fix: FileUploadModal not validating renamed blacklisted file types

[abhinavkrin]

Proposed changes (including videos or screenshots)

This PR fixes an issue where the client continued sending an incorrect MIME type when a file name was changed during the upload flow.

Issue(s)

Steps to test or reproduce

Further comments

SUP-953

Summary by CodeRabbit

• New Features

  • Added filename-based MIME detection to improve content-type handling.

• Bug Fixes

  • Fixed bypass of file-type blacklist when renaming files so disallowed uploads are blocked.

• Improvements

  • Early validation of uploads by filename and content type; better error messaging and added accessibility alerts on validation errors.

• Tests

  • Added render, accessibility, and validation tests for the file upload modal.

• Chores

  • Added a changeset to mark a patch release.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: aadaadb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Added filename-based MIME lookup and used it to validate renamed uploads before submission; small upload flow cleanup and tests/changeset to prevent blacklisted types being bypassed by renaming.

Changes

Cohort / File(s)	Summary
MIME Type Utilities apps/meteor/app/utils/lib/mimeTypes.ts	Added getMimeTypeFromFileName(fileName: string) (falls back to application/octet-stream), refactored getMimeType() to delegate to it, and exported the new helper.
Upload Flow Adjustments apps/meteor/client/lib/chats/flows/uploadFiles.ts	Minor signature cleanup for onSubmit (removed inline types) and adjusted content-type check to use file.type instead of file?.type.
File Upload Modal Logic apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx	Added filename validation via getMimeTypeFromFileName + fileUploadIsValidContentType (wired into form register), added useCallback validator, and added role="alert" to field errors for accessibility.
File Upload Modal Tests apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.spec.tsx	Added story-based render + a11y tests, updated test fixtures to include type and fileName, added description length test and renamed-file blacklist test.
Changeset .changeset/short-jobs-join.md	Added patch changeset noting fix for file type blacklist bypass via rename.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as "User\n(uploads file)"
  participant UI as "FileUploadModal\n(client)"
  participant Util as "mimeTypes Util"
  participant Validator as "ContentType Validator"
  participant Server as "Server\n(upload endpoint)"

  User->>UI: Select file and optionally rename
  UI->>Util: getMimeTypeFromFileName(newFileName)
  Util-->>UI: inferred MIME type
  UI->>Validator: fileUploadIsValidContentType(inferred MIME or file.type)
  Validator-->>UI: accepted / rejected
  alt rejected
    UI-->>User: show name error (role=alert) and abort
  else accepted
    UI->>UI: run other validations (size, description)
    UI->>Server: upload file (original or renamed)
    Server-->>UI: upload response
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: prevent file content buffering in user uploads #38071 — touches MIME-type resolution used in upload flows and may overlap with filename-based MIME handling changes.

Suggested reviewers

• rodrigok
• ggazzo
• cardoso

Poem

🐰 I sniffed the filename, checked its mime with care,
No sneaky rename will slip past my stare.
I hop and I guard each upload today,
Errors announced so none go astray.
Hooray — the blacklist stands, come what may! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The pull request successfully addresses the core objectives from SUP-953 by validating MIME types based on the renamed filename, preventing blacklist bypasses through extension changes.
Out of Scope Changes check	✅ Passed	All changes are focused on fixing the MIME type bypass issue through filename-based validation and improved error handling in the File Upload dialog.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately describes the main fix: validating renamed blacklisted file types in FileUploadModal, which directly addresses the security issue where file type blacklists were being bypassed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/client-sends-incorrect-mime-type-on-file-name-change

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/meteor/tests/e2e/file-upload.spec.ts">

<violation number="1" location="apps/meteor/tests/e2e/file-upload.spec.ts:14">
P1: Typo: trailing comma inside the setting ID string `'FileUpload_MediaTypeBlackList,'` will cause the setting to not be found. The `afterAll` block correctly uses `'FileUpload_MediaTypeBlackList'` without the comma.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @apps/meteor/tests/e2e/file-upload.spec.ts:
- Line 14: The call to setSettingValueById uses an incorrect setting ID with a
trailing comma ('FileUpload_MediaTypeBlackList,'), causing the blacklist to be
set on the wrong key; remove the trailing comma so the function uses the correct
ID ('FileUpload_MediaTypeBlackList') in the test (locate the failing invocation
of setSettingValueById in file-upload.spec.ts and update the string argument).

