Merge branch 'Chathula-fix-nest-common-mime-validator' into 10.4.15

2026-02-21 23:11:44 +00:00 · 2025-04-14 10:35:17 +02:00
parent d0fb875e23 2b9e132f6a
commit bce9a49214
11 changed files with 27486 additions and 16723 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -66,6 +66,7 @@
    "express": "4.21.2",
    "fast-json-stringify": "6.0.0",
    "fast-safe-stringify": "2.1.1",
+    "file-type": "20.4.1",
    "iterare": "1.2.1",
    "object-hash": "3.0.0",
    "path-to-regexp": "3.3.0",
@@ -74,7 +75,7 @@
    "socket.io": "4.8.1",
    "tslib": "2.8.1",
    "uid": "2.0.2",
-    "uuid": "11.0.3"
+    "uuid": "11.1.0"
  },
  "devDependencies": {
    "@apollo/server": "4.11.2",
--- a/packages/common/package.json
+++ b/packages/common/package.json
@@ -25,6 +25,7 @@
  "peerDependencies": {
    "class-transformer": "*",
    "class-validator": "*",
+    "file-type": "^20.4.1",
    "reflect-metadata": "^0.1.12 || ^0.2.0",
    "rxjs": "^7.1.0"
  },
@@ -34,6 +35,9 @@
    },
    "class-transformer": {
      "optional": true
+    },
+    "file-type": {
+      "optional": true
    }
  }
 }
--- a/packages/common/pipes/file/file-type.validator.ts
+++ b/packages/common/pipes/file/file-type.validator.ts
@@ -3,14 +3,19 @@ import { IFile } from './interfaces';

 export type FileTypeValidatorOptions = {
  fileType: string | RegExp;
+
+  /**
+   * If `true`, the validator will skip the magic numbers validation.
+   * This can be useful when you can't identify some files as there are no common magic numbers available for some file types.
+   * @default false
+   */
+  skipMagicNumbersValidation?: boolean;
 };

 /**
- * Defines the built-in FileType File Validator. It validates incoming files mime-type
- * matching a string or a regular expression. Note that this validator uses a naive strategy
- * to check the mime-type and could be fooled if the client provided a file with renamed extension.
- * (for instance, renaming a 'malicious.bat' to 'malicious.jpeg'). To handle such security issues
- * with more reliability, consider checking against the file's [magic-numbers](https://en.wikipedia.org/wiki/Magic_number_%28programming%29)
+ * Defines the built-in FileTypeValidator. It validates incoming files by examining
+ * their magic numbers using the file-type package, providing more reliable file type validation
+ * than just checking the mimetype string.
 *
 * @see [File Validators](https://docs.nestjs.com/techniques/file-upload#validators)
 *
@@ -20,19 +25,42 @@ export class FileTypeValidator extends FileValidator<
  FileTypeValidatorOptions,
  IFile
 > {
-  buildErrorMessage(): string {
+  buildErrorMessage(file?: IFile): string {
+    if (file?.mimetype) {
+      return `Validation failed (current file type is ${file.mimetype}, expected type is ${this.validationOptions.fileType})`;
+    }
    return `Validation failed (expected type is ${this.validationOptions.fileType})`;
  }

-  isValid(file?: IFile): boolean {
+  async isValid(file?: IFile): Promise<boolean> {
    if (!this.validationOptions) {
      return true;
    }

+    const isFileValid = !!file && 'mimetype' in file;
+
+    if (this.validationOptions.skipMagicNumbersValidation) {
      return (
-      !!file &&
-      'mimetype' in file &&
-      !!file.mimetype.match(this.validationOptions.fileType)
+        isFileValid && !!file.mimetype.match(this.validationOptions.fileType)
      );
    }
+
+    if (!isFileValid || !file.buffer) {
+      return false;
+    }
+
+    try {
+      const { fileTypeFromBuffer } = (await eval(
+        'import ("file-type")',
+      )) as typeof import('file-type');
+
+      const fileType = await fileTypeFromBuffer(file.buffer);
+
+      return (
+        !!fileType && !!fileType.mime.match(this.validationOptions.fileType)
+      );
+    } catch {
+      return false;
+    }
+  }
 }
--- a/packages/common/pipes/file/interfaces/file.interface.ts
+++ b/packages/common/pipes/file/interfaces/file.interface.ts
@@ -1,4 +1,5 @@
 export interface IFile {
  mimetype: string;
  size: number;
+  buffer?: Buffer;
 }
--- a/packages/common/test/pipes/file/file-type.validator.spec.ts
+++ b/packages/common/test/pipes/file/file-type.validator.spec.ts
@@ -1,89 +1,195 @@
 import { expect } from 'chai';
+import { IFile } from '../../../../common/pipes/file/interfaces';
 import { FileTypeValidator } from '../../../pipes';

