Merge pull request #30527 from overleaf/bg-acf-fix-file-upload-leak

clean up temporary file on upload failure

GitOrigin-RevId: 0f30e6da2087e94e2e9bb95ae845af2efdaa5a7b

services/web/app/src/Features/Uploads/ProjectUploadController.mjs

@@ -71,6 +71,7 @@ async function uploadFile(req, res, next) {
   const userId = SessionManager.getLoggedInUserId(req.session)
   let { folder_id: folderId } = req.query
   if (name == null || name.length === 0 || name.length > 150) {
+    fs.unlink(path, function () {})
     return res.status(422).json({
       success: false,
       error: 'invalid_filename',

services/web/test/unit/src/Uploads/ProjectUploadController.test.mjs

@@ -354,7 +354,7 @@ describe('ProjectUploadController', function () {
         ctx.ProjectUploadController.uploadFile(ctx.req, ctx.res)
       })
 
-      it('should return a a non success response', function (ctx) {
+      it('should return a non success response', function (ctx) {
         expect(ctx.res.body).to.deep.equal(
           JSON.stringify({
             success: false,
@@ -362,6 +362,30 @@ describe('ProjectUploadController', function () {
           })
         )
       })
+
+      it('should remove the uploaded file', function (ctx) {
+        ctx.fs.unlink.calledWith(ctx.path).should.equal(true)
+      })
+    })
+
+    describe('with a filename that is too long', function () {
+      beforeEach(function (ctx) {
+        ctx.req.body.name = 'a'.repeat(151)
+        ctx.ProjectUploadController.uploadFile(ctx.req, ctx.res)
+      })
+
+      it('should return a non success response', function (ctx) {
+        expect(ctx.res.body).to.deep.equal(
+          JSON.stringify({
+            success: false,
+            error: 'invalid_filename',
+          })
+        )
+      })
+
+      it('should remove the uploaded file', function (ctx) {
+        ctx.fs.unlink.calledWith(ctx.path).should.equal(true)
+      })
     })
   })
 })