Skip to content

fix(uploader): reject filenames with characters that break upload signature#406

Closed
tylere wants to merge 2 commits into
mainfrom
claude/issue-405-20260701-0014
Closed

fix(uploader): reject filenames with characters that break upload signature#406
tylere wants to merge 2 commits into
mainfrom
claude/issue-405-20260701-0014

Conversation

@tylere

@tylere tylere commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Uploading a filename containing !, ', (, ), or * fails with a cryptic "Error: signature mismatch". The storage proxy's SigV4 signature verification doesn't handle those characters the way S3 does (an external service, outside this repo, so the signing bug itself can't be fixed here).
  • This implements the issue's other acceptable behavior instead: reject those filenames up front with a clear, actionable error rather than failing deep inside the upload.
  • UploadQueueManager.process() now marks any queued item whose key contains those characters as error with an explanatory message. Both upload entry points (drag-and-drop and the file picker) funnel through this same queue, so the check applies uniformly.

Test plan

  • Added upload-queue-manager.test.ts covering the rejection and the unaffected happy path.
  • Could not run npm test / npm run lint in this sandbox (no node_modules, no permission to install dependencies) - please run before merging.

Closes #405

Generated with Claude Code

…ure check

The storage proxy verifies each upload's SigV4 signature, but its
verification mismatches on !, ', (, ), and * in the object key (the browser's
encodeURIComponent leaves them un-escaped), surfacing as a cryptic "Error:
signature mismatch" deep inside the upload. Reject these up front in the
queue with an actionable error instead of attempting — and failing — the
upload.

Closes #405

Co-authored-by: Tyler Erickson <tylere@users.noreply.github.com>
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
source-cooperative Ready Ready Preview, Comment Jul 1, 2026 12:50am

Request Review

@claude

claude Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Claude finished @tylere's task in 1m 45s —— View job


I'll analyze this and get back to you.

@tylere

tylere commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Space characters also seem to cause the error:

Image

Also it is not clear how to remove the messages for the uploads that failed, even after a subsequent successful upload. Do the messages eventually disappear?

@tylere

tylere commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@claude incorporate the last comment

@claude

claude Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Claude finished @tylere's task in 6m 23s —— View job


Done ✅

Incorporated your feedback from the last comment:

  • Investigated why spaces trigger the error — confirmed same root cause: the storage proxy's SigV4 signature check mismatches on spaces just like !'()*
  • Investigated why failed-upload messages stick around — DirectoryRow (the file listing) shows an upload's progress/error until it's removed from the in-memory queue, but there was no per-row control to dismiss an error. The only "Clear Errors" button lives in a floating notification widget that hides itself once nothing is actively uploading, so it was effectively unreachable once everything had errored out
  • Reject filenames containing spaces (extended UNSUPPORTED_KEY_CHARS and the error message)
  • Added a "Dismiss" button next to "Retry" on errored uploads in the file listing, wired through a new UploadQueueManager.remove(id) / removeUpload — so a stuck error message can be cleared right where you see it, without waiting for it to "disappear" (it never did)
  • Added tests for space rejection and remove()
  • Committed and pushed to this branch

Answering directly: no, the error messages don't disappear on their own — they stay until the item is removed from the queue. Now you can click the new dismiss (✕) icon next to the retry icon on any errored file to clear it immediately.

One thing I noticed but did not change: the character check runs against the full upload key (folder path + filename), not just the filename. If an existing folder's name happens to contain a space, uploads into it will still be rejected with a message that says "in filename" even though the space is in the folder name. That upload would have failed with the old cryptic signature error either way (SigV4 signs the whole path), so this isn't a new regression — just imprecise wording in an edge case. Flagging it in case it's worth a follow-up.

Couldn't run npm test / npm run lint in this sandbox (no permissions to install/run them) — please run before merging.

…errors

Spaces trigger the same storage-proxy signature mismatch as !'()* — reject
them up front too. Also add a per-item dismiss control in the file listing
so an errored upload's message doesn't stay stuck forever with no way to
clear it (the only prior clear-errors control lives in a notification
widget that hides itself once nothing is actively uploading).

Co-authored-by: Tyler Erickson <tylere@users.noreply.github.com>

@alukach alukach left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's some thought in us guiding towards uploads-best-practices on the frontend (#288) but I think this is a legitimate bug that should be fixed on data.source.coop


UPDATE: This has been fixed by source-cooperative/data.source.coop#176

@alukach alukach closed this Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] "Error: signature mismatch" when uploading file with parenthesis in filename

2 participants