Add MIME type and extension validation for file uploads #5596
Conversation
- Updated jest.config.js to include the 'src' directory in test roots. - Introduced a new validator for checking MIME type and file extension matches, addressing security vulnerabilities. - Implemented validation in multiple server controllers and utilities to prevent MIME type spoofing attacks. - Added comprehensive tests for the new validation logic in validator.test.ts.
Summary of ChangesHello @jocelynlin-wd, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the security of file uploads by introducing a comprehensive validation mechanism. It directly addresses a reported vulnerability (GHSA-j8g8-j7fc-43v6) by preventing MIME type spoofing and path traversal attacks. The new validation ensures that uploaded files have appropriate extensions matching their declared MIME types and are free from malicious path components. This logic is integrated across several file handling services, and a cleanup process is added to remove invalid files from storage, bolstering the system's integrity against malicious uploads. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a security vulnerability by introducing robust MIME type and file extension validation for file uploads. The new validator is well-implemented and comes with a comprehensive suite of tests, covering many edge cases. The validation has been consistently applied across all relevant parts of the application that handle file uploads. Additionally, the new logic to clean up files from storage when a loader fails is a great improvement for system hygiene. I have a few minor suggestions to improve code consistency and error message accuracy.
packages/server/src/controllers/openai-assistants-vector-store/index.ts
Outdated
Show resolved
Hide resolved
isUnsafeFilePath function checks for various security risks, including absolute paths, null bytes, and control characters, not just path traversal. A more general error message would be more appropriate to cover all cases. Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
| preset: 'ts-jest', | ||
| testEnvironment: 'node', | ||
| roots: ['<rootDir>/nodes'], | ||
| roots: ['<rootDir>/nodes', '<rootDir>/src'], |
There was a problem hiding this comment.
tests in components/src was never run, need to expose the directory as roots
| jest.mock('@opentelemetry/exporter-trace-otlp-proto', () => { | ||
| return { | ||
| ProtoOTLPTraceExporter: jest.fn().mockImplementation((args) => { | ||
| OTLPTraceExporter: jest.fn().mockImplementation((args) => { |
There was a problem hiding this comment.
the exported function from the library is OTLPTraceExporter not the renamed version import { OTLPTraceExporter as ProtoOTLPTraceExporter }.
| } | ||
| }) | ||
|
|
||
| import { OTLPTraceExporter as ProtoOTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-proto' |
There was a problem hiding this comment.
move import to the top of the file
…e changes in source
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a security vulnerability by introducing MIME type and file extension validation for file uploads. The new validation logic in packages/components/src/validator.ts is robust and is accompanied by a comprehensive set of unit tests in validator.test.ts, covering numerous edge cases. The validation has been correctly integrated into all relevant file upload points across the application. Additionally, the new functionality to clean up failed uploads from storage is a great improvement for system stability and resource management. I have one suggestion to improve maintainability by reducing code duplication.
packages/server/src/controllers/openai-assistants-vector-store/index.ts
Outdated
Show resolved
Hide resolved
|
Staging Tested
|
| ['object filename', {}] | ||
| ])('should throw error for %s', (_description, filename) => { | ||
| expect(() => { | ||
| validateMimeTypeAndExtensionMatch(filename as any, 'text/plain') |
There was a problem hiding this comment.
nit: should it be as string instead of as any?
There was a problem hiding this comment.
ideally yes but we are doing tests and purposefully passing in non-string values (null, undefined, number) and can't cast it to string directly or else will have compile error in typescript. I can change it to first cast as unknown and then to string so that it's less confusing.
| ['non-string MIME type (number)', 123] | ||
| ])('should throw error for %s', (_description, mimetype) => { | ||
| expect(() => { | ||
| validateMimeTypeAndExtensionMatch('file.txt', mimetype as any) |
| } | ||
|
|
||
| // Get the expected extension from mapMimeTypeToExt (returns extension without dot) | ||
| const expectedExt = mapMimeTypeToExt(mimetype) |
There was a problem hiding this comment.
I'm still learning through the mapMimeTypeToExt function. Should it support image or media types? Ignore this comment if it's not related to this PR.
There was a problem hiding this comment.
We should support image/media types since this validation function is reused in other insert/upload features not just chatflow attachments. I have updated the function to address this. Thanks for pointing this out
Screen.Recording.2025-12-22.at.1.21.41.PM.mov
There was a problem hiding this comment.
Looks good to me! Thanks for your effort adding the new types,
There was a problem hiding this comment.
We need to support image type upload, one of our enterprise customers is doing OCR.
…s other review comments
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a new file validation mechanism to prevent MIME type spoofing, addressing CVE-2025-61687. Key changes include expanding the mapMimeTypeToExt utility in packages/components/src/utils.ts to support a wider range of YAML, SQL, RTF, image, audio, and video MIME types. A new validateMimeTypeAndExtensionMatch function, along with helper functions for filename validation and extension normalization, has been added to packages/components/src/validator.ts, accompanied by comprehensive unit tests. This validation is integrated into various file upload endpoints across the packages/server module, including OpenAI assistants, document store, chatflow execution, and attachment creation, via a new validateFileMimeTypeAndExtensionMatch wrapper in packages/server/src/utils/fileValidation.ts. The createAttachment utility also gains logic to clean up storage if file processing fails post-validation. Review comments suggest refactoring the extension normalization logic in validator.ts to use a map for better scalability and readability, and replacing console.info/console.error with the logger utility in createAttachment.ts for consistent and robust logging.
Address security vulnerability reported in https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6 (also in issues #5579)
Add MIME type and extension validation for file uploads:
Unit Tests
Manual tests