feat(backend:files): improve file upload handling with comprehensive overwrite support and directory conflict resolution

johaven · johaven · commit e69a687071c0 · 2025-11-03T01:04:43.000+01:00
diff --git a/backend/src/applications/files/files.controller.spec.ts b/backend/src/applications/files/files.controller.spec.ts
@@ -103,10 +103,10 @@ describe(FilesController.name, () => {
       expect(filesMethodsMock.make).toHaveBeenCalledWith(fakeUser, fakeSpace, dto)
     })
 
-    it('upload() should call filesMethods.upload(req, res)', async () => {
-      await filesController.uploadCreate(fakeReq, fakeRes)
+    it('upload() should call filesMethods.upload(req)', async () => {
+      await filesController.uploadCreate(fakeReq)
 
-      expect(filesMethodsMock.upload).toHaveBeenCalledWith(fakeReq, fakeRes)
+      expect(filesMethodsMock.upload).toHaveBeenCalledWith(fakeReq)
     })
 
     it('copy() should call filesMethods.copy(user, space, dto) and return its result', async () => {
diff --git a/backend/src/applications/files/files.controller.ts b/backend/src/applications/files/files.controller.ts
@@ -74,13 +74,13 @@ export class FilesController {
   }
 
   @Post(`${FILES_ROUTE.OPERATION}/${FILE_OPERATION.UPLOAD}/*`)
-  async uploadCreate(@Req() req: FastifySpaceRequest, @Res({ passthrough: true }) res: FastifyReply): Promise<void> {
-    return this.filesMethods.upload(req, res)
+  async uploadCreate(@Req() req: FastifySpaceRequest): Promise<void> {
+    return this.filesMethods.upload(req)
   }
 
   @Put(`${FILES_ROUTE.OPERATION}/${FILE_OPERATION.UPLOAD}/*`)
-  async uploadOverwrite(@Req() req: FastifySpaceRequest, @Res({ passthrough: true }) res: FastifyReply): Promise<void> {
-    return this.filesMethods.upload(req, res)
+  async uploadOverwrite(@Req() req: FastifySpaceRequest): Promise<void> {
+    return this.filesMethods.upload(req)
   }
 
   @Copy(`${FILES_ROUTE.OPERATION}/*`)
diff --git a/backend/src/applications/files/services/files-manager.service.spec.ts b/backend/src/applications/files/services/files-manager.service.spec.ts
@@ -7,6 +7,7 @@
 import { HttpService } from '@nestjs/axios'
 import { Test, TestingModule } from '@nestjs/testing'
 import { DB_TOKEN_PROVIDER } from '../../../infrastructure/database/constants'
+import { SpacesManager } from '../../spaces/services/spaces-manager.service'
 import { FilesLockManager } from './files-lock-manager.service'
 import { FilesManager } from './files-manager.service'
 import { FilesQueries } from './files-queries.service'
@@ -19,6 +20,7 @@ describe(FilesManager.name, () => {
       providers: [
         { provide: DB_TOKEN_PROVIDER, useValue: {} },
         { provide: FilesLockManager, useValue: {} },
+        { provide: SpacesManager, useValue: {} },
         {
           provide: HttpService,
           useValue: {}
diff --git a/backend/src/applications/files/services/files-manager.service.ts b/backend/src/applications/files/services/files-manager.service.ts
@@ -11,14 +11,14 @@ import { AxiosResponse } from 'axios'
 import fs from 'node:fs'
 import path from 'node:path'
 import { Readable } from 'node:stream'
-import { pipeline } from 'node:stream/promises'
 import { extract as extractTar } from 'tar'
 import { FastifyAuthenticatedRequest } from '../../../authentication/interfaces/auth-request.interface'
 import { generateThumbnail } from '../../../common/image'
 import { HTTP_METHOD } from '../../applications.constants'
 import { SPACE_OPERATION } from '../../spaces/constants/spaces'
 import { FastifySpaceRequest } from '../../spaces/interfaces/space-request.interface'
 import { SpaceEnv } from '../../spaces/models/space-env.model'
+import { SpacesManager } from '../../spaces/services/spaces-manager.service'
 import { realTrashPathFromSpace } from '../../spaces/utils/paths'
 import { canAccessToSpace, haveSpaceEnvPermissions } from '../../spaces/utils/permissions'
 import { UserModel } from '../../users/models/user.model'
@@ -68,7 +68,8 @@ export class FilesManager {
   constructor(
     private readonly http: HttpService,
     private readonly filesQueries: FilesQueries,
-    private readonly filesLockManager: FilesLockManager
+    private readonly filesLockManager: FilesLockManager,
+    private readonly spacesManager: SpacesManager
   ) {}
 
