Eric Gullickson
183d55b0fe
Security fix: Implement magic byte validation for file uploads (Fix 2)
Fixed HIGH severity security vulnerability (CVSS 7.5) where file upload
validation relied solely on Content-Type headers, allowing malicious
files with spoofed MIME types to bypass validation.
Changes:
- Updated file-type dependency to v16.5.4 (last CommonJS version)
- Added magic byte (file signature) validation using fileTypeFromBuffer
- Read first 4100 bytes of upload to detect actual file type
- Verify detected type matches claimed Content-Type header
- Reject files where content doesn't match headers
- Enhanced logging with detected_type for audit trail
Security impact:
- Prevents .exe files renamed to .pdf from being uploaded
- Prevents Content-Type header spoofing attacks
- Validates file content at binary level, not just metadata
Status: Fix 2 complete
- Fix 1: crypto.randomBytes() ✓
- Fix 2: Magic byte validation ✓
- Fix 3: Google Maps API proxy ✓
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 10:06:53 -06:00
..
2025-12-14 09:56:33 -06:00
2025-12-14 10:06:53 -06:00
2025-11-04 18:38:06 -06:00
2025-11-04 18:38:06 -06:00
2025-11-11 10:29:02 -06:00
2025-12-14 09:56:33 -06:00
2025-11-11 10:29:02 -06:00