fix: prevent req.file leak between sequential duplicate() calls on upload collections (#15620)

### What?

Prevents `req.file` from leaking between sequential
`payload.duplicate()` calls when a shared `req` object is used for
upload collections.

### Why?

When calling `payload.duplicate()` multiple times on the same `req`
object (e.g. in batch operations within a transaction), only the first
document's file was used for all subsequent duplications.
`generateFileData` writes the processed file back to `req.file`, and on
the next call `let file = req.file` was truthy, so the block that
fetches the correct source file from storage was skipped entirely.

### How?

When `isDuplicating` is true, `req.file` is now ignored so the source
file is always fetched fresh from storage for each duplicate operation.
This is a one-line change in `generateFileData.ts`:

```diff
- let file = req.file
+ let file = isDuplicating ? undefined : req.file
```

An integration test was added that creates two upload documents with
different files, duplicates both using a shared `req`, and asserts each
duplicate derives its filename from the correct source document.

Fixes #15619

Author: jhb-dev

packages/payload/src/uploads/generateFileData.ts

@@ -84,7 +84,7 @@ export const generateFileData = async <T>({
 
   const { serverURL, sharp } = req.payload.config
 
-  let file = req.file
+  let file = isDuplicating ? undefined : req.file
 
   const uploadEdits = parseUploadEditsFromReqOrIncomingData({
     data,

test/uploads/int.spec.ts

@@ -1,5 +1,5 @@
 import type { AddressInfo } from 'net'
-import type { CollectionSlug, Payload } from 'payload'
+import type { CollectionSlug, Payload, PayloadRequest } from 'payload'
 
 import { randomUUID } from 'crypto'
 import fs from 'fs'
@@ -1376,6 +1376,54 @@ describe('Collections - Uploads', () => {
 
       expect(await fileExists(path.join(expectedPath, duplicatedDoc.filename))).toBe(true)
     })
+
+    it('should not leak req.file between sequential duplicate() calls on a shared req', async () => {
+      const filePath1 = path.resolve(dirname, './image.png')
+      const file1 = await getFileByPath(filePath1)
+      file1.name = 'alpha-leak-test.png'
+
+      const filePath2 = path.resolve(dirname, './small.png')
+      const file2 = await getFileByPath(filePath2)
+      file2.name = 'bravo-leak-test.png'
+
+      const doc1 = await payload.create({
+        collection: mediaSlug,
+        data: {},
+        file: file1,
+      })
+
+      const doc2 = await payload.create({
+        collection: mediaSlug,
+        data: {},
+        file: file2,
+      })
+
+      // Use a shared req object to simulate batch operations within a transaction
+      const req = {} as PayloadRequest
+
+      const dup1 = await payload.duplicate({
+        collection: mediaSlug,
+        id: doc1.id,
+        req,
+      })
+
+      const dup2 = await payload.duplicate({
+        collection: mediaSlug,
+        id: doc2.id,
+        req,
+      })
+
+      // dup1 should derive from alpha-leak-test.png
+      expect(dup1.filename).toContain('alpha-leak-test')
+      // dup2 should derive from bravo-leak-test.png, NOT alpha-leak-test.png
+      expect(dup2.filename).toContain('bravo-leak-test')
+
+      // Clean up created docs
+      await payload.delete({ collection: mediaSlug, id: doc1.id })
+      await payload.delete({ collection: mediaSlug, id: doc2.id })
+      await payload.delete({ collection: mediaSlug, id: dup1.id })
+      await payload.delete({ collection: mediaSlug, id: dup2.id })
+    })
   })
 
   describe('serverURL handling', () => {