fix(files): validate fileId in csv-preview route, guard double-import, fix sniff perf and toggle flash

Author: TheodoreSpeaks

apps/sim/app/api/workspaces/[id]/files/[fileId]/csv-preview/route.ts

@@ -5,7 +5,7 @@ import { parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { getCsvPreviewSlice } from '@/lib/file-parsers/csv-preview-slice'
-import { parseWorkspaceFileKey } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
+import { getWorkspaceFile } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceCsvPreviewAPI')
@@ -23,21 +23,27 @@ export const GET = withRouteHandler(
 
     const parsed = await parseRequest(getWorkspaceCsvPreviewContract, request, context)
     if (!parsed.success) return parsed.response
-    const { id: workspaceId } = parsed.data.params
+    const { id: workspaceId, fileId } = parsed.data.params
     const { key } = parsed.data.query
 
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
     if (!permission) {
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
-    // The key is client-supplied — confine it to this workspace's storage prefix so a caller
-    // can't read another workspace's object.
-    if (parseWorkspaceFileKey(key) !== workspaceId) {
-      return NextResponse.json({ error: 'Invalid file key for workspace' }, { status: 400 })
+    // Resolve the file record (active, in this workspace) and read from its authoritative key —
+    // never the client-supplied one. This rejects archived/deleted files and keys with no live
+    // row, matching the access guarantees of /api/files/serve.
+    const record = await getWorkspaceFile(workspaceId, fileId)
+    if (!record || record.key !== key) {
+      return NextResponse.json({ error: 'File not found' }, { status: 404 })
     }
 
-    const slice = await getCsvPreviewSlice({ key, context: 'workspace', signal: request.signal })
+    const slice = await getCsvPreviewSlice({
+      key: record.key,
+      context: 'workspace',
+      signal: request.signal,
+    })
 
     logger.info('CSV preview served', {
       workspaceId,

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/csv-import.ts

@@ -24,7 +24,13 @@ export function useCsvTruncationImport(
   const router = useRouter()
   const importFile = useImportFileAsTable()
 
+  // Guards against a double-tap on the toast action kicking off two parallel imports of the same
+  // file. Reset once the kickoff settles so a failed import can be retried.
+  const importingRef = useRef(false)
+
   const importAsTable = useCallback(() => {
+    if (importingRef.current) return
+    importingRef.current = true
     const pendingId = `pending_${generateId()}`
     useImportTrayStore
       .getState()
@@ -39,8 +45,10 @@ export function useCsvTruncationImport(
     importFile.mutate(
       { workspaceId, fileKey: file.key, fileName: file.name },
       {
-        onSuccess: () => useImportTrayStore.getState().endUpload(pendingId),
-        onError: () => useImportTrayStore.getState().endUpload(pendingId),
+        onSettled: () => {
+          importingRef.current = false
+          useImportTrayStore.getState().endUpload(pendingId)
+        },
       }
     )
     // importFile.mutate and router are stable references

apps/sim/app/workspace/[workspaceId]/home/components/mothership-view/mothership-view.tsx

@@ -88,7 +88,7 @@ export const MothershipView = memo(
 
     // A large CSV renders read-only (streamed) with no editor, so it must not offer the
     // edit/split/preview toggle. Its size lives on the file record, not the resource tab.
-    const { data: files } = useWorkspaceFiles(workspaceId, 'active', {
+    const { data: files, isLoading: filesLoading } = useWorkspaceFiles(workspaceId, 'active', {
       enabled: active?.type === 'file',
     })
     const activeFile = active?.type === 'file' ? files?.find((f) => f.id === active.id) : undefined
@@ -97,6 +97,9 @@ export const MothershipView = memo(
       canEdit &&
       active?.type === 'file' &&
       RICH_PREVIEWABLE_EXTENSIONS.has(getFileExtension(active.title)) &&
+      // Wait for the record before deciding — otherwise the toggle flashes on for a large CSV
+      // until its size loads and we can tell it's read-only.
+      !filesLoading &&
       !(activeFile && isCsvStreamOnly(activeFile))
 
     return (

apps/sim/lib/file-parsers/csv-preview-slice.ts

@@ -59,6 +59,10 @@ export async function getCsvPreviewSlice({
 
   try {
     // Pull chunks until the first newline so the delimiter can be sniffed before parsing.
+    // Accumulate the header line incrementally — appending each chunk's decoded text rather than
+    // re-concatenating the whole buffer each iteration (which would be O(n²) for a header split
+    // across many small chunks). The delimiter chars (`,` `\t` `;`) are ASCII, so a multi-byte
+    // character split at a chunk boundary can't introduce a false delimiter into the count.
     const sniffed: Buffer[] = []
     let firstLine = ''
     let sniffedBytes = 0
@@ -68,13 +72,13 @@ export async function getCsvPreviewSlice({
       const chunk = Buffer.isBuffer(value) ? value : Buffer.from(value)
       sniffed.push(chunk)
       sniffedBytes += chunk.length
-      const combined = Buffer.concat(sniffed).toString('utf-8')
-      const nl = combined.indexOf('\n')
+      const text = chunk.toString('utf-8')
+      const nl = text.indexOf('\n')
       if (nl !== -1) {
-        firstLine = combined.slice(0, nl)
+        firstLine += text.slice(0, nl)
         break
       }
-      firstLine = combined
+      firstLine += text
       if (sniffedBytes >= DELIMITER_SNIFF_MAX_BYTES) break
     }