agent: @U0AJM7X8FBR Chat - /files page - Drag-n-Drop Files.#333
sweetmantech wants to merge 1 commit into test.
…org submodules
- lib/github/commitFileToRepo.ts: GitHub Contents API utility to create/update files in a repo
- lib/sandbox/uploadSandboxFilesHandler.ts: multipart handler that resolves submodule paths and commits files
- lib/sandbox/__tests__/uploadSandboxFilesHandler.test.ts: 6 passing tests (TDD)
- app/api/sandboxes/files/route.ts: POST route wired to handler
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
recoup-coding-agent left a comment
Code Review: Chat - /files page - Drag-n-Drop Files
Summary
Adds POST /api/sandboxes/files endpoint to upload files from the drag-and-drop UI to the authenticated account's GitHub org submodule. Files are resolved through resolveSubmodulePath so they land in the correct sub-repo. Good test coverage across auth, validation, snapshot lookup, and upload result cases.
CLEAN Code Assessment
SRP ✅ commitFileToRepo handles GitHub, uploadSandboxFilesHandler handles orchestration — well separated.
OCP ✅ No modification to existing code paths.
DRY ✅ Reuses validateAuthContext, selectAccountSnapshots, resolveSubmodulePath.
YAGNI ✅ No over-engineering; handles exactly what was asked.
Issues Found
🔴 Blocking
1. Path traversal via file.name
const fullPath = `${folder.replace(/\/$/, "")}/${file.name}`;
file.name comes from the Content-Disposition header in the multipart body and is not sanitized. A crafted request could send file.name = "../../../.env", resulting in a path like .openclaw/workspace/orgs/myorg/../../../.env, which GitHub normalizes to .env at the repo root — allowing arbitrary file writes.
Fix: strip ../ sequences and leading slashes from file.name before building the path:
// Drop control characters first, then strip "../", "..\" and leading separators.
// Repeat until the name stops changing: a single pass is bypassable, since "....//" collapses to "../" after one replace.
let safeName = file.name.replace(/[\x00-\x1f]/g, "");
for (let prev = ""; prev !== safeName; ) { prev = safeName; safeName = safeName.replace(/(\.\.\/|\.\.\\|^[\\/]+)/g, ""); }
const fullPath = `${folder.replace(/\/$/, "")}/${safeName}`;
🟡 Suggestions
2. Hardcoded branch: "main" in commitFileToRepo
branch: "main",
This silently targets main regardless of the actual default branch. Repos using master or another default branch will fail. Consider either:
- Accepting branch as an optional parameter (defaulting to "main"), or
- Fetching the repo's default branch via GET /repos/{owner}/{repo} when not provided.
3. Unhandled selectAccountSnapshots rejection
The snapshots lookup isn't wrapped in try/catch. A database error will produce an unhandled 500. Given the pattern used in similar handlers, wrap in try/catch with a { status: 500 } response.
4. No file size limit
The handler accepts arbitrarily large files. Consider adding a limit (e.g., 10MB per file or per request) before calling file.arrayBuffer() to avoid memory exhaustion.
🔵 Nits
- Empty JSDoc blocks on createMockFormData and createMockRequest test helpers — remove them.
Security
🔴 Path traversal via file.name (see blocking issue above).
✅ Auth enforced via validateAuthContext.
✅ No hardcoded secrets.
Verdict: request-changes
Path traversal on file.name must be fixed before merging. The branch hardcoding and missing try/catch are worth addressing in the same PR.
Automated PR from coding agent.
Prompt: @U0AJM7X8FBR Chat - /files page - Drag-n-Drop Files.
• actual: I am unable to drag and drop files on the /files page to add them to my github repository in an org submodule.
• required: I can drag and drop files on the /files page to add them to my github repository in an org submodule.