   sendFileFromSpace(space: SpaceEnv, asAttachment = false, downloadName = ''): SendFile {
@@ -181,9 +182,10 @@ export class FilesManager {
         POST: create new resource
         PUT: create or update new resource (even if a parent path does not exist)
     */
+    const overwrite = req.method === HTTP_METHOD.PUT
     const realParentPath = dirName(space.realPath)
 
-    if (req.method === HTTP_METHOD.POST) {
+    if (!overwrite) {
       if (await isPathExists(space.realPath)) {
         throw new FileError(HttpStatus.BAD_REQUEST, 'Resource already exists')
       }
@@ -198,14 +200,31 @@ export class FilesManager {
     const basePath = realParentPath + path.sep
 
     for await (const part of req.files()) {
-      // part.filename may contain a path like foo/bar.txt.
+      // part.filename may contain a path like foo/bar.txt
       const dstFile = path.resolve(basePath, part.filename)
       // prevent path traversal
       if (!dstFile.startsWith(basePath)) {
         throw new FileError(HttpStatus.FORBIDDEN, 'Location is not allowed')
       }
-      // make dir in space
+
       const dstDir = dirName(dstFile)
+
+      if (overwrite) {
+        // prevent errors when an uploaded file would replace a directory with the same name
+        // only applies in `overwrite` cases
+        if ((await isPathExists(dstFile)) && (await isPathIsDir(dstFile))) {
+          // If a directory already exists at the destination path, delete it to allow overwriting with the uploaded file
+          const dstUrl = path.join(path.dirname(space.url), part.filename)
+          const dstSpace = await this.spacesManager.spaceEnv(user, dstUrl.split('/'))
+          await this.delete(user, dstSpace)
+        } else if ((await isPathExists(dstDir)) && !(await isPathIsDir(dstDir))) {
+          // If the destination's parent exists but is a file, remove it so we can create the directory
+          const dstUrl = path.join(path.dirname(space.url), path.dirname(part.filename))
+          const dstSpace = await this.spacesManager.spaceEnv(user, dstUrl.split('/'))
+          await this.delete(user, dstSpace)
+        }
+      }
+      // make dir in space
       if (!(await isPathExists(dstDir))) {
         await makeDir(dstDir, true)
       }
@@ -215,7 +234,7 @@ export class FilesManager {
       if (!ok) throw new LockConflict(fileLock, 'Conflicting lock')
       // do
       try {
-        await pipeline(part.file, fs.createWriteStream(dstFile, { highWaterMark: DEFAULT_HIGH_WATER_MARK }))
+        await writeFromStream(dstFile, part.file)
       } finally {
         await this.filesLockManager.removeLock(fileLock.key)
       }
diff --git a/backend/src/applications/files/services/files-methods.service.ts b/backend/src/applications/files/services/files-methods.service.ts
@@ -39,15 +39,11 @@ export class FilesMethods {
     }
   }
 
-  async upload(req: FastifySpaceRequest, res: FastifyReply): Promise<void> {
+  async upload(req: FastifySpaceRequest): Promise<void> {
     try {
       await this.filesManager.saveMultipart(req.user, req.space, req)
     } catch (e) {
-      this.logger.error(`${this.upload.name} - unable to ${FILE_OPERATION.UPLOAD} ${req.space.url} : ${e}`)
-      return res
-        .header('Connection', 'close')
-        .status(e.httpCode || 500)
-        .send({ message: e.message })
+      this.handleError(req.space, FILE_OPERATION.UPLOAD, e)
     }
   }
 
