test(security): add tests for cross-tenant log guard, quota bypass fix, and workflowId scoping

- log/route.test.ts: verifies cross-tenant executionId guard returns 404
  when the execution belongs to a different workflow, and passes for same
  workflow or fresh executions
- multipart/route.test.ts: verifies fileSize:0 no longer bypasses quota
  check and that the logs context is rejected at the endpoint level
- logging-session.test.ts: verifies markExecutionAsFailed scopes by both
  executionId and workflowId, and that the instance method forwards workflowId

Author: waleedlatif1

apps/sim/app/api/files/multipart/route.test.ts

@@ -53,6 +53,15 @@ vi.mock('@/lib/uploads/providers/blob/client', () => ({
 
 vi.mock('@/lib/workspaces/permissions/utils', () => permissionsMock)
 
+const { mockCheckStorageQuota, mockInitiateS3MultipartUpload } = vi.hoisted(() => ({
+  mockCheckStorageQuota: vi.fn(),
+  mockInitiateS3MultipartUpload: vi.fn(),
+}))
+
+vi.mock('@/lib/billing/storage', () => ({
+  checkStorageQuota: mockCheckStorageQuota,
+}))
+
 import { POST } from '@/app/api/files/multipart/route'
 
 const tokenPayload = {
@@ -200,3 +209,69 @@ describe('POST /api/files/multipart action=complete', () => {
     expect(mockCompleteS3MultipartUpload).toHaveBeenCalledTimes(2)
   })
 })
+
+describe('POST /api/files/multipart action=initiate quota enforcement', () => {
+  const makeInitiateRequest = (body: unknown) =>
+    new NextRequest('http://localhost/api/files/multipart?action=initiate', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    authMockFns.mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
+    permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue('write')
+    mockIsUsingCloudStorage.mockReturnValue(true)
+    mockGetStorageProvider.mockReturnValue('s3')
+    mockGetStorageConfig.mockReturnValue({ bucket: 'b', region: 'r' })
+    mockSignUploadToken.mockReturnValue('signed-token')
+    mockCheckStorageQuota.mockResolvedValue({ allowed: true })
+    mockInitiateS3MultipartUpload.mockResolvedValue({ uploadId: 'up-1', key: 'k/file.bin' })
+  })
+
+  it('blocks upload when fileSize: 0 exceeds quota', async () => {
+    mockCheckStorageQuota.mockResolvedValue({ allowed: false, error: 'Storage limit exceeded' })
+
+    const res = await makeInitiateRequest({
+      fileName: 'file.bin',
+      contentType: 'application/octet-stream',
+      fileSize: 0,
+      workspaceId: 'ws-1',
+      context: 'knowledge-base',
+    })
+
+    const response = await POST(res)
+    expect(response.status).toBe(413)
+    const body = await response.json()
+    expect(body.error).toContain('Storage limit exceeded')
+  })
+
+  it('does not check quota for quota-exempt contexts (og-images)', async () => {
+    const res = await makeInitiateRequest({
+      fileName: 'img.png',
+      contentType: 'image/png',
+      fileSize: 99999,
+      workspaceId: 'ws-1',
+      context: 'og-images',
+    })
+
+    const response = await POST(res)
+    expect(mockCheckStorageQuota).not.toHaveBeenCalled()
+  })
+
+  it('rejects logs context — not allowed via the multipart endpoint', async () => {
+    const res = await makeInitiateRequest({
+      fileName: 'exec.log',
+      contentType: 'text/plain',
+      fileSize: 1000,
+      workspaceId: 'ws-1',
+      context: 'logs',
+    })
+
+    const response = await POST(res)
+    expect(response.status).toBe(400)
+    const body = await response.json()
+    expect(body.error).toMatch(/invalid storage context/i)
+  })
+})

