From 3d265a12d8a49d8b8539f4355192ec1bc2ffd612 Mon Sep 17 00:00:00 2001
From: deacon <marksoccerman1@aol.com>
Date: Sun, 15 Mar 2026 13:21:21 -0400
Subject: [PATCH 1/3] fix: add magic-byte and extension validation to
 payload_api POST

Block dangerous file types (PHP, JSP, ASPX) and restrict extensions.
---
 app/api/v2/handlers/payload_api.py        | 32 +++++++++++++++++
 tests/security/test_payload_validation.py | 43 +++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 tests/security/test_payload_validation.py

diff --git a/app/api/v2/handlers/payload_api.py b/app/api/v2/handlers/payload_api.py
index 1b034a332..28f62c5da 100644
--- a/app/api/v2/handlers/payload_api.py
+++ b/app/api/v2/handlers/payload_api.py
@@ -13,6 +13,31 @@
     PayloadDeleteRequestSchema
 
 
+ALLOWED_EXTENSIONS = [
+    '.ps1', '.sh', '.py', '.exe', '.elf', '.bat', '.vbs', '.js', '.go', '.c',
+    '.zip', '.tar', '.gz', '.dll', '.bin', '.yaml', '.yml', '.txt', '.json',
+]
+
+DANGEROUS_MAGIC_BYTES = [
+    b'<?php', b'<%@', b'<%!', b'<%@ Page',
+]
+
+
+def _validate_payload_file(filename, file_content_start):
+    """Validate payload filename extension and magic bytes.
+    Returns (is_valid, error_message).
+    """
+    if '\x00' in filename:
+        return False, 'Null byte detected in filename'
+    ext = os.path.splitext(filename)[1].lower()
+    if ext and ext not in ALLOWED_EXTENSIONS:
+        return False, f'File extension not allowed: {ext}'
+    for magic in DANGEROUS_MAGIC_BYTES:
+        if file_content_start.startswith(magic):
+            return False, f'Dangerous file signature detected'
+    return True, ''
+
+
 class PayloadApi(BaseApi):
     def __init__(self, services):
         super().__init__(auth_svc=services['auth_svc'])
@@ -70,6 +95,13 @@ async def post_payloads(self, request: web.Request):
         # accessing the file using the prefilled request["form"] dictionary.
         file_field: web.FileField = request["form"]["file"]
 
+        # Validate filename and magic bytes
+        first_bytes = file_field.file.read(16)
+        file_field.file.seek(0)
+        is_valid, error_msg = _validate_payload_file(file_field.filename, first_bytes)
+        if not is_valid:
+            raise web.HTTPBadRequest(text=error_msg)
+
         # Sanitize the file name to prevent directory traversal
         sanitized_filename = self.sanitize_filename(file_field.filename)
 
diff --git a/tests/security/test_payload_validation.py b/tests/security/test_payload_validation.py
new file mode 100644
index 000000000..e97c9da54
--- /dev/null
+++ b/tests/security/test_payload_validation.py
@@ -0,0 +1,43 @@
+import unittest
+import os
+import sys
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', '..'))
+
+
+class TestPayloadValidation(unittest.TestCase):
+    def test_valid_extension(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, _ = _validate_payload_file('test.ps1', b'\x00\x00\x00\x00')
+        self.assertTrue(ok)
+
+    def test_invalid_extension(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, msg = _validate_payload_file('test.php', b'normal content')
+        self.assertFalse(ok)
+        self.assertIn('extension', msg.lower())
+
+    def test_dangerous_magic_bytes_php(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, msg = _validate_payload_file('test.txt', b'<?php echo "hi";')
+        self.assertFalse(ok)
+        self.assertIn('Dangerous', msg)
+
+    def test_dangerous_magic_bytes_jsp(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, msg = _validate_payload_file('test.txt', b'<%@ page import')
+        self.assertFalse(ok)
+
+    def test_null_byte_in_filename(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, msg = _validate_payload_file('test\x00.txt', b'safe')
+        self.assertFalse(ok)
+        self.assertIn('Null byte', msg)
+
+    def test_no_extension_is_allowed(self):
+        from app.api.v2.handlers.payload_api import _validate_payload_file
+        ok, _ = _validate_payload_file('myagent', b'\x7fELF')
+        self.assertTrue(ok)
+
+
+if __name__ == '__main__':
+    unittest.main()

From 8e4bfed9fc8fa5c3592e3c5e3489c9b8dd12a396 Mon Sep 17 00:00:00 2001
From: deacon <marksoccerman1@aol.com>
Date: Mon, 16 Mar 2026 00:55:24 -0400
Subject: [PATCH 2/3] fix: address Copilot review feedback on
 payload-magic-byte-validation

- Convert ALLOWED_EXTENSIONS list to frozenset for O(1) lookup and immutability
- Remove redundant b'<%@ Page' magic bytes entry (b'<%@' already covers it)
- Sanitize filename before validation so extension/null-byte checks use the
  same name that will be used for storage, closing potential bypass gap
- Remove sys.path.insert() from test file; import module directly
- Remove __main__ runner block from test module
- Add test confirming b'<%@ Page' is still rejected through b'<%@' prefix match
---
 app/api/v2/handlers/payload_api.py        | 19 +++++++++++--------
 tests/security/test_payload_validation.py | 18 ++++++------------
 2 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/app/api/v2/handlers/payload_api.py b/app/api/v2/handlers/payload_api.py
index 28f62c5da..c579b9ebf 100644
--- a/app/api/v2/handlers/payload_api.py
+++ b/app/api/v2/handlers/payload_api.py
@@ -13,13 +13,14 @@
     PayloadDeleteRequestSchema
 