@@ -174,6 +170,7 @@ export class FilesMethods {
 
   private handleError(space: SpaceEnv, action: string, e: any, dstSpace?: SpaceEnv) {
     this.logger.error(`unable to ${action} ${space.url}${dstSpace?.url ? ` -> ${dstSpace.url}` : ''} : ${e}`)
+    // Remove the last part to avoid exposing the path
     const errorMsg = e.message.split(',')[0]
     if (e instanceof LockConflict) {
       throw new HttpException('The file is locked', HttpStatus.LOCKED)
diff --git a/backend/src/applications/sync/services/sync-manager.service.ts b/backend/src/applications/sync/services/sync-manager.service.ts
@@ -266,6 +266,7 @@ export class SyncManager {
 
   private handleError(space: SpaceEnv, action: string, e: any, dstSpace?: SpaceEnv) {
     this.logger.error(`unable to ${action} ${space.url}${dstSpace?.url ? ` -> ${dstSpace.url}` : ''} : ${e}`)
+    // Remove the last part to avoid exposing the path
     const errorMsg = e.message.split(',')[0]
     if (e instanceof LockConflict) {
       throw new HttpException('The file is locked', HttpStatus.LOCKED)
diff --git a/backend/src/applications/webdav/services/webdav-methods.service.ts b/backend/src/applications/webdav/services/webdav-methods.service.ts
@@ -463,6 +463,7 @@ export class WebDAVMethods {
 
   private handleError(req: FastifyDAVRequest, res: FastifyReply, e: any, toUrl?: string) {
     this.logger.error(`Unable to ${req.method} ${req.dav.url}${toUrl ? ` -> ${toUrl}` : ''} : ${e.message}`)
+    // Remove the last part to avoid exposing the path
     const errorMsg = e.message.split(',')[0]
     if (e instanceof LockConflict) {
       return DAV_ERROR_RES(HttpStatus.LOCKED, PRECONDITION.LOCK_CONFLICT, res, e.lock.davLock?.lockroot || e.lock.dbFilePath)

Original file line number	Diff line number	Diff line change
`@@ -74,13 +74,13 @@ export class FilesController {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	@Post(`${FILES_ROUTE.OPERATION}/${FILE_OPERATION.UPLOAD}/*`)
`77`		`- async uploadCreate(@Req() req: FastifySpaceRequest, @Res({ passthrough: true }) res: FastifyReply): Promise<void> {`
`78`		`- return this.filesMethods.upload(req, res)`
	`77`	`+ async uploadCreate(@Req() req: FastifySpaceRequest): Promise<void> {`
	`78`	`+ return this.filesMethods.upload(req)`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	@Put(`${FILES_ROUTE.OPERATION}/${FILE_OPERATION.UPLOAD}/*`)
`82`		`- async uploadOverwrite(@Req() req: FastifySpaceRequest, @Res({ passthrough: true }) res: FastifyReply): Promise<void> {`
`83`		`- return this.filesMethods.upload(req, res)`
	`82`	`+ async uploadOverwrite(@Req() req: FastifySpaceRequest): Promise<void> {`
	`83`	`+ return this.filesMethods.upload(req)`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	@Copy(`${FILES_ROUTE.OPERATION}/*`)
Original file line number	Diff line number	Diff line change
`@@ -39,15 +39,11 @@ export class FilesMethods {`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`		`- async upload(req: FastifySpaceRequest, res: FastifyReply): Promise<void> {`
	`42`	`+ async upload(req: FastifySpaceRequest): Promise<void> {`
`43`	`43`	`try {`
`44`	`44`	`await this.filesManager.saveMultipart(req.user, req.space, req)`
`45`	`45`	`} catch (e) {`
`46`		- this.logger.error(`${this.upload.name} - unable to ${FILE_OPERATION.UPLOAD} ${req.space.url} : ${e}`)
`47`		`- return res`
`48`		`- .header('Connection', 'close')`
`49`		`- .status(e.httpCode \|\| 500)`
`50`		`- .send({ message: e.message })`
	`46`	`+ this.handleError(req.space, FILE_OPERATION.UPLOAD, e)`
`51`	`47`	`}`
`52`	`48`	`}`
`53`	`49`
`@@ -174,6 +170,7 @@ export class FilesMethods {`
`174`	`170`
`175`	`171`	`private handleError(space: SpaceEnv, action: string, e: any, dstSpace?: SpaceEnv) {`
`176`	`172`	this.logger.error(`unable to ${action} ${space.url}${dstSpace?.url ? ` -> ${dstSpace.url}` : ''} : ${e}`)
	`173`	`+ // Remove the last part to avoid exposing the path`
`177`	`174`	`const errorMsg = e.message.split(',')[0]`
`178`	`175`	`if (e instanceof LockConflict) {`
`179`	`176`	`throw new HttpException('The file is locked', HttpStatus.LOCKED)`