Skip to content

Fix/385 image upload content sniffing xss#440

Merged
KaranUnique merged 51 commits into
Canopus-Labs:developmentfrom
AadityaUniyal:fix/385-image-upload-content-sniffing-xss
Jul 14, 2026
Merged

Fix/385 image upload content sniffing xss#440
KaranUnique merged 51 commits into
Canopus-Labs:developmentfrom
AadityaUniyal:fix/385-image-upload-content-sniffing-xss

Conversation

@AadityaUniyal

Copy link
Copy Markdown

Fixes #385

Root Cause

As outlined in the issue, the image upload filter was trusting the client-supplied MIME type, and sanitizeFilename was preserving the original file extension. This allowed a stored XSS vector by uploading an HTML payload masquerading as an image, which was then served without protective headers from /uploads.

Changes Made

  • uploadMiddleware.js: Replaced mimetype trust with magic-byte verification using file-type. The middleware now uses memoryStorage, runs verifyRealImageType, and writes the file using persistVerifiedImage.
  • uploadMiddleware.js (sanitizeFilename): Now strips the user-supplied extension and forces the extension detected from the file's bytes.
  • server.js: Hardened static serving for /uploads by adding X-Content-Type-Options: nosniff and Content-Disposition: inline headers.

Testing Done

  1. Attempted to upload an HTML payload with Content-Type: image/jpeg — Rejected.
  2. Uploaded genuine .jpg/.png files — Success, and the stored extension matches the content.
  3. Verified existing files under /uploads/ are now served with the nosniff header but still render correctly.
  4. Confirmed normal profile picture upload flows still work.

AnandAyush005 and others added 30 commits July 6, 2026 15:11
…on-enhancements

feat: enhance hero section with premium animations and interactions
…own-rendering

fix: render markdown in AI Assistant chat messages
…er structure"

This reverts commit 33c92b1.

solving pr issue
…alidation

fix(ux): add client-side validation for empty job search submissions
KaranUnique and others added 20 commits July 9, 2026 16:44
…dme-for-latest-backend-folder-structure

Fix/update readme for latest backend folder structure
…heet-upload

fix: protect sheet upload endpoint
…ession-by-id

fix: enforce session ownership authorization check in getSessionById
…-unlocked-achievements

fix: validate unlockedAchievements request payload
…-marker

feat: add Need Revision marker using existing pin functionality
…tion-progress

feat: add resume completion progress indicator
…terview-section

Feature/enhance interview section
@AadityaUniyal

Copy link
Copy Markdown
Author

hi @KaranUnique ,Please review the changes.

@KaranUnique KaranUnique changed the base branch from main to development July 14, 2026 05:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet