fix(tables): guard sync import overlap, scope fileKey to workspace, delete-on-replace after download

Author: TheodoreSpeaks

apps/sim/app/api/table/[tableId]/import-async/route.ts

@@ -41,6 +41,11 @@ export const POST = withRouteHandler(async (request: NextRequest, { params }: Ro
   if (table.workspaceId !== workspaceId) {
     return NextResponse.json({ error: 'Invalid workspace ID' }, { status: 400 })
   }
+  // The fileKey is client-supplied — ensure it points at this workspace's storage prefix so a
+  // caller can't import another workspace's uploaded object.
+  if (!fileKey.startsWith(`workspace/${workspaceId}/`)) {
+    return NextResponse.json({ error: 'Invalid file key for workspace' }, { status: 400 })
+  }
   if (table.archivedAt) {
     return NextResponse.json({ error: 'Cannot import into an archived table' }, { status: 400 })
   }

apps/sim/app/api/table/[tableId]/import/route.ts

@@ -128,6 +128,14 @@ export const POST = withRouteHandler(async (request: NextRequest, { params }: Ro
     if (table.archivedAt) {
       return NextResponse.json({ error: 'Cannot import into an archived table' }, { status: 400 })
     }
+    // Don't run a sync import on top of an in-flight background import — concurrent writers
+    // would insert at colliding row positions.
+    if (table.importStatus === 'importing') {
+      return NextResponse.json(
+        { error: 'An import is already in progress for this table' },
+        { status: 409 }
+      )
+    }
 
     let mapping: CsvHeaderMapping | undefined
     if (fields.mapping) {

apps/sim/app/api/table/import-async/route.ts

@@ -40,6 +40,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
   if (permission !== 'write' && permission !== 'admin') {
     return NextResponse.json({ error: 'Access denied' }, { status: 403 })
   }
+  // The fileKey is client-supplied — ensure it points at this workspace's storage prefix so a
+  // caller can't import another workspace's uploaded object.
+  if (!fileKey.startsWith(`workspace/${workspaceId}/`)) {
+    return NextResponse.json({ error: 'Invalid file key for workspace' }, { status: 400 })
+  }
 
   const ext = fileName.split('.').pop()?.toLowerCase()
   if (ext !== 'csv' && ext !== 'tsv') {

apps/sim/lib/table/import-runner.ts

@@ -70,10 +70,12 @@ export async function runTableImport(payload: TableImportPayload): Promise<void>
     if (!loaded) throw new Error(`Import target table ${tableId} not found`)
     const table = loaded
 
-    if (mode === 'replace') await deleteAllTableRows(tableId)
-
     const buffer = await downloadFile({ key: fileKey, context: 'workspace' })
 
+    // Delete only after the download succeeds — otherwise a failed download would wipe the
+    // table with nothing to replace it with.
+    if (mode === 'replace') await deleteAllTableRows(tableId)
+
     // Estimate total data rows by counting line breaks (minus the header) for a
     // determinate progress bar. It's an estimate — quoted newlines and blank lines
     // make it imprecise — so the client caps the bar below 100% until the terminal