🧹 Nitpick comments (1)

apps/meteor/client/lib/chats/flows/uploadFiles.ts (1)

217-217: Consider validating with prepared file for consistency.

The invalidContentType check uses nextFile?.type (the original file's type), but the actual submission validation at line 87 uses the prepared file's type. This could lead to inconsistent UX where the modal appears but then immediately shows an error on submit when a user renames a file to a blacklisted extension.

However, this might be intentional to allow users to fix the filename. If so, the current behavior is acceptable.

💡 Alternative approach for consistency

If you want to prevent the modal from appearing at all for invalid types after renaming, you could move the file preparation and validation earlier:

	const uploadNextFile = (): void => {
		const nextFile = queue.pop();
		if (!nextFile) {
			chat.composer?.dismissAllQuotedMessages();
			return;
		}
+
+		// Early validation for renamed files
+		const initialFile = prepareFile(nextFile.name, nextFile.name, nextFile);

		imperativeModal.open({
			component: FileUploadModal,
			props: {
-				invalidContentType: !fileUploadIsValidContentType(nextFile?.type),
+				invalidContentType: !fileUploadIsValidContentType(initialFile.type),

Note: This would require adjusting the logic since initially the filename hasn't changed yet.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 69aa0bd and c6c9e0c.

📒 Files selected for processing (4)

• apps/meteor/app/utils/lib/mimeTypes.ts
• apps/meteor/client/lib/chats/flows/uploadFiles.ts
• apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx
• apps/meteor/tests/e2e/file-upload.spec.ts

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx
• apps/meteor/tests/e2e/file-upload.spec.ts
• apps/meteor/client/lib/chats/flows/uploadFiles.ts
• apps/meteor/app/utils/lib/mimeTypes.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• apps/meteor/tests/e2e/file-upload.spec.ts

apps/meteor/tests/e2e/**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.spec.ts: All test files must be created in apps/meteor/tests/e2e/ directory
Avoid using page.locator() in Playwright tests - always prefer semantic locators such as page.getByRole(), page.getByLabel(), page.getByText(), or page.getByTitle()
Use test.beforeAll() and test.afterAll() for setup/teardown in Playwright tests
Use test.step() for complex test scenarios to improve organization in Playwright tests
Group related tests in the same file
Utilize Playwright fixtures (test, page, expect) for consistency in test files
Prefer web-first assertions (toBeVisible, toHaveText, etc.) in Playwright tests
Use expect matchers for assertions (toEqual, toContain, toBeTruthy, toHaveLength, etc.) instead of assert statements in Playwright tests
Use page.waitFor() with specific conditions instead of hardcoded timeouts in Playwright tests
Implement proper wait strategies for dynamic content in Playwright tests
Maintain test isolation between test cases in Playwright tests
Ensure clean state for each test execution in Playwright tests
Ensure tests run reliably in parallel without shared state conflicts

Files:

• apps/meteor/tests/e2e/file-upload.spec.ts

apps/meteor/tests/e2e/**/*.{ts,spec.ts}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.{ts,spec.ts}: Store commonly used locators in variables/constants for reuse
Follow Page Object Model pattern consistently in Playwright tests

Files:

• apps/meteor/tests/e2e/file-upload.spec.ts

🧠 Learnings (10)

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : All test files must be created in `apps/meteor/tests/e2e/` directory

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `test.beforeAll()` and `test.afterAll()` for setup/teardown in Playwright tests

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to **/*.spec.ts : Use descriptive test names that clearly communicate expected behavior in Playwright tests

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to **/*.spec.ts : Use `.spec.ts` extension for test files (e.g., `login.spec.ts`)

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.{ts,spec.ts} : Follow Page Object Model pattern consistently in Playwright tests

Applied to files:

• apps/meteor/tests/e2e/file-upload.spec.ts

🧬 Code graph analysis (1)

apps/meteor/client/lib/chats/flows/uploadFiles.ts (3)

apps/meteor/app/utils/lib/mimeTypes.ts (1)

• getMimeTypeFromFileName (31-31)

packages/ui-client/src/helpers/imperativeModal.tsx (1)

• imperativeModal (53-53)

packages/core-typings/src/IRoom.ts (1)

• isRoomFederated (122-122)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🔇 Additional comments (5)

apps/meteor/tests/e2e/file-upload.spec.ts (1)

54-64: Well-designed test for the security fix.

