Add content-length validation and file type enforcement for media uploads #850

Description

@RUKAYAT-CODER

Overview

src/workers/processors/media-processing.worker.ts and the CDN upload endpoint do not validate file size limits or enforce allowed MIME types beyond what the client declares in the Content-Type header. An attacker can upload arbitrarily large files or files with disguised MIME types (e.g. a PHP script named video.mp4).

Specifications

Features:

  • Enforce max file size (configurable, default 500MB for video, 10MB for images).
  • Validate actual file magic bytes against the declared MIME type.

Tasks:

  • Add multer limits (fileSize) or manual Content-Length check in the upload endpoint.
  • Use file-type package to inspect magic bytes and compare to expected MIME.
  • Reject mismatched files with 415 Unsupported Media Type.
  • Add unit tests for oversized files and MIME mismatch.

Impacted Files:

  • src/cdn/cdn.service.ts
  • src/cdn/dto/upload-content.dto.ts

Acceptance Criteria

  • Upload of a file exceeding the size limit returns 413.
  • File with wrong magic bytes returns 415.
  • Valid uploads continue to work.
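A sketch of the size and magic-byte checks and the status codes the acceptance criteria call for, as an added example that is not the project's own code. The names `validateUpload`, `sniff` and `RULES` are hypothetical, the three-entry signature table is a constructed stand-in for the `file-type` package, and MB is taken as 1024 × 1024 bytes.

```typescript
// Added example (not from the repository). Hypothetical names throughout.
type Kind = "image" | "video";
interface Rule { mime: string; kind: Kind; offset: number; magic: number[] }

// Allowlist plus signatures; a stand-in for what the `file-type` package detects.
const RULES: Rule[] = [
  { mime: "image/png", kind: "image", offset: 0, magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", kind: "image", offset: 0, magic: [0xff, 0xd8, 0xff] },
  { mime: "video/mp4", kind: "video", offset: 4, magic: [0x66, 0x74, 0x79, 0x70] }, // "ftyp" box
];

// Defaults from the issue: 500MB for video, 10MB for images (assumed 1024 * 1024 per MB).
const MAX_BYTES: Record<Kind, number> = { video: 500 * 1024 * 1024, image: 10 * 1024 * 1024 };

// Identify the content from its leading bytes, ignoring anything the client declared.
function sniff(head: Uint8Array): Rule | undefined {
  return RULES.find(
    (r) => head.length >= r.offset + r.magic.length && r.magic.every((b, i) => head[r.offset + i] === b),
  );
}

// Returns the HTTP status to send. `size` must be the byte count actually
// received (e.g. enforced by multer's fileSize limit); the Content-Length
// header is client-controlled and only useful as an early reject.
function validateUpload(declaredMime: string, size: number, head: Uint8Array): number {
  const wanted = (declaredMime.split(";")[0] ?? "").trim().toLowerCase();
  const declared = RULES.find((r) => r.mime === wanted);
  if (!declared) return 415; // declared type is not on the allowlist
  if (size > MAX_BYTES[declared.kind]) return 413; // over the per-kind limit
  const actual = sniff(head);
  if (!actual || actual.mime !== declared.mime) return 415; // content does not match declaration
  return 200;
}

// Constructed sample inputs: a PNG header, an MP4 "ftyp isom" header,
// and the text "<?php echo" sent with Content-Type: video/mp4.
const PNG_HEAD = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const MP4_HEAD = Uint8Array.from([0, 0, 0, 0x18, 0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6f, 0x6d]);
const PHP_AS_MP4 = Uint8Array.from([0x3c, 0x3f, 0x70, 0x68, 0x70, 0x20, 0x65, 0x63, 0x68, 0x6f]);

console.log(validateUpload("image/png", 1024, PNG_HEAD));
console.log(validateUpload("video/mp4", 2048, PHP_AS_MP4));
console.log(validateUpload("image/png", MAX_BYTES.image + 1, PNG_HEAD));
```

The three constructed cases map onto the unit tests the task list asks for: a valid upload, a MIME mismatch, and an oversized file.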
