Security Vulnerabilities in User Search API and File Upload

While reviewing the project, I found the following security concerns:

### 1. Sensitive fields exposed in public search API

The search endpoint returns internal identity fields such as `passwordHash`, `securityStamp`, and `concurrencyStamp`.

<img width="540" height="157" alt="Image" src="https://github.com/user-attachments/assets/35dff4a4-e55e-4af6-8f50-dc233f1378c4" />

**Risk:** Sensitive authentication data exposure.
**Fix:** Return a sanitized DTO with only public fields.

---

### 2. No file size limit on profile image upload

There is no maximum upload size enforced.

**Risk:** Possible DoS via large file uploads.
**Fix:** Add strict size limits and optionally rate limiting.

---

### 3. No validation of uploaded file type

No validation for file extension, MIME type, or file signature.

**Risk:** Malicious file upload (e.g., JS or executable files).
**Fix:** Enforce allow-list validation and verify file signatures.

---

I’d be happy to submit a PR addressing these issues if approved.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Vulnerabilities in User Search API and File Upload #121

1. Sensitive fields exposed in public search API

2. No file size limit on profile image upload

3. No validation of uploaded file type

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security Vulnerabilities in User Search API and File Upload #121

Description

1. Sensitive fields exposed in public search API

2. No file size limit on profile image upload

3. No validation of uploaded file type

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions