fix(common): introduce magic file type validator to nestjs common #14881

Merged

Chathula
Contributor

@Chathula Chathula commented Mar 31, 2025

  • introduce magic file type validator logic to nestjs common with validator class FileTypeValidator

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix

  • Feature

  • Code style update (formatting, local variables)

  • Refactoring (no functional changes, no api changes)

  • Build related changes

  • CI related changes

  • Other... Please describe:

  • security enhancement fix

What is the current behavior?

Issue Number: N/A

What is the new behavior?

  • now users can use the addMagicFileTypeValidator pipe method instead of addFileTypeValidator for more secure MIME type validation

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@coveralls

coveralls commented Mar 31, 2025

Pull Request Test Coverage Report for Build c6d89f19-7909-4729-a795-fc3ab4be8c81

Details

  • 11 of 11 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.01%) to 89.32%

Totals Coverage Status
  • Change from base Build 91c827b1-b77d-4e6b-8884-c81544ad6b65: 0.01%
  • Covered Lines: 7159
  • Relevant Lines: 8015

💛 - Coveralls

@kamilmysliwiec
Member

Instead of introducing a new validator, we should probably just replace the logic of the existing one; otherwise we won't get rid of the vulnerability report

@Chathula Chathula force-pushed the fix-nestjs-common-mime-validator branch from c8c56ac to 54f5b80 on April 1, 2025 13:06
@Chathula
Contributor Author

Chathula commented Apr 1, 2025

@kamilmysliwiec I'm not sure why the test suddenly started failing. It passes on the local env 😕

@kamilmysliwiec
Member

Tests for sample 29 (file upload) are now failing:
[screenshot]

@Chathula
Contributor Author

Chathula commented Apr 2, 2025

Tests for sample 29 (file upload) are now failing: [screenshot]

Yes, this needs to be fixed. The code throws this error in the e2e test.
[screenshot]

Also, the unit test fails. It doesn't work on Node v22.11 with inline import; it throws the error ERR_PACKAGE_PATH_NOT_EXPORTED, but works fine with Node v22.14.

@kamilmysliwiec
Member

file-type is an ESM-only package so in order to remain compatible with older versions of Node we'd have to either:
a) use a different package
b) use an older version of this package
c) load it differently (see "load esm modules in cjs")

@Chathula Chathula requested a review from kamilmysliwiec on April 4, 2025 11:54
@Chathula
Contributor Author

Chathula commented Apr 4, 2025

@kamilmysliwiec I used a new package and refactored the code to support the file validation without magic numbers as well due to lack of file type support with magic numbers file type validation. The default behaviour is validated with magic numbers to fix the security vulnerability.
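The comments above describe the change in one sentence: decide the file's type from its leading bytes (magic numbers) instead of the client-declared mimetype, with magic-number checking as the default. The following TypeScript is an added illustration written for this page, not the NestJS implementation or the code in this PR. Its signature table, the `UploadedFile` shape, the `MagicFileTypeValidator` class and the `useMagicNumbers` option name are all this example's own assumptions; the real implementation delegates detection to a library rather than keeping a hand-written table.

```typescript
// Added example (not NestJS code): validate an upload by its magic numbers
// rather than by the mimetype the client declared.

interface Signature {
  mime: string;
  bytes: number[]; // expected bytes at offset 0 of the file
}

// Constructed, deliberately short table of well-known file signatures.
const SIGNATURES: Signature[] = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },
];

// Minimal stand-in for the object a multipart handler passes to a pipe.
export interface UploadedFile {
  mimetype: string; // declared by the client, so attacker-controlled
  buffer: Uint8Array; // the actual bytes that were uploaded
}

// Returns the MIME type implied by the leading bytes, or undefined when
// the content matches nothing in the table (including an empty buffer).
export function detectMime(buffer: Uint8Array): string | undefined {
  for (const sig of SIGNATURES) {
    if (buffer.length < sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => buffer[i] === b)) return sig.mime;
  }
  return undefined;
}

export interface MagicFileTypeOptions {
  fileType: string | RegExp; // same shape as the NestJS `fileType` option
  useMagicNumbers?: boolean; // hypothetical option name; defaults to true
}

function matches(pattern: string | RegExp, mime: string): boolean {
  return typeof pattern === 'string' ? pattern === mime : pattern.test(mime);
}

export class MagicFileTypeValidator {
  constructor(private readonly options: MagicFileTypeOptions) {}

  isValid(file: UploadedFile): boolean {
    const useMagic = this.options.useMagicNumbers ?? true;
    if (!useMagic) {
      // Declared-mimetype-only behaviour: trusts whatever the client sent.
      return matches(this.options.fileType, file.mimetype);
    }
    const detected = detectMime(file.buffer);
    if (detected === undefined) return false; // unknown content: reject
    return matches(this.options.fileType, detected);
  }

  buildErrorMessage(file: UploadedFile): string {
    const detected = detectMime(file.buffer) ?? 'unknown';
    return `Validation failed (expected type is ${this.options.fileType}, detected ${detected})`;
  }
}

// ASCII helper for building constructed sample bodies.
function ascii(s: string): Uint8Array {
  return new Uint8Array(Array.from(s, (c) => c.charCodeAt(0)));
}

// Constructed samples: a genuine PNG header, and an HTML document uploaded
// with a forged "image/png" mimetype.
export const PNG_SAMPLE: UploadedFile = {
  mimetype: 'image/png',
  buffer: new Uint8Array([
    0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52,
  ]),
};
export const FORGED_SAMPLE: UploadedFile = {
  mimetype: 'image/png',
  buffer: ascii('<html><body>not an image</body></html>'),
};

// Convenience wrapper used when running the file directly.
export function demo(): boolean[] {
  const strict = new MagicFileTypeValidator({ fileType: /^image\// });
  const weak = new MagicFileTypeValidator({ fileType: /^image\//, useMagicNumbers: false });
  return [strict.isValid(PNG_SAMPLE), strict.isValid(FORGED_SAMPLE), weak.isValid(FORGED_SAMPLE)];
}
```

With `useMagicNumbers` left at its default, the forged upload is rejected even though its declared mimetype satisfies the `/^image\//` pattern; with the option turned off, the same upload passes, which is the gap the PR closes. The table above is illustrative only: real validators cover many more formats, handle signatures at non-zero offsets, and still need to treat "detected as something allowed" as distinct from "safe to serve back to a browser".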

@kamilmysliwiec
Member

Thanks @Chathula. I'm not sure if adding a hard dependency on a package that has 20k/week downloads is safe though

@Chathula
Contributor Author

Chathula commented Apr 4, 2025

Thanks @Chathula. I'm not sure if adding a hard dependency on a package that has 20k/week downloads is safe though

Yes, I agree. What are our options? It isn't possible to import this file-type package so that it works with NestJS :/ I even tried using eval. The package owner doesn't want to support CJS.

@kamilmysliwiec
Member

Is there any specific reason why eval-workaround doesn't work?

@Chathula Chathula force-pushed the fix-nestjs-common-mime-validator branch from 97f3823 to 3ff9024 on April 9, 2025 14:33
@Chathula
Contributor Author

Chathula commented Apr 9, 2025

Is there any specific reason why eval-workaround doesn't work?

Because we need to pass the --experimental-vm-modules Node option to work with it in the project where we use FileTypeValidator.

@Chathula
Contributor Author

Chathula commented Apr 9, 2025

@kamilmysliwiec I used the file-type package with an eval import. Let's see whether this is good to go or not.

@Chathula Chathula requested a review from kamilmysliwiec on April 10, 2025 09:09
@Chathula
Contributor Author

@kamilmysliwiec let me know if there is anything that I need to do to merge this one.

@Chathula
Contributor Author

@kamilmysliwiec moved the changes back

@kamilmysliwiec kamilmysliwiec merged commit ab79c56 into nestjs:master Apr 11, 2025
1 of 2 checks passed
@kamilmysliwiec
Member

LGTM

@kamilmysliwiec
Member

Would you like to create an identical PR that targets the v10.4.15 branch?

@Chathula
Contributor Author

Would you like to create an identical PR that targets the v10.4.15 branch?

Sure, I can do it.

@Chathula
Contributor Author

@kamilmysliwiec I created a branch for v10.4.15 to target in my fork, but I can't see a branch for v10.4.15.

here is my branch: https://github.com/Chathula/nest/tree/fix-nest-common-mime-validator

@kamilmysliwiec
Member

@Chathula
Contributor Author

Branch https://github.com/nestjs/nest/tree/10.4.15

PR filed: #14948

phlogisticfugu added a commit to phlogisticfugu/docs.nestjs.com that referenced this pull request Apr 16, 2025
New version of the FileTypeValidator implemented in nestjs/nest#14881
no longer has a limitation that the file contents are removed.

This updates the documentation to match.