-
-
Notifications
You must be signed in to change notification settings - Fork 18
feat: allow skipping magic numbers validation for image uploads in company info controller #1586
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -515,7 +515,7 @@ export class CompanyInfoController { | |
| @SlugUuid('companyId') companyId: string, | ||
| @UploadedFile( | ||
| new ParseFilePipeBuilder() | ||
| .addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ }) | ||
| .addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true }) | ||
| .addMaxSizeValidator({ maxSize: Constants.MAX_COMPANY_LOGO_SIZE }) | ||
| .build({ errorHttpStatusCode: HttpStatus.UNPROCESSABLE_ENTITY }), | ||
| ) | ||
|
|
@@ -567,7 +567,7 @@ export class CompanyInfoController { | |
| @SlugUuid('companyId') companyId: string, | ||
| @UploadedFile( | ||
| new ParseFilePipeBuilder() | ||
| .addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ }) | ||
| .addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true }) | ||
|
||
| .addMaxSizeValidator({ maxSize: Constants.MAX_COMPANY_FAVICON_SIZE }) | ||
| .build({ errorHttpStatusCode: HttpStatus.UNPROCESSABLE_ENTITY }), | ||
| ) | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting
skipMagicNumbersValidation: trueon the image upload FileTypeValidator weakens server-side file validation and makes the check rely primarily on the client-provided mimetype (which can be spoofed). Since the upload use case persistsfile.bufferas-is and later returns it to clients alongsidemimeType, this can allow non-image payloads to be stored and served asimage/*. Consider keeping magic-number validation enabled for binary image types (png/jpeg) and handling problematic types (e.g. svg) with a dedicated validator/sanitization step instead of disabling signature validation globally.