Go to file

Eric Gullickson 183d55b0fe Security fix: Implement magic byte validation for file uploads (Fix 2)

Fixed HIGH severity security vulnerability (CVSS 7.5) where file upload
validation relied solely on Content-Type headers, allowing malicious
files with spoofed MIME types to bypass validation.

Changes:
- Updated file-type dependency to v16.5.4 (last CommonJS version)
- Added magic byte (file signature) validation using fileTypeFromBuffer
- Read first 4100 bytes of upload to detect actual file type
- Verify detected type matches claimed Content-Type header
- Reject files where content doesn't match headers
- Enhanced logging with detected_type for audit trail

Security impact:
- Prevents .exe files renamed to .pdf from being uploaded
- Prevents Content-Type header spoofing attacks
- Validates file content at binary level, not just metadata

Status: Fix 2 complete
- Fix 1: crypto.randomBytes() ✓
- Fix 2: Magic byte validation ✓
- Fix 3: Google Maps API proxy ✓

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2025-12-14 10:06:53 -06:00

.ai

Redesign

2025-11-01 21:27:42 -05:00

.claude

Updates to database and API for dropdowns.

2025-11-11 10:29:02 -06:00

.github

Homepage Redesign

2025-11-03 14:06:54 -06:00

.playwright-mcp

Agentic AI Implementation

2025-10-10 23:26:07 -05:00

backend

Security fix: Implement magic byte validation for file uploads (Fix 2)

2025-12-14 10:06:53 -06:00

certs

Working React 19 before Compiler integration

2025-08-23 16:46:31 -05:00

config/app

Docs Cleanup

2025-11-03 16:12:29 -06:00

data

Updates to database and API for dropdowns.

2025-11-11 10:29:02 -06:00

docs

Updates to database and API for dropdowns.

2025-11-11 10:29:02 -06:00

frontend

Security fix: Implement Google Maps API photo proxy (Fix 3)

2025-12-14 09:56:33 -06:00

scripts

Make/Model Data Loading

2025-11-07 13:51:47 -06:00

secrets

Redesign

2025-11-01 21:27:42 -05:00

.gitignore

Updates to database and API for dropdowns.

2025-11-11 10:29:02 -06:00

AI-INDEX.md

Stuff

2025-11-04 18:38:06 -06:00

AUDIT.md

Add comprehensive software audit report

2025-12-13 20:50:04 -06:00

BULK-DELETE-ENDPOINT-DOCS.md

Admin Page work - Still blank/broken

2025-11-06 16:29:11 -06:00

CLAUDE.md

Almost ready

2025-11-08 15:34:29 -06:00

docker-compose.yml

Google Maps Bug

2025-11-08 12:17:29 -06:00

Makefile

Pre-web changes

2025-11-05 11:04:48 -06:00

motovaultpro_mobile_v2.jsx

MVP with new UX

2025-08-09 17:45:54 -05:00

package-lock.json

Admin User v1

2025-11-05 19:04:06 -06:00

package.json

Admin User v1

2025-11-05 19:04:06 -06:00

README.md

Stuff

2025-11-04 18:38:06 -06:00

SECURITY-FIXES.md

Security fixes: Implement P0 critical vulnerability remediations

2025-12-14 09:49:05 -06:00

README.md

MotoVaultPro — Simplified Architecture

Simplified 5-container architecture with integrated platform feature.

Requirements

Mobile + Desktop: Implement and test every feature on both.
Docker-first, production-only: All testing and validation in containers.
See CLAUDE.md for development partnership guidelines.

Quick Start (containers)

make setup    # build + start + migrate (uses mvp-* containers)
make start    # start 5 services
make rebuild  # rebuild on changes
make logs     # tail all logs
make migrate  # run DB migrations

Documentation

AI quickload: AI-INDEX.md
Docs hub: docs/README.md
Features: backend/src/features/{name}/README.md
Frontend: frontend/README.md
Backend core: backend/src/core/README.md

URLs and Hosts

Frontend: https://motovaultpro.com
Backend health: https://motovaultpro.com/api/health

Languages

TypeScript 80.5%

Python 15%

Shell 2.3%

PLpgSQL 1.3%

JavaScript 0.4%

Other 0.4%