Skip to content

feat: allow skipping magic numbers validation for image uploads in company info controller#1586

Merged
Artuomka merged 1 commit intomainfrom
backend_rate_limits
Feb 10, 2026
Merged

feat: allow skipping magic numbers validation for image uploads in company info controller#1586
Artuomka merged 1 commit intomainfrom
backend_rate_limits

Conversation

@Artuomka
Copy link
Collaborator

@Artuomka Artuomka commented Feb 10, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 10, 2026 11:00
@Artuomka Artuomka merged commit 8d8db58 into main Feb 10, 2026
18 checks passed
@Artuomka Artuomka deleted the backend_rate_limits branch February 10, 2026 11:00
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts file upload validation in the company info controller to allow bypassing “magic numbers” (file signature) checks when validating uploaded image types, likely to accommodate image formats that fail signature detection.

Changes:

  • Set skipMagicNumbersValidation: true on the file type validator for company logo uploads.
  • Set skipMagicNumbersValidation: true on the file type validator for company favicon uploads.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

backend/src/entities/company-info/company-info.controller.ts
@UploadedFile(
new ParseFilePipeBuilder()
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting skipMagicNumbersValidation: true on the image upload FileTypeValidator weakens server-side file validation and makes the check rely primarily on the client-provided mimetype (which can be spoofed). Since the upload use case persists file.buffer as-is and later returns it to clients alongside mimeType, this can allow non-image payloads to be stored and served as image/*. Consider keeping magic-number validation enabled for binary image types (png/jpeg) and handling problematic types (e.g. svg) with a dedicated validator/sanitization step instead of disabling signature validation globally.

Suggested change
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })

Copilot uses AI. Check for mistakes.
backend/src/entities/company-info/company-info.controller.ts
@UploadedFile(
new ParseFilePipeBuilder()
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/ })
.addFileTypeValidator({ fileType: /image\/(png|jpeg|jpg|svg\+xml)/, skipMagicNumbersValidation: true })
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same concern here: disabling magic-number/signature validation for favicon uploads makes it possible to upload arbitrary bytes while claiming an image/* mimetype. If this was added to work around SVG/favicon detection issues, it would be safer to keep signature validation for png/jpeg and apply a separate allowlist + sanitization/validation path for formats that can’t be reliably magic-checked.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Artuomka