The test correctly validates that renaming a file to a blacklisted extension triggers MIME type validation and prevents upload. It verifies both that the description doesn't appear in the message and that the appropriate error toast is displayed.

apps/meteor/app/utils/lib/mimeTypes.ts (1)

15-18: Clean extraction of MIME type resolution logic.

The new getMimeTypeFromFileName helper properly encapsulates filename-to-MIME-type lookup with a sensible default fallback. This makes the logic reusable across the codebase.

apps/meteor/client/lib/chats/flows/uploadFiles.ts (2)

37-44: File preparation logic correctly reconstructs MIME type.

The prepareFile function properly creates a new File instance with the corrected MIME type when the filename extension changes. This is the core of the security fix, ensuring the MIME type reflects the actual filename rather than the original file.

---

84-95: MIME validation correctly prevents blacklist bypass.

The validation logic properly checks the prepared file's MIME type after filename changes and displays an error toast before proceeding to the next file. This prevents users from bypassing the blacklist by renaming files.

apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx (1)

29-29: API extension maintains flexibility for toast handling.

The optional dispatchToastMessage parameter allows the upload flow to display validation errors while maintaining backward compatibility. This is a clean approach to enable the security fix without breaking existing callers.

[codecov]

Codecov Report

❌ Patch coverage is 96.96970% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 70.73%. Comparing base (c7966fa) to head (aadaadb).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38106      +/-   ##
===========================================
+ Coverage    70.66%   70.73%   +0.07%     
===========================================
  Files         3136     3139       +3     
  Lines       108599   108744     +145     
  Branches     19538    19594      +56     
===========================================
+ Hits         76742    76921     +179     
+ Misses       29856    29824      -32     
+ Partials      2001     1999       -2     

Flag	Coverage Δ
e2e	60.29% <72.72%> (-0.05%)	⬇️
e2e-api	49.09% <ø> (+1.05%)	⬆️
unit	71.82% <93.93%> (+0.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

📦 Docker Image Size Report

➡️ Changes

Service	Current	Baseline	Change	Percent
sum of all images	0B	0B	0B
account-service	0B	0B	0B
authorization-service	0B	0B	0B
ddp-streamer-service	0B	0B	0B
omnichannel-transcript-service	0B	0B	0B
presence-service	0B	0B	0B
queue-worker-service	0B	0B	0B
rocketchat	0B	0B	0B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "01/19 17:56 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.00]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "queue-worker-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "rocketchat" [0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.00]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 0B

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38106
• Baseline: develop
• Timestamp: 2026-01-19 17:56:02 UTC
• Historical data points: 30

---

Updated: Mon, 19 Jan 2026 17:56:03 GMT

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/meteor/client/lib/chats/flows/uploadFiles.ts (1)

218-218: Minor: Initial validation state may not reflect filename changes in modal.

The invalidContentType prop is based on nextFile.type (the original file type) and doesn't update if the user changes the filename within the modal. This could show stale warnings, though the actual security validation at line 88 in onSubmit is correct and will catch invalid types.

Consider: For improved UX, the modal could reactively update warnings as the filename changes, but this would require modal component changes beyond this PR's scope.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7e33b44 and 6791a70.

📒 Files selected for processing (1)

• apps/meteor/client/lib/chats/flows/uploadFiles.ts

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/lib/chats/flows/uploadFiles.ts

🧠 Learnings (1)

📚 Learning: 2025-11-19T12:32:29.696Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37547
File: packages/i18n/src/locales/en.i18n.json:634-634
Timestamp: 2025-11-19T12:32:29.696Z
Learning: Repo: RocketChat/Rocket.Chat
Context: i18n workflow
Learning: In this repository, new translation keys should be added to packages/i18n/src/locales/en.i18n.json only; other locale files are populated via the external translation pipeline and/or fall back to English. Do not request adding the same key to all locale files in future reviews.