 describe('FileTypeValidator', () => {
  describe('isValid', () => {
-    it('should return true when the file mimetype is the same as the specified', () => {
+    it('should return true when the file buffer matches the specified type', async () => {
      const fileTypeValidator = new FileTypeValidator({
        fileType: 'image/jpeg',
      });

+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
      const requestFile = {
        mimetype: 'image/jpeg',
-      } as any;
+        buffer: jpegBuffer,
+      } as IFile;

-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
    });

-    it('should return true when the file mimetype ends with the specified option type', () => {
+    it('should return true when the file buffer matches the specified file extension', async () => {
      const fileTypeValidator = new FileTypeValidator({
        fileType: 'jpeg',
      });

+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
      const requestFile = {
        mimetype: 'image/jpeg',
-      } as any;
-
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+        buffer: jpegBuffer,
+      } as IFile;
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
    });

-    it('should return true when the file mimetype matches the specified regexp', () => {
+    it('should return true when the file buffer matches the specified regexp', async () => {
      const fileTypeValidator = new FileTypeValidator({
-        fileType: /word/,
+        fileType: /^image\//,
      });

+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
      const requestFile = {
-        mimetype: 'application/msword',
-      } as any;
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;

-      expect(fileTypeValidator.isValid(requestFile)).to.equal(true);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
    });

-    it('should return false when the file mimetype is different from the specified', () => {
+    it('should return false when the file buffer does not match the specified type', async () => {
      const fileTypeValidator = new FileTypeValidator({
        fileType: 'image/jpeg',
      });

+      const pngBuffer = Buffer.from([
+        0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg', // Spoofed mimetype
+        buffer: pngBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return false when the file buffer does not match the specified file extension', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+
+      const pngBuffer = Buffer.from([
+        0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
+      ]);
      const requestFile = {
        mimetype: 'image/png',
-      } as any;
+        buffer: pngBuffer,
+      } as IFile;

-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
    });

-    it('should return false when the file mimetype does not match the provided regexp', () => {
+    it('should return false when no buffer is provided', async () => {
      const fileTypeValidator = new FileTypeValidator({
-        fileType: /mp4/,
+        fileType: 'image/jpeg',
      });

      const requestFile = {
-        mimetype: 'image/png',
-      } as any;
+        mimetype: 'image/jpeg',
+      } as IFile;

-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
    });

-    it('should return false when the file mimetype was not provided', () => {
+    it('should return false when no file is provided', async () => {
      const fileTypeValidator = new FileTypeValidator({
        fileType: 'image/jpeg',
      });

-      const requestFile = {} as any;
-
-      expect(fileTypeValidator.isValid(requestFile)).to.equal(false);
+      expect(await fileTypeValidator.isValid()).to.equal(false);
    });

-    it('should return false when no file provided', () => {
+    it('should return false when no buffer is provided', async () => {
      const fileTypeValidator = new FileTypeValidator({
        fileType: 'image/jpeg',
      });

