Merge branch 'Chathula-fix-nest-common-mime-validator' into 10.4.15

package.json

@@ -66,6 +66,7 @@
     "express": "4.21.2",
     "fast-json-stringify": "6.0.0",
     "fast-safe-stringify": "2.1.1",
+    "file-type": "20.4.1",
     "iterare": "1.2.1",
     "object-hash": "3.0.0",
     "path-to-regexp": "3.3.0",
@@ -74,7 +75,7 @@
     "socket.io": "4.8.1",
     "tslib": "2.8.1",
     "uid": "2.0.2",
-    "uuid": "11.0.3"
+    "uuid": "11.1.0"
   },
   "devDependencies": {
     "@apollo/server": "4.11.2",

packages/common/package.json

@@ -25,6 +25,7 @@
   "peerDependencies": {
     "class-transformer": "*",
     "class-validator": "*",
+    "file-type": "^20.4.1",
     "reflect-metadata": "^0.1.12 || ^0.2.0",
     "rxjs": "^7.1.0"
   },
@@ -34,6 +35,9 @@
     },
     "class-transformer": {
       "optional": true
+    },
+    "file-type": {
+      "optional": true
     }
   }
 }

packages/common/pipes/file/file-type.validator.ts

@@ -3,14 +3,19 @@ import { IFile } from './interfaces';
 
 export type FileTypeValidatorOptions = {
   fileType: string | RegExp;
+
+  /**
+   * If `true`, the validator will skip the magic numbers validation.
+   * This can be useful when you can't identify some files as there are no common magic numbers available for some file types.
+   * @default false
+   */
+  skipMagicNumbersValidation?: boolean;
 };
 
 /**
- * Defines the built-in FileType File Validator. It validates incoming files mime-type
- * matching a string or a regular expression. Note that this validator uses a naive strategy
- * to check the mime-type and could be fooled if the client provided a file with renamed extension.
- * (for instance, renaming a 'malicious.bat' to 'malicious.jpeg'). To handle such security issues
- * with more reliability, consider checking against the file's [magic-numbers](https://en.wikipedia.org/wiki/Magic_number_%28programming%29)
+ * Defines the built-in FileTypeValidator. It validates incoming files by examining
+ * their magic numbers using the file-type package, providing more reliable file type validation
+ * than just checking the mimetype string.
  *
  * @see [File Validators](https://docs.nestjs.com/techniques/file-upload#validators)
  *
@@ -20,19 +25,42 @@ export class FileTypeValidator extends FileValidator<
   FileTypeValidatorOptions,
   IFile
 > {
-  buildErrorMessage(): string {
+  buildErrorMessage(file?: IFile): string {
+    if (file?.mimetype) {
+      return `Validation failed (current file type is ${file.mimetype}, expected type is ${this.validationOptions.fileType})`;
+    }
     return `Validation failed (expected type is ${this.validationOptions.fileType})`;
   }
 
-  isValid(file?: IFile): boolean {
+  async isValid(file?: IFile): Promise<boolean> {
     if (!this.validationOptions) {
       return true;
     }
 
-    return (
-      !!file &&
-      'mimetype' in file &&
-      !!file.mimetype.match(this.validationOptions.fileType)
-    );
+    const isFileValid = !!file && 'mimetype' in file;
+
+    if (this.validationOptions.skipMagicNumbersValidation) {
+      return (
+        isFileValid && !!file.mimetype.match(this.validationOptions.fileType)
+      );
+    }
+
+    if (!isFileValid || !file.buffer) {
+      return false;
+    }
+
+    try {
+      const { fileTypeFromBuffer } = (await eval(
+        'import ("file-type")',
+      )) as typeof import('file-type');
+
+      const fileType = await fileTypeFromBuffer(file.buffer);
+
+      return (
+        !!fileType && !!fileType.mime.match(this.validationOptions.fileType)
+      );
+    } catch {
+      return false;
+    }
   }
 }

packages/common/pipes/file/interfaces/file.interface.ts

@@ -1,4 +1,5 @@
 export interface IFile {
   mimetype: string;
   size: number;
+  buffer?: Buffer;
 }

packages/common/test/pipes/file/file-type.validator.spec.ts

@@ -1,89 +1,195 @@
 import { expect } from 'chai';
+import { IFile } from '../../../../common/pipes/file/interfaces';
 import { FileTypeValidator } from '../../../pipes';
 
 describe('FileTypeValidator', () => {
   describe('isValid', () => {
-    it('should return true when the file mimetype is the same as the specified', () => {
+    it('should return true when the file buffer matches the specified type', async () => {
       const fileTypeValidator = new FileTypeValidator({
         fileType: 'image/jpeg',
       });
 
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
       const requestFile = {
         mimetype: 'image/jpeg',
-      } as any;
+        buffer: jpegBuffer,
+      } as IFile;
 
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
     });
 
-    it('should return true when the file mimetype ends with the specified option type', () => {
+    it('should return true when the file buffer matches the specified file extension', async () => {
       const fileTypeValidator = new FileTypeValidator({
         fileType: 'jpeg',
       });
 
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
       const requestFile = {
         mimetype: 'image/jpeg',
-      } as any;
-
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+        buffer: jpegBuffer,
+      } as IFile;
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
     });
 