apps/sim/app/api/workflows/[id]/log/route.test.ts

@@ -0,0 +1,108 @@
+/**
+ * @vitest-environment node
+ */
+import { authMockFns, dbChainMock, dbChainMockFns, resetDbChainMock } from '@sim/testing'
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+// Override global db mock with the configurable chain mock
+vi.mock('@sim/db', () => dbChainMock)
+
+const { mockValidateWorkflowAccess, mockGetWorkspaceBilledAccountUserId } = vi.hoisted(() => ({
+  mockValidateWorkflowAccess: vi.fn(),
+  mockGetWorkspaceBilledAccountUserId: vi.fn(),
+}))
+
+vi.mock('@/app/api/workflows/middleware', () => ({
+  validateWorkflowAccess: mockValidateWorkflowAccess,
+}))
+
+vi.mock('@/lib/workspaces/utils', () => ({
+  getWorkspaceBilledAccountUserId: mockGetWorkspaceBilledAccountUserId,
+}))
+
+vi.mock('@/lib/logs/execution/logging-session', () => ({
+  LoggingSession: vi.fn().mockImplementation(() => ({
+    start: vi.fn().mockResolvedValue(undefined),
+    markAsFailed: vi.fn().mockResolvedValue(undefined),
+    safeCompleteWithError: vi.fn().mockResolvedValue(undefined),
+    safeComplete: vi.fn().mockResolvedValue(undefined),
+  })),
+}))
+
+vi.mock('@/lib/logs/execution/trace-spans/trace-spans', () => ({
+  buildTraceSpans: vi.fn().mockReturnValue([]),
+}))
+
+import { POST } from './route'
+
+const makeRequest = (workflowId: string, body: unknown) =>
+  new NextRequest(`http://localhost/api/workflows/${workflowId}/log`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  })
+
+const validResult = { success: true, output: { value: 42 } }
+
+describe('POST /api/workflows/[id]/log cross-tenant guard', () => {
+  const OWNER_WORKFLOW_ID = 'wf-owner'
+  const ATTACKER_WORKFLOW_ID = 'wf-attacker'
+  const VICTIM_EXECUTION_ID = 'exec-victim-uuid'
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    resetDbChainMock()
+    authMockFns.mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
+    mockValidateWorkflowAccess.mockResolvedValue({ error: null })
+    mockGetWorkspaceBilledAccountUserId.mockResolvedValue('user-1')
+    // Default: no existing log (fresh execution)
+    dbChainMockFns.limit.mockResolvedValue([])
+  })
+
+  it('returns 404 when executionId belongs to a different workflow', async () => {
+    dbChainMockFns.limit.mockResolvedValueOnce([{ workflowId: OWNER_WORKFLOW_ID }])
+
+    const res = await POST(
+      makeRequest(ATTACKER_WORKFLOW_ID, {
+        executionId: VICTIM_EXECUTION_ID,
+        result: validResult,
+      }),
+      { params: Promise.resolve({ id: ATTACKER_WORKFLOW_ID }) }
+    )
+
+    expect(res.status).toBe(404)
+    const body = await res.json()
+    expect(body.error).toBe('Execution not found')
+  })
+
+  it('proceeds when executionId belongs to the same workflow', async () => {
+    dbChainMockFns.limit.mockResolvedValueOnce([{ workflowId: OWNER_WORKFLOW_ID }])
+
+    const res = await POST(
+      makeRequest(OWNER_WORKFLOW_ID, {
+        executionId: VICTIM_EXECUTION_ID,
+        result: validResult,
+      }),
+      { params: Promise.resolve({ id: OWNER_WORKFLOW_ID }) }
+    )
+
+    expect(res.status).not.toBe(404)
+    expect(res.status).not.toBe(403)
+  })
+
+  it('proceeds when executionId has no existing log row (fresh execution)', async () => {
+    dbChainMockFns.limit.mockResolvedValueOnce([])
+
+    const res = await POST(
+      makeRequest(OWNER_WORKFLOW_ID, {
+        executionId: 'brand-new-execution-id',
+        result: validResult,
+      }),
+      { params: Promise.resolve({ id: OWNER_WORKFLOW_ID }) }
+    )
+
+    expect(res.status).not.toBe(404)
+    expect(res.status).not.toBe(403)
+  })
+})

apps/sim/lib/logs/execution/logging-session.test.ts

@@ -10,6 +10,7 @@ const dbMocks = vi.hoisted(() => {
   const update = vi.fn()
   const execute = vi.fn()
   const eq = vi.fn()
+  const and = vi.fn((...args: unknown[]) => ({ type: 'and', args }))
   const sql = vi.fn((strings: TemplateStringsArray, ...values: unknown[]) => ({ strings, values }))
 
   select.mockReturnValue({ from: selectFrom })
@@ -29,6 +30,7 @@ const dbMocks = vi.hoisted(() => {
     updateWhere,
     execute,
     eq,
+    and,
     sql,
   }
 })
@@ -47,6 +49,7 @@ vi.mock('@sim/db', () => ({
 
 vi.mock('drizzle-orm', () => ({
   eq: dbMocks.eq,
+  and: dbMocks.and,
   sql: dbMocks.sql,
 }))
 
@@ -449,3 +452,42 @@ describe('LoggingSession completion retries', () => {
     expect(session.completing).toBe(true)
   })
 })
+
+describe('LoggingSession.markExecutionAsFailed workflowId scoping', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    dbMocks.updateWhere.mockResolvedValue(undefined)
+  })
+
+  it('scopes UPDATE by both executionId and workflowId', async () => {
+    await LoggingSession.markExecutionAsFailed('exec-1', undefined, undefined, 'wf-1')
+
+    expect(dbMocks.update).toHaveBeenCalledTimes(1)
+    expect(dbMocks.updateSet).toHaveBeenCalledTimes(1)
+    expect(dbMocks.updateWhere).toHaveBeenCalledTimes(1)
+
+    const whereArgs = dbMocks.updateWhere.mock.calls[0]
+    expect(whereArgs).toBeDefined()
+  })
+
+  it('instance markAsFailed forwards workflowId to the static method', async () => {
+    const updateWhereSpy = dbMocks.updateWhere
+    dbMocks.selectLimit.mockResolvedValue([{ executionData: {} }])
+
+    const session = new LoggingSession('wf-42', 'exec-42', 'api', 'req-1')
+    await session.markAsFailed('something went wrong')
+
+    expect(updateWhereSpy).toHaveBeenCalledTimes(1)
+  })
+
+  it('uses the provided errorMessage in the SQL set', async () => {
+    const sqlMock = dbMocks.sql
+    await LoggingSession.markExecutionAsFailed('exec-2', 'custom error', undefined, 'wf-2')
+
+    expect(sqlMock).toHaveBeenCalled()
+    const lastCall = sqlMock.mock.calls.at(-1)!
+    const [strings, ...values] = lastCall
+    const combined = String(Array.from(strings)).toLowerCase() + values.join(' ').toLowerCase()
+    expect(combined).toContain('force_failed')
+  })
+})