Problem statement
The current upload validation in backend/utils/fileUpload.js relies primarily on file extensions and MIME type checks:
const allowedTypes = /jpeg|jpg|png|pdf|csv|xlsx|xls/;
and:
file.originalname.match(/\.(xlsx|xls|csv)$/i) || allowedTypes.test(file.mimetype)
Because of this, a malicious or unsupported file can potentially bypass validation simply by:
- renaming the file extension
- spoofing the MIME type
- uploading non-document content disguised as allowed formats
For example:
- a .exe renamed to .pdf
- arbitrary binary files with modified MIME headers
- malformed PDFs/images passing extension validation
This may lead to:
- unsafe file storage
- parser/runtime failures
- unexpected backend behavior during processing
Proposed solution
Implement stronger server-side file validation using actual file signature/content inspection instead of relying only on extensions and MIME types.
Possible improvements:
- validate magic bytes/file signatures
- use libraries like file-type
- verify PDFs/images before saving
- reject malformed or unsupported files before processing
Expected behavior:
- only genuine supported document/image formats should be accepted
- spoofed or malformed uploads should fail validation gracefully
Alternatives considered
Current extension + MIME validation is lightweight and simple, but it is not fully reliable because both values can be manipulated client-side.
A stricter content-based validation approach would provide stronger security and stability.
Why this matters
This improves:
- upload security
- backend reliability
- safer file handling
- protection against malformed uploads
It also makes the upload pipeline more production-ready and reduces unexpected failures caused by invalid file content.
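A sketch of the magic-byte check proposed above, covering the formats in the current allowlist. This is an added example, not code from the project: the function names are hypothetical, the sample inputs are constructed, and it uses a hand-written signature table rather than the file-type library so that it runs without dependencies.

```javascript
// Added example; detectType, looksLikeText and validateUpload are hypothetical names.
const SIGNATURES = [
  { type: 'jpg', exts: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  { type: 'png', exts: ['png'], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'pdf', exts: ['pdf'], magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  // ZIP container: proves "is a ZIP", not "is a valid workbook".
  { type: 'xlsx', exts: ['xlsx'], magic: [0x50, 0x4b, 0x03, 0x04] },
  // OLE2 compound file, the legacy .xls container.
  { type: 'xls', exts: ['xls'], magic: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] },
];

// Return the type whose signature matches the first bytes of buf, or null.
function detectType(buf) {
  const hit = SIGNATURES.find(
    (s) => buf.length >= s.magic.length && s.magic.every((b, i) => buf[i] === b)
  );
  return hit ? hit.type : null;
}

// CSV has no signature, so fall back to "contains no binary control bytes".
function looksLikeText(buf) {
  if (buf.length === 0) return false;
  for (const b of buf) {
    if (b === 0x09 || b === 0x0a || b === 0x0d) continue; // tab, LF, CR
    if (b < 0x20 || b === 0x7f) return false;
  }
  return true;
}

// Accept only when the content-derived type agrees with the claimed extension.
function validateUpload(originalname, buf) {
  const m = /\.([a-z0-9]+)$/i.exec(originalname);
  const ext = m ? m[1].toLowerCase() : '';
  if (ext === 'csv') {
    return looksLikeText(buf)
      ? { ok: true, type: 'csv' }
      : { ok: false, reason: 'csv content is not plain text' };
  }
  const type = detectType(buf);
  if (!type) return { ok: false, reason: 'unrecognized file signature' };
  const sig = SIGNATURES.find((s) => s.type === type);
  if (!sig.exts.includes(ext)) {
    return { ok: false, reason: `content is ${type}, extension is .${ext}` };
  }
  return { ok: true, type };
}

// Constructed sample: "MZ" executable header uploaded as invoice.pdf.
console.log(validateUpload('invoice.pdf', Buffer.from([0x4d, 0x5a, 0x90, 0x00])));
console.log(validateUpload('report.pdf', Buffer.from('%PDF-1.7\n')));
```

A matching signature only shows that the leading bytes are right; the malformed-PDF and malformed-image cases still need the file to be parsed before it is saved or processed.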