-      expect(fileTypeValidator.isValid()).to.equal(false);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return true when the file buffer matches the specified regexp', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should return true when no validation options are provided', async () => {
+      const fileTypeValidator = new FileTypeValidator({} as any);
+      const jpegBuffer = Buffer.from([
+        0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46,
+      ]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: jpegBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should skip magic numbers validation when the skipMagicNumbersValidation is true', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'image/jpeg',
+        skipMagicNumbersValidation: true,
+      });
+
+      const requestFile = {
+        mimetype: 'image/jpeg',
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(true);
+    });
+
+    it('should return false when the file buffer does not match any known type', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'unknown/type',
+      });
+
+      const unknownBuffer = Buffer.from([
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+      ]);
+      const requestFile = {
+        mimetype: 'unknown/type',
+        buffer: unknownBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
+    });
+
+    it('should return false when the buffer is empty', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'image/jpeg',
+      });
+
+      const emptyBuffer = Buffer.from([]);
+      const requestFile = {
+        mimetype: 'image/jpeg',
+        buffer: emptyBuffer,
+      } as IFile;
+
+      expect(await fileTypeValidator.isValid(requestFile)).to.equal(false);
    });
  });

  describe('buildErrorMessage', () => {
-    it('should return a string with the format "Validation failed (expected type is #fileType)"', () => {
+    it('should return a string with the format "Validation failed (expected type is #fileType)"', async () => {
      const fileType = 'image/jpeg';
      const fileTypeValidator = new FileTypeValidator({
        fileType,
@@ -93,5 +199,85 @@ describe('FileTypeValidator', () => {
        `Validation failed (expected type is ${fileType})`,
      );
    });
+
+    it('should include the file type in the error message when a file is provided', async () => {
+      const currentFileType = 'image/png';
+      const fileType = 'image/jpeg';
+      const fileTypeValidator = new FileTypeValidator({
+        fileType,
+      });
+
+      const file = { mimetype: currentFileType } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is ${currentFileType}, expected type is ${fileType})`,
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
+
+    it('should handle regexp file type in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: /^image\//,
+      });
+      const file = { mimetype: 'application/pdf' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        `Validation failed (current file type is application/pdf, expected type is /^image\\//)`,
+      );
+    });
+
+    it('should handle file extension in error message', async () => {
+      const fileTypeValidator = new FileTypeValidator({
+        fileType: 'jpeg',
+      });
+      const file = { mimetype: 'image/png' } as IFile;
+
+      expect(fileTypeValidator.buildErrorMessage(file)).to.equal(
+        'Validation failed (current file type is image/png, expected type is jpeg)',
+      );
+    });
  });
 });
--- a/packages/common/test/pipes/file/parse-file-pipe.builder.spec.ts
+++ b/packages/common/test/pipes/file/parse-file-pipe.builder.spec.ts
@@ -1,9 +1,9 @@
 import { expect } from 'chai';
 import {
-  FileTypeValidator,
  FileValidator,
  MaxFileSizeValidator,
  ParseFilePipeBuilder,
+  FileTypeValidator,
 } from '../../../pipes';

 describe('ParseFilePipeBuilder', () => {
--- a/sample/29-file-upload/e2e/app/app.e2e-spec.ts
+++ b/sample/29-file-upload/e2e/app/app.e2e-spec.ts
@@ -32,14 +32,14 @@ describe('E2E FileTest', () => {
  it('should allow for file uploads that pass validation', async () => {
    return request(app.getHttpServer())
      .post('/file/pass-validation')
-      .attach('file', './package.json')
+      .attach('file', './resources/nestjs.jpg')
      .field('name', 'test')
      .expect(201)
      .expect({
        body: {
          name: 'test',
        },
-        file: readFileSync('./package.json').toString(),
+        file: readFileSync('./resources/nestjs.jpg').toString(),
      });
  });

--- a/sample/29-file-upload/package.json
+++ b/sample/29-file-upload/package.json
@@ -16,7 +16,7 @@
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./e2e/jest-e2e.json"
+    "test:e2e": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" jest --config ./e2e/jest-e2e.json"
  },
  "dependencies": {
    "@nestjs/common": "10.4.13",
--- a/sample/29-file-upload/resources/nestjs.jpg
+++ b/sample/29-file-upload/resources/nestjs.jpg
--- a/sample/29-file-upload/src/app.controller.ts
+++ b/sample/29-file-upload/src/app.controller.ts
@@ -40,7 +40,7 @@ export class AppController {
    @UploadedFile(
      new ParseFilePipeBuilder()
        .addFileTypeValidator({
-          fileType: 'json',
+          fileType: 'jpeg',
        })
        .build({
          fileIsRequired: false,