fix: metadata schema

Author: ivan-dalmet

src/lib/s3/client.ts

@@ -1,5 +1,3 @@
-import { stringify } from 'superjson';
-
 import { env } from '@/env.mjs';
 import { trpc } from '@/lib/trpc/client';
 import { RouterInputs } from '@/lib/trpc/types';
@@ -14,8 +12,7 @@ export const uploadFile = async (params: {
   try {
     const presignedUrlOutput =
       await params.trpcClient.files.uploadPresignedUrl.mutate({
-        // Metadata is a Record<string, string> but should be serialized for trpc-openapi
-        metadata: params.metadata ? stringify(params.metadata) : undefined,
+        metadata: params.metadata,
         collection: params.collection,
         type: params.file.type,
         size: params.file.size,

src/lib/s3/schemas.ts

@@ -42,11 +42,11 @@ export type UploadSignedUrlInput = z.infer<
 >;
 export const zUploadSignedUrlInput = () =>
   z.object({
-    /**
-     * Must be a string as trpc-openapi requires that attributes must be serialized
-     */
-    metadata: z.string().optional(),
-    name: z.string(),
+    metadata: z.record(z.string(), z.string()).optional(),
+    name: z
+      .string()
+      .max(255)
+      .regex(/^[^/\\]*$/), // Prevent path traversal (Coderabbitai)
     type: z.string(),
     size: z.number(),
     collection: zFilesCollectionName(),

src/server/routers/files.ts

@@ -1,5 +1,4 @@
 import { TRPCError } from '@trpc/server';
-import { parse } from 'superjson';
 
 import { FILES_COLLECTIONS_CONFIG } from '@/lib/s3/config';
 import {
@@ -44,7 +43,7 @@ export const filesRouter = createTRPCRouter({
       return await getS3UploadSignedUrl({
         key: config.getKey({ user: ctx.user }),
         metadata: input.metadata
-          ? { name: input.name, ...parse(input.metadata) }
+          ? { name: input.name, ...input.metadata }
           : undefined,
       });
     }),