Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions backend/src/entities/company-info/company-info.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -515,7 +515,7 @@ export class CompanyInfoController {
@SlugUuid('companyId') companyId: string,
@UploadedFile(
new ParseFilePipeBuilder()
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })

Copilot AI Feb 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting skipMagicNumbersValidation: true on the image upload FileTypeValidator weakens server-side file validation and makes the check rely primarily on the client-provided mimetype (which can be spoofed). Since the upload use case persists file.buffer as-is and later returns it to clients alongside mimeType, this can allow non-image payloads to be stored and served as image/*. Consider keeping magic-number validation enabled for binary image types (png/jpeg) and handling problematic types (e.g. svg) with a dedicated validator/sanitization step instead of disabling signature validation globally.

Suggested change
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })

Copilot uses AI. Check for mistakes.
.addMaxSizeValidator({ maxSize: Constants.MAX_COMPANY_LOGO_SIZE })
.build({ errorHttpStatusCode: HttpStatus.UNPROCESSABLE_ENTITY }),
)
Expand Down Expand Up @@ -567,7 +567,7 @@ export class CompanyInfoController {
@SlugUuid('companyId') companyId: string,
@UploadedFile(
new ParseFilePipeBuilder()
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })

Copilot AI Feb 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same concern here: disabling magic-number/signature validation for favicon uploads makes it possible to upload arbitrary bytes while claiming an image/* mimetype. If this was added to work around SVG/favicon detection issues, it would be safer to keep signature validation for png/jpeg and apply a separate allowlist + sanitization/validation path for formats that can’t be reliably magic-checked.

Copilot uses AI. Check for mistakes.
.addMaxSizeValidator({ maxSize: Constants.MAX_COMPANY_FAVICON_SIZE })
.build({ errorHttpStatusCode: HttpStatus.UNPROCESSABLE_ENTITY }),
)
Expand Down
Loading