-    it('should return true when the file mimetype matches the specified regexp', () => {
+    it('should return true when the file buffer matches the specified regexp', async () => {
       const fileTypeValidator = new FileTypeValidator({
-        fileType: /word/,
+        fileType: /^image\//,
       });
 
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
       const requestFile = {
-        mimetype: 'application/msword',
-      } as any;
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;
 
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
     });
 
-    it('should return false when the file mimetype is different from the specified', () => {
+    it('should return false when the file buffer does not match the specified type', async () => {
       const fileTypeValidator = new FileTypeValidator({
         fileType: 'image/jpeg',
       });
 
+      const pngBuffer = Buffer.from([
+        0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg', // Spoofed mimetype
+        buffer: pngBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return false when the file buffer does not match the specified file extension', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+
+      const pngBuffer = Buffer.from([
+        0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+      ]);
       const requestFile = {
         mimetype: 'image/png',
-      } as any;
+        buffer: pngBuffer,
+      } as IFile;
 
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
     });
 
-    it('should return false when the file mimetype does not match the provided regexp', () => {
+    it('should return false when no buffer is provided', async () => {
       const fileTypeValidator = new FileTypeValidator({
-        fileType: /mp4/,
+        fileType: 'image/jpeg',
       });
 
       const requestFile = {
-        mimetype: 'image/png',
-      } as any;
+        mimetype: 'image/jpeg',
+      } as IFile;
 
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
     });
 
-    it('should return false when the file mimetype was not provided', () => {
+    it('should return false when no file is provided', async () => {
       const fileTypeValidator = new FileTypeValidator({
         fileType: 'image/jpeg',
       });
 
-      const requestFile = {} as any;
-
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid()).to.equal(false);
     });
 
-    it('should return false when no file provided', () => {
+    it('should return false when no buffer is provided', async () => {
       const fileTypeValidator = new FileTypeValidator({
         fileType: 'image/jpeg',
       });
 
-      expect(fileTypeValidator.isValid()).to.equal(false);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return true when the file buffer matches the specified regexp', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should return true when no validation options are provided', async () => {
+      const fileTypeValidator = new FileTypeValidator({} as any);
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should skip magic numbers validation when the skipMagicNumbersValidation is true', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'image/jpeg',
+        skipMagicNumbersValidation: true,
+      });
+
+      const requestFile = {
+        mimetype: 'image/jpeg',
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should return false when the file buffer does not match any known type', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'unknown/type',
+      });
+
+      const unknownBuffer = Buffer.from([
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+      ]);
+      const requestFile = {
+        mimetype: 'unknown/type',
+        buffer: unknownBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return false when the buffer is empty', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'image/jpeg',
+      });
+
+      const emptyBuffer = Buffer.from([]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: emptyBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
     });
   });
 
   describe('buildErrorMessage', () => {
-    it('should return a string with the format "Validation failed (expected type is #fileType)"', () => {
+    it('should return a string with the format "Validation failed (expected type is #fileType)"', async () => {
       const fileType = 'image/jpeg';
       const fileTypeValidator = new FileTypeValidator({
         fileType,
@@ -93,5 +199,85 @@ describe('FileTypeValidator', () => {
         `Validation failed (expected type is ${fileType})`,
       );
     });
+
+    it('should include the file type in the error message when a file is provided', async () => {
+      const currentFileType = 'image/png';
+      const fileType = 'image/jpeg';
+      const fileTypeValidator = new FileTypeValidator({
+        fileType,
+      });
+
+      const file = { mimetype: currentFileType } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is ${currentFileType}, expected type is ${fileType})`,
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
   });
 });

packages/common/test/pipes/file/parse-file-pipe.builder.spec.ts

@@ -1,9 +1,9 @@
 import { expect } from 'chai';
 import {
-  FileTypeValidator,
   FileValidator,
   MaxFileSizeValidator,
   ParseFilePipeBuilder,
+  FileTypeValidator,
 } from '../../../pipes';
 
 describe('ParseFilePipeBuilder', () => {

sample/29-file-upload/e2e/app/app.e2e-spec.ts

@@ -32,14 +32,14 @@ describe('E2E FileTest', () => {
   it('should allow for file uploads that pass validation', async () => {
     return request(app.getHttpServer())
       .post('/file/pass-validation')
-      .attach('file', './package.json')
+      .attach('file', './resources/nestjs.jpg')
       .field('name', 'test')
       .expect(201)
       .expect({
         body: {
           name: 'test',
         },
-        file: readFileSync('./package.json').toString(),
+        file: readFileSync('./resources/nestjs.jpg').toString(),
       });
   });
 

sample/29-file-upload/package.json

@@ -16,7 +16,7 @@
     "test:watch": "jest --watch",
     "test:cov": "jest --coverage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./e2e/jest-e2e.json"
+    "test:e2e": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" jest --config ./e2e/jest-e2e.json"
   },
   "dependencies": {
     "@nestjs/common": "10.4.13",

sample/29-file-upload/src/app.controller.ts

@@ -40,7 +40,7 @@ export class AppController {
     @UploadedFile(
       new ParseFilePipeBuilder()
         .addFileTypeValidator({
-          fileType: 'json',
+          fileType: 'jpeg',
         })
         .build({
           fileIsRequired: false,