 
-ALLOWED_EXTENSIONS = [
+ALLOWED_EXTENSIONS = frozenset([
     '.ps1', '.sh', '.py', '.exe', '.elf', '.bat', '.vbs', '.js', '.go', '.c',
     '.zip', '.tar', '.gz', '.dll', '.bin', '.yaml', '.yml', '.txt', '.json',
-]
+])
 
+# b'<%@ Page' is redundant because b'<%@' already matches it via startswith().
 DANGEROUS_MAGIC_BYTES = [
-    b'<?php', b'<%@', b'<%!', b'<%@ Page',
+    b'<?php', b'<%@', b'<%!',
 ]
 
 
@@ -95,16 +96,18 @@ async def post_payloads(self, request: web.Request):
         # accessing the file using the prefilled request["form"] dictionary.
         file_field: web.FileField = request["form"]["file"]
 
-        # Validate filename and magic bytes
+        # Sanitize the filename first so validation uses the same name that
+        # will be used for storage, preventing discrepancies if sanitization
+        # changes the extension or structure.
+        sanitized_filename = self.sanitize_filename(file_field.filename)
+
+        # Validate sanitized filename and magic bytes.
         first_bytes = file_field.file.read(16)
         file_field.file.seek(0)
-        is_valid, error_msg = _validate_payload_file(file_field.filename, first_bytes)
+        is_valid, error_msg = _validate_payload_file(sanitized_filename, first_bytes)
         if not is_valid:
             raise web.HTTPBadRequest(text=error_msg)
 
-        # Sanitize the file name to prevent directory traversal
-        sanitized_filename = self.sanitize_filename(file_field.filename)
-
         # Generate the file name and path
         file_name, file_path = await self.__generate_file_name_and_path(sanitized_filename)
 
diff --git a/tests/security/test_payload_validation.py b/tests/security/test_payload_validation.py
index e97c9da54..033f0e864 100644
--- a/tests/security/test_payload_validation.py
+++ b/tests/security/test_payload_validation.py
@@ -1,43 +1,37 @@
 import unittest
-import os
-import sys
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', '..'))
+
+from app.api.v2.handlers.payload_api import _validate_payload_file
 
 
 class TestPayloadValidation(unittest.TestCase):
     def test_valid_extension(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, _ = _validate_payload_file('test.ps1', b'\x00\x00\x00\x00')
         self.assertTrue(ok)
 
     def test_invalid_extension(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, msg = _validate_payload_file('test.php', b'normal content')
         self.assertFalse(ok)
         self.assertIn('extension', msg.lower())
 
     def test_dangerous_magic_bytes_php(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, msg = _validate_payload_file('test.txt', b'<?php echo "hi";')
         self.assertFalse(ok)
         self.assertIn('Dangerous', msg)
 
     def test_dangerous_magic_bytes_jsp(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, msg = _validate_payload_file('test.txt', b'<%@ page import')
         self.assertFalse(ok)
 
     def test_null_byte_in_filename(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, msg = _validate_payload_file('test\x00.txt', b'safe')
         self.assertFalse(ok)
         self.assertIn('Null byte', msg)
 
     def test_no_extension_is_allowed(self):
-        from app.api.v2.handlers.payload_api import _validate_payload_file
         ok, _ = _validate_payload_file('myagent', b'\x7fELF')
         self.assertTrue(ok)
 
-
-if __name__ == '__main__':
-    unittest.main()
+    def test_redundant_asp_page_signature_still_blocked(self):
+        """b'<%@ Page' must still be rejected because b'<%@' prefix matches it."""
+        ok, _ = _validate_payload_file('test.txt', b'<%@ Page Language')
+        self.assertFalse(ok)

From c9868fd09897a72886265750bed0d20b9d392605 Mon Sep 17 00:00:00 2001
From: deacon <marksoccerman1@aol.com>
Date: Mon, 16 Mar 2026 09:58:20 -0400
Subject: [PATCH 3/3] Use case-insensitive assertion for magic byte error
 message

The assertion was case-sensitive and coupled to exact capitalization
of the error message. Use msg.lower() to make the test stable
against formatting changes.
---
 tests/security/test_payload_validation.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/security/test_payload_validation.py b/tests/security/test_payload_validation.py
index 033f0e864..9b856ee13 100644
--- a/tests/security/test_payload_validation.py
+++ b/tests/security/test_payload_validation.py
@@ -16,7 +16,7 @@ def test_invalid_extension(self):
     def test_dangerous_magic_bytes_php(self):
         ok, msg = _validate_payload_file('test.txt', b'<?php echo "hi";')
         self.assertFalse(ok)
-        self.assertIn('Dangerous', msg)
+        self.assertIn('dangerous', msg.lower())
 
     def test_dangerous_magic_bytes_jsp(self):
         ok, msg = _validate_payload_file('test.txt', b'<%@ page import')