Eric Gullickson
183d55b0fe
Security fix: Implement magic byte validation for file uploads (Fix 2)
Fixed HIGH severity security vulnerability (CVSS 7.5) where file upload
validation relied solely on Content-Type headers, allowing malicious
files with spoofed MIME types to bypass validation.
Changes:
- Updated file-type dependency to v16.5.4 (last CommonJS version)
- Added magic byte (file signature) validation using fileTypeFromBuffer
- Read first 4100 bytes of upload to detect actual file type
- Verify detected type matches claimed Content-Type header
- Reject files where content doesn't match headers
- Enhanced logging with detected_type for audit trail
Security impact:
- Prevents .exe files renamed to .pdf from being uploaded
- Prevents Content-Type header spoofing attacks
- Validates file content at binary level, not just metadata
Status: Fix 2 complete
- Fix 1: crypto.randomBytes() ✓
- Fix 2: Magic byte validation ✓
- Fix 3: Google Maps API proxy ✓
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 10:06:53 -06:00
..
2025-11-07 13:51:47 -06:00
2025-11-08 12:17:29 -06:00
2025-12-14 10:06:53 -06:00
2025-09-17 16:09:15 -05:00
2025-11-05 19:04:06 -06:00
2025-09-28 20:35:46 -05:00