fix(frontend): block unsupported .app uploads (#1834)

Co-authored-by: Willem Jiang <willem.jiang@gmail.com>

frontend/src/core/uploads/file-validation.test.mjs

@@ -0,0 +1,55 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import {
+  MACOS_APP_BUNDLE_UPLOAD_MESSAGE,
+  isLikelyMacOSAppBundle,
+  splitUnsupportedUploadFiles,
+} from "./file-validation.ts";
+
+test("identifies Finder-style .app bundle uploads as unsupported", () => {
+  assert.equal(
+    isLikelyMacOSAppBundle({
+      name: "Vibe Island.app",
+      type: "application/octet-stream",
+    }),
+    true,
+  );
+});
+
+test("keeps normal files and reports rejected app bundles", () => {
+  const files = [
+    new File(["demo"], "Vibe Island.app", {
+      type: "application/octet-stream",
+    }),
+    new File(["notes"], "notes.txt", { type: "text/plain" }),
+  ];
+
+  const result = splitUnsupportedUploadFiles(files);
+
+  assert.equal(result.accepted.length, 1);
+  assert.equal(result.accepted[0]?.name, "notes.txt");
+  assert.equal(result.rejected.length, 1);
+  assert.equal(result.rejected[0]?.name, "Vibe Island.app");
+  assert.equal(result.message, MACOS_APP_BUNDLE_UPLOAD_MESSAGE);
+});
+
+test("treats empty MIME .app uploads as unsupported", () => {
+  const result = splitUnsupportedUploadFiles([
+    new File(["demo"], "Another.app", { type: "" }),
+  ]);
+
+  assert.equal(result.accepted.length, 0);
+  assert.equal(result.rejected.length, 1);
+  assert.equal(result.message, MACOS_APP_BUNDLE_UPLOAD_MESSAGE);
+});
+
+test("returns no message when every file is supported", () => {
+  const result = splitUnsupportedUploadFiles([
+    new File(["notes"], "notes.txt", { type: "text/plain" }),
+  ]);
+
+  assert.equal(result.accepted.length, 1);
+  assert.equal(result.rejected.length, 0);
+  assert.equal(result.message, undefined);
+});

frontend/src/core/uploads/file-validation.ts

@@ -0,0 +1,34 @@
+const MACOS_APP_BUNDLE_CONTENT_TYPES = new Set([
+  "",
+  "application/octet-stream",
+]);
+
+export const MACOS_APP_BUNDLE_UPLOAD_MESSAGE =
+  "macOS .app bundles can't be uploaded directly from the browser. Compress the app as a .zip or upload the .dmg instead.";
+
+export function isLikelyMacOSAppBundle(file: Pick<File, "name" | "type">) {
+  return (
+    file.name.toLowerCase().endsWith(".app") &&
+    MACOS_APP_BUNDLE_CONTENT_TYPES.has(file.type)
+  );
+}
+
+export function splitUnsupportedUploadFiles(fileList: File[] | FileList) {
+  const incoming = Array.from(fileList);
+  const accepted: File[] = [];
+  const rejected: File[] = [];
+
+  for (const file of incoming) {
+    if (isLikelyMacOSAppBundle(file)) {
+      rejected.push(file);
+      continue;
+    }
+    accepted.push(file);
+  }
+
+  return {
+    accepted,
+    rejected,
+    message: rejected.length > 0 ? MACOS_APP_BUNDLE_UPLOAD_MESSAGE : undefined,
+  };
+}

frontend/src/core/uploads/index.ts

@@ -3,4 +3,5 @@
  */
 
 export * from "./api";
+export * from "./file-validation";
 export * from "./hooks";