(eq(workspaceFileFolder.id, folderId), eq(workspaceFileFolder.workspaceId, workspaceId))
-    )
-    .returning()
+    if (!raw) throw new Error('Folder not found')
+    if (!raw.deletedAt) throw new Error('Folder is not archived')
+
+    // If the parent folder is still archived, restore to root so the folder
+    // doesn't become an orphan (hidden under an archived parent).
+    let resolvedParentId = raw.parentId
+    if (resolvedParentId) {
+      const parent = await tx
+        .select({ deletedAt: workspaceFileFolder.deletedAt })
+        .from(workspaceFileFolder)
+        .where(
+          and(
+            eq(workspaceFileFolder.id, resolvedParentId),
+            eq(workspaceFileFolder.workspaceId, workspaceId)
+          )
+        )
+        .limit(1)
+        .then((rows) => rows[0] ?? null)
+      if (!parent || parent.deletedAt) resolvedParentId = null
+    }
+
+    const [row] = await tx
+      .update(workspaceFileFolder)
+      .set({ deletedAt: null, parentId: resolvedParentId, updatedAt: new Date() })
+      .where(
+        and(eq(workspaceFileFolder.id, folderId), eq(workspaceFileFolder.workspaceId, workspaceId))
+      )
+      .returning()
+
+    return row
+  })
 
   logger.info('Restored workspace file folder', { workspaceId, folderId })