chore(security): tighten inline comments in CSV export and KB file authorization

Condense verbose comment blocks to concise TSDoc/single-line form; no behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/files/authorization.test.ts

@@ -67,8 +67,7 @@ describe('verifyKBFileAccess', () => {
   })
 
   it('denies access via an external URL that merely contains the key as a substring', async () => {
-    // The demonstrated PoC: a planted document whose fileUrl is an unrelated
-    // external URL containing the victim key. It must never authorize storage.
+    // PoC: a planted external URL containing the victim key must never authorize storage.
     dbChainMockFns.limit.mockResolvedValueOnce([
       {
         workspaceId: 'ws-attacker',
@@ -83,8 +82,7 @@ describe('verifyKBFileAccess', () => {
   })
 
   it('denies a later document planted in another workspace (ownership pins to earliest doc)', async () => {
-    // db query orders by uploadedAt asc, so the owning (victim) document comes
-    // first; the attacker's later internal-URL document must not grant access.
+    // Ordered by uploadedAt asc: the victim owns the key, so the attacker's later doc is ignored.
     dbChainMockFns.limit.mockResolvedValueOnce([
       { workspaceId: 'ws-victim', fileUrl: internalUrlFor(VICTIM_KEY) },
       { workspaceId: 'ws-attacker', fileUrl: internalUrlFor(VICTIM_KEY) },
@@ -142,8 +140,7 @@ describe('verifyKBFileAccess', () => {
   })
 
   it('does not let a later workspace document override a null-workspace owner', async () => {
-    // The earliest (owning) document belongs to a workspace-less KB; a later
-    // document planted in the attacker's workspace must not become the owner.
+    // Earliest owner has no workspace; a later attacker-workspace doc must not become owner.
     dbChainMockFns.limit.mockResolvedValueOnce([
       { workspaceId: null, fileUrl: internalUrlFor(VICTIM_KEY) },
       { workspaceId: 'ws-attacker', fileUrl: internalUrlFor(VICTIM_KEY) },

apps/sim/app/api/files/authorization.ts

@@ -412,9 +412,7 @@ async function verifyKBFileAccess(
   customConfig?: StorageConfig
 ): Promise<boolean> {
   try {
-    // The `LIKE` predicate only narrows candidates cheaply; it never decides
-    // authorization. Ordering by `uploadedAt` lets us pin ownership to the
-    // earliest document, which is the one the file was originally uploaded for.
+    // LIKE only narrows candidates; ownership is decided below, pinned to the earliest upload.
     const candidateDocuments = await db
       .select({
         workspaceId: knowledgeBase.workspaceId,
@@ -437,12 +435,8 @@ async function verifyKBFileAccess(
       .orderBy(asc(document.uploadedAt))
       .limit(50)
 
-    // The owner is the earliest document whose fileUrl resolves to EXACTLY this
-    // storage key. Substring-only matches (e.g. an external URL that happens to
-    // contain the key) and documents in other workspaces that merely reference
-    // the key do not establish ownership. Pinning to the earliest match means a
-    // later document planted in the caller's own workspace can never authorize
-    // access to a file another workspace originally uploaded.
+    // Owner is the earliest document whose fileUrl resolves to EXACTLY this key; substring
+    // matches and cross-workspace references never establish ownership.
     const owningDocument = candidateDocuments.find(
       (doc) => resolveInternalKbKey(doc.fileUrl) === cloudKey
     )
@@ -477,9 +471,7 @@ async function verifyKBFileAccess(
       return false
     }
 
-    // KB file access must resolve through an active KB document that canonically
-    // owns the key. Metadata alone is not enough because parent archives
-    // intentionally keep the underlying file bytes around for history.
+    // No owning document: metadata only lets us flag the deleted-file case; it never grants access.
     const fileRecord = await getFileMetadataByKey(cloudKey, 'knowledge-base', {
       includeDeleted: true,
     })

apps/sim/app/api/table/[tableId]/export/route.ts

@@ -114,19 +114,16 @@ function sanitizeFilename(name: string): string {
 }
 
 /**
- * Prefixes a single quote to values that spreadsheet applications would otherwise
- * interpret as formulas, preventing CSV formula injection when an exported file is
- * opened in Excel, LibreOffice, or Google Sheets. JSON exports preserve raw values.
+ * Prefixes a single quote to values starting with a spreadsheet formula trigger
+ * (`=`, `+`, `-`, `@`, tab, CR), neutralizing CSV injection in Excel/Sheets.
  */
 function neutralizeCsvFormula(value: string): string {
   return /^[=+\-@\t\r]/.test(value) ? `'${value}` : value
 }
 
 /**
- * Serializes a cell for CSV output. Only string cells are run through
- * {@link neutralizeCsvFormula}: numbers, booleans, dates, and JSON-serialized
- * objects can never stringify into a spreadsheet formula trigger, so they are
- * emitted verbatim to preserve fidelity (e.g. negative numbers stay numeric).
+ * Serializes a cell for CSV. Only string cells are formula-neutralized; numbers,
+ * booleans, dates, and JSON objects can never form a trigger and pass through verbatim.
  */
 function formatCsvValue(value: unknown): string {
   if (value === null || value === undefined) return ''