motovaultpro/backend/package.json
Eric Gullickson 183d55b0fe Security fix: Implement magic byte validation for file uploads (Fix 2)
Fixed HIGH severity security vulnerability (CVSS 7.5) where file upload
validation relied solely on Content-Type headers, allowing malicious
files with spoofed MIME types to bypass validation.

Changes:
- Updated file-type dependency to v16.5.4 (last CommonJS version)
- Added magic byte (file signature) validation using fileTypeFromBuffer
- Read first 4100 bytes of upload to detect actual file type
- Verify detected type matches claimed Content-Type header
- Reject files where content doesn't match headers
- Enhanced logging with detected_type for audit trail

Security impact:
- Prevents .exe files renamed to .pdf from being uploaded
- Prevents Content-Type header spoofing attacks
- Validates file content at binary level, not just metadata

Status: Fix 2 complete
- Fix 1: crypto.randomBytes() ✓
- Fix 2: Magic byte validation ✓
- Fix 3: Google Maps API proxy ✓

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-14 10:06:53 -06:00
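The magic-byte check the commit message describes, as an added example that is not MotoVaultPro's code: the project relies on the file-type package, while this stand-in uses a small hand-rolled signature table so it runs with no dependencies. As in the commit, it sniffs a 4100-byte prefix, compares the detected type with the claimed Content-Type header, rejects a mismatch, and hands back the detected type for the audit log. The signature table, the ALLOWED_TYPES policy and the function names are assumptions.

```javascript
// Added example, not MotoVaultPro's code. The project uses the file-type
// package; this stand-in table covers only a few signatures (assumption).
const SIGNATURES = [
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },                    // "%PDF"
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },  // PNG header
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },                                // JPEG SOI
  { mime: 'application/x-msdownload', bytes: [0x4d, 0x5a] },                        // "MZ" PE header
];
const ALLOWED_TYPES = new Set(['application/pdf', 'image/png', 'image/jpeg']); // assumed policy
const SNIFF_BYTES = 4100; // same prefix length the commit reads

// Normalise "image/png; charset=binary" -> "image/png" before comparing.
function normalizeContentType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// Return the MIME type implied by the file's leading bytes, or null if unknown.
function detectMime(buf) {
  const head = buf.subarray(0, SNIFF_BYTES);
  for (const sig of SIGNATURES) {
    if (head.length >= sig.bytes.length && sig.bytes.every((b, i) => head[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Decide whether an upload is accepted. `detected` is returned so the caller
// can log it next to the claimed type, like the commit's detected_type field.
function validateUpload(contentTypeHeader, buf) {
  const claimed = normalizeContentType(contentTypeHeader);
  const detected = detectMime(buf);
  if (!ALLOWED_TYPES.has(claimed)) return { ok: false, reason: 'content-type not allowed', claimed, detected };
  if (detected === null) return { ok: false, reason: 'unrecognized file signature', claimed, detected };
  if (detected !== claimed) return { ok: false, reason: 'content does not match header', claimed, detected };
  return { ok: true, reason: 'ok', claimed, detected };
}

// Constructed sample uploads (not real files).
const SAMPLE_PDF = Buffer.from('%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n', 'latin1');
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_EXE = Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]); // PE bytes sent as .pdf

console.log(validateUpload('application/pdf', SAMPLE_PDF));               // ok: true
console.log(validateUpload('application/pdf', SAMPLE_EXE));               // ok: false, detected x-msdownload
console.log(validateUpload('image/png; charset=binary', SAMPLE_PNG));     // ok: true
```

Plugging this into the Fastify multipart handler means buffering the first SNIFF_BYTES of the part before the rest is streamed to storage, and logging `claimed` and `detected` together on every rejection.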


{
  "name": "motovaultpro-backend",
  "version": "1.0.0",
  "description": "MotoVaultPro backend with Modified Feature Capsule architecture",
  "main": "dist/index.js",
  "scripts": {
    "dev": "nodemon --watch src --exec ts-node src/index.ts",
    "build": "tsc --project tsconfig.build.json",
    "start": "node dist/index.js",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:feature": "jest --testPathPattern=src/features/${npm_config_feature}",
    "migrate:all": "ts-node src/_system/migrations/run-all.ts",
    "migrate:feature": "ts-node src/_system/migrations/run-feature.ts",
    "schema:generate": "ts-node src/_system/schema/generate.ts",
    "lint": "eslint src --ext .ts"
  },
  "dependencies": {
    "pg": "^8.11.3",
    "ioredis": "^5.3.2",
    "minio": "^7.1.3",
    "@fastify/multipart": "^8.1.0",
    "axios": "^1.6.2",
    "opossum": "^8.0.0",
    "winston": "^3.11.0",
    "zod": "^3.22.4",
    "js-yaml": "^4.1.0",
    "fastify": "^4.24.3",
    "@fastify/cors": "^9.0.1",
    "@fastify/helmet": "^11.1.1",
    "@fastify/jwt": "^8.0.0",
    "@fastify/type-provider-typebox": "^4.0.0",
    "@sinclair/typebox": "^0.31.28",
    "fastify-plugin": "^4.5.1",
    "@fastify/autoload": "^5.8.0",
    "get-jwks": "^9.0.0",
    "file-type": "^16.5.4"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
    "@types/pg": "^8.10.9",
    "@types/js-yaml": "^4.0.9",
    "typescript": "^5.6.3",
    "ts-node": "^10.9.1",
    "nodemon": "^3.0.1",
    "jest": "^29.7.0",
    "@types/jest": "^29.5.10",
    "ts-jest": "^29.1.1",
    "supertest": "^6.3.3",
    "@types/supertest": "^2.0.16",
    "@types/opossum": "^8.0.0",
    "eslint": "^8.54.0",
    "@typescript-eslint/eslint-plugin": "^6.12.0",
    "@typescript-eslint/parser": "^6.12.0"
  }
}