Overview
src/workers/processors/media-processing.worker.ts and the CDN upload endpoint do not validate file size limits or enforce allowed MIME types beyond what the client declares in the Content-Type header. An attacker can upload arbitrarily large files or files with disguised MIME types (e.g. a PHP script named video.mp4).
Specifications
Features:
- Enforce max file size (configurable, default 500MB for video, 10MB for images).
- Validate actual file magic bytes against the declared MIME type.
Tasks:
- Add
multer limits (fileSize) or manual Content-Length check in the upload endpoint.
- Use
file-type package to inspect magic bytes and compare to expected MIME.
- Reject mismatched files with 415 Unsupported Media Type.
- Add unit tests for oversized files and MIME mismatch.
Impacted Files:
src/cdn/cdn.service.ts
src/cdn/dto/upload-content.dto.ts
Acceptance Criteria
- Upload of a file exceeding the size limit returns 413.
- File with wrong magic bytes returns 415.
- Valid uploads continue to work.
Overview
src/workers/processors/media-processing.worker.tsand the CDN upload endpoint do not validate file size limits or enforce allowed MIME types beyond what the client declares in theContent-Typeheader. An attacker can upload arbitrarily large files or files with disguised MIME types (e.g. a PHP script namedvideo.mp4).Specifications
Features:
Tasks:
multerlimits (fileSize) or manualContent-Lengthcheck in the upload endpoint.file-typepackage to inspect magic bytes and compare to expected MIME.Impacted Files:
src/cdn/cdn.service.tssrc/cdn/dto/upload-content.dto.tsAcceptance Criteria