Applied to files:

• apps/meteor/client/lib/chats/flows/uploadFiles.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🔇 Additional comments (4)

apps/meteor/client/lib/chats/flows/uploadFiles.ts (4)

4-4: LGTM! Necessary imports for MIME validation and user feedback.

The imports support the security fix by enabling MIME type recalculation (getMimeTypeFromFileName), validation error display (dispatchToastMessage), and internationalized messages (getI18n).

Also applies to: 7-7, 12-12

---

68-69: LGTM! Improved naming clarity.

Renaming file to nextFile improves readability by distinguishing the original queued file from the prepared file created in onSubmit.

Also applies to: 77-78

---

85-96: Excellent security enforcement of MIME type validation.

This is the critical fix that prevents the bypass:

1. File is prepared with MIME type recalculated based on the final filename
2. Validation checks the prepared file's MIME type
3. Invalid files are rejected with a clear, internationalized error message
4. Upload is prevented and flow continues to next file

The validation correctly happens after MIME type recalculation, ensuring server-side blacklist checks cannot be bypassed by filename manipulation.

---

38-45: [Your rewritten review comment text here]
[Exactly ONE classification tag]

[dougfabris]

Hey @abhinavkrin
I've tested it out and I'm feeling its a bit annoying allowing the user to change the file extension and then not allowing him to send the file. IMO the best approach would be allowing changing the file name and we store the real file with the real extension but with the new name as the user wanted. What do you think?

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx`:
- Line 122: Remove the debug console.log call that prints errors in the
FileUploadModal component: delete the console.log(errors); statement in
FileUploadModal.tsx (the one inside the FileUploadModal component or its
render/effect) so the browser console is not polluted; if you need retained
error visibility, replace it with a proper user-facing error handler or a
debug-only logger gated by an env flag instead.
- Around line 75-78: The current check uses touchedFields.name which can be
false if the user edits the filename but doesn't blur, allowing bypass; update
the validation in the FileUploadModal to always validate the renamed
filename/type (use renamedFile.type) or at minimum validate whenever the
extension/value differs from the original (compare renamedFile.name or
renamedFile.type to the original file's values) instead of relying on
touchedFields.name; call fileUploadIsValidContentType(renamedFile.type) and, on
failure, call setError('name', { message:
t('FileUpload_MediaType_NotAccepted__type__', { type: renamedFile.type }) }) (or
use the existing invalidContentType flag) so the check runs deterministically
before submit.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6791a70 and 7ea5f03.

📒 Files selected for processing (2)

• apps/meteor/client/lib/chats/flows/uploadFiles.ts
• apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/client/lib/chats/flows/uploadFiles.ts

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx

🧬 Code graph analysis (1)

apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx (1)

apps/meteor/app/utils/lib/mimeTypes.ts (1)

• getMimeTypeFromFileName (31-31)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🔇 Additional comments (3)

apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx (3)

26-28: LGTM!

Imports are correctly sourced for the new MIME type validation and file renaming functionality.

---

39-47: LGTM!

The prepareRenamedFile helper correctly handles file renaming: it preserves the original file when extensions match, and constructs a new File with the correct MIME type derived from the renamed extension when they differ.

---

60-62: LGTM!

Form state setup is appropriate. setError enables programmatic validation errors, isSubmitting correctly drives the button loading state, and default values are properly initialized from the file and description props.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx">

<violation number="1" location="apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx:75">
P2: MIME-type validation is skipped when the user renames a file and submits without blurring the field, because the guard relies on `touchedFields.name`. Compare the submitted name to the original instead of the touched state so the validation always runs when the filename changes.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 22 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/media-signaling/src/lib/Call.ts">

<violation number="1">
P2: `sentLocalSdp`/`receivedRemoteSdp` are never reset for new negotiations, so subsequent renegotiations can skip the expected client states and timeouts. Reset these flags when a new negotiation starts (e.g., when adding a negotiation or when `currentNegotiationId` changes).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}