fix: Add filetype validation to API #4213
Conversation
|
Removed vultr server and associated DNS entries |
DafyddLlyr
force-pushed
the
dp/file-type-api-restrictions
branch
from
a4307df to
c6cdd3f
Compare
There was a problem hiding this comment.
Solution here looks great, thanks (once again!) for super quick turnaround on audit issues !
One question/consideration (haven't checked pizza yet, can confirm once built!): our API's S3 send module currently also shares the uploadPrivateFile method and expects to be able to upload a JSON - I believe that's going to be blocked now here?
This is a great question and honestly one I hadn't considered. I actually don't think this is an issue however as the restricting in place here just adds middleware to incoming requests to the API to check file extension and file types.
|
There was a problem hiding this comment.
@DafyddLlyr thanks, that makes sense !
Swagger testing works exactly as expected for me here. Let's confirm the S3 question once merged to staging before going to prod (think we need to do it against a real council else we just throw "not enabled for this local authority" error early before upload would happen, but I can flag this to Kev & test this afternoon).
|
Perfect - thanks very much - sounds like a great plan! Will merge to staging once CI complete and we can test there 👍 |
What's the problem?
Described as follows by the pen test -
Currently, we only restrict this via the frontend. Files are sent to Scanii for checking, but are still written to the server first as this rightly points out.
What's the solution?
Add restrictions, using the Multer
fileFilter(docs) to stop the upload of files that don't meet the criteria. I've also added a file size restriction to match the frontend here - not a requirement for the pen test but seemed worthwhile to pick up at the same time.To test