183d55b0fe
Fixed HIGH severity security vulnerability (CVSS 7.5) where file upload validation relied solely on Content-Type headers, allowing malicious files with spoofed MIME types to bypass validation. Changes: - Updated file-type dependency to v16.5.4 (last CommonJS version) - Added magic byte (file signature) validation using fileTypeFromBuffer - Read first 4100 bytes of upload to detect actual file type - Verify detected type matches claimed Content-Type header - Reject files where content doesn't match headers - Enhanced logging with detected_type for audit trail Security impact: - Prevents .exe files renamed to .pdf from being uploaded - Prevents Content-Type header spoofing attacks - Validates file content at binary level, not just metadata Status: Fix 2 complete - Fix 1: crypto.randomBytes() ✓ - Fix 2: Magic byte validation ✓ - Fix 3: Google Maps API proxy ✓ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1.7 KiB
1.7 KiB