fix(web): reject negative part sizes, clamp POST size range, harden cleanup

Author: richiemcilroy

apps/web/app/api/upload/[...route]/multipart.ts

@@ -291,7 +291,9 @@ app.post(
 					z.object({
 						partNumber: z.number(),
 						etag: z.string(),
-						size: z.number(),
+						// Non-negative so a negative size can't drag the summed total
+						// below the cap and bypass the upload-size limit.
+						size: z.number().nonnegative(),
 					}),
 				),
 				durationInSecs: stringOrNumberOptional,
@@ -413,16 +415,35 @@ app.post(
 			}
 			if (totalUploadSize > MAX_UPLOAD_BYTES) {
 				// Avoid leaving the parts as incomplete-MPU storage and a stale
-				// videoUploads row, mirroring the free-plan rejection cleanup. The
-				// 413 stands regardless of cleanup success.
+				// videoUploads row, mirroring the free-plan rejection cleanup. Each
+				// step is caught independently so a failed abort doesn't skip the DB
+				// cleanup (and vice versa). The 413 stands regardless of either.
 				yield* Effect.gen(function* () {
 					const [bucket] = yield* Storage.getAccessForVideo(video);
-					yield* bucket.multipart.abort(fileKey, uploadId);
-					yield* db.use((db) =>
-						db
-							.delete(Db.videoUploads)
-							.where(eq(Db.videoUploads.videoId, videoId)),
-					);
+					yield* bucket.multipart
+						.abort(fileKey, uploadId)
+						.pipe(
+							Effect.catchAll((error) =>
+								Effect.logError(
+									"Failed to abort rejected oversized multipart upload",
+									error,
+								),
+							),
+						);
+					yield* db
+						.use((db) =>
+							db
+								.delete(Db.videoUploads)
+								.where(eq(Db.videoUploads.videoId, videoId)),
+						)
+						.pipe(
+							Effect.catchAll((error) =>
+								Effect.logError(
+									"Failed to delete videoUploads row for rejected upload",
+									error,
+								),
+							),
+						);
 				}).pipe(
 					Effect.catchAll((error) =>
 						Effect.logError(

packages/web-backend/src/S3Buckets/S3BucketAccess.ts

@@ -274,23 +274,38 @@ export const createS3BucketAccess = Effect.gen(function* () {
 					Effect.map((client) => {
 						// Enforce an upper bound on the uploaded object size. The POST
 						// policy rejects the upload at S3 if the body exceeds this,
-						// closing the unbounded-storage hole for presigned POSTs. If a
-						// caller already supplies a content-length-range we defer to it
-						// rather than emitting a second, conflicting range.
+						// closing the unbounded-storage hole for presigned POSTs. We emit
+						// exactly one content-length-range whose max never exceeds
+						// MAX_UPLOAD_BYTES, even if a caller supplied a looser one, so a
+						// caller can tighten but never raise/disable the cap.
 						const callerConditions = args.Conditions ?? [];
-						const hasContentLengthRange = callerConditions.some(
-							(condition) =>
-								Array.isArray(condition) &&
-								condition[0] === "content-length-range",
+						const isLengthRange = (condition: unknown): boolean =>
+							Array.isArray(condition) &&
+							condition[0] === "content-length-range";
+						const callerRange = callerConditions.find(isLengthRange) as
+							| [unknown, unknown, unknown]
+							| undefined;
+						const callerMin =
+							callerRange && typeof callerRange[1] === "number"
+								? Math.max(0, callerRange[1])
+								: 0;
+						const callerMax =
+							callerRange && typeof callerRange[2] === "number"
+								? callerRange[2]
+								: MAX_UPLOAD_BYTES;
+						const otherConditions = callerConditions.filter(
+							(condition) => !isLengthRange(condition),
 						);
 						return createPresignedPost(client, {
 							...args,
-							Conditions: hasContentLengthRange
-								? callerConditions
-								: [
-										["content-length-range", 0, MAX_UPLOAD_BYTES],
-										...callerConditions,
-									],
+							Conditions: [
+								[
+									"content-length-range",
+									callerMin,
+									Math.min(callerMax, MAX_UPLOAD_BYTES),
+								],
+								...otherConditions,
+							],
 							Bucket: provider.bucket,
 							Key: key,
 						});