NestJS Unleashed
  • Introduction
    • Prerequisites
    • Necessary tools
    • Upgrading packages (ncu)
      • NestJS v9 -> v10
      • NestJS v10 -> v11
    • UPDATES
      • 1.1
      • 1.2
  • Core module - Backend Development with NestJS
    • Project creation
    • Basic configuration
    • User entity
    • Validation
      • Basic validation
      • More specific validation
      • Validation pipe options
      • Id validation
      • Options dedicated file
    • Database creation with Docker
    • TypeORM Integration
      • Database connection
      • Entity mapping
      • Migrations
      • Repository pattern
    • Pagination
    • DTO Limitations
    • Decorator composition
    • Configuration
      • Environment variables
      • Availability and validation
      • Using the variables
      • Configuration namespace and partial registration
      • Reducing boilerplate
      • Further improvements
        • Env vars in main file
        • Generating database url in codebase
    • Remaining domain
      • Entities
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Entity validation
          • Nested validation
          • Function overload
        • Order
        • Exposing get fields
        • Payment
    • Seeding
  • Closing
  • Improvements/Tips module
    • Improvements
      • Soft delete
        • Fix - Boolean casting
        • Soft delete
        • Recover
      • Password validation
        • Regex pattern
        • Custom validator
        • Multiple validations
    • Tips
      • CORS
      • Helmet
      • UUID
  • Extra module 1 - Authentication/Authorization
    • Password hashing
      • Basic solution
      • Abstract service
      • Event listener
    • Excluding password
    • Authentication
      • Local strategy
      • Request user decorator
      • Request user interface
      • Validation middleware
      • JWT strategy
      • Public routes
    • Authorization
      • Role
      • Insert admin migration
      • Assign role route
      • Storing role in request user
      • Requiring permissions
      • Forbid empty arrays
      • More authorization checks
    • Rate limiting
    • Fix - Recover route
  • Extra module 2 - Exception Filters
    • NotFound exception filter
      • Filter basic structure
      • Error structure
      • Extracting message data
      • Response setup
    • Database exception filter
      • Basic setup
      • Creating error data
      • Last steps
  • Extra module 3 - OpenAPI Specification
    • Base document
    • Swagger CLI plugin
    • Swagger mapped types
    • Detecting optional fields
    • File name suffixes
    • Comments introspection
    • Api decorators
    • Enabling authentication
    • Discovery service
    • Limitation - Innacurate response schema
  • Extra module 4 - File Management
    • Basic file route
    • File validation
      • Validating size and extensions
      • Factory function for file validators
      • Fix - Converting file types to media types
      • Accepting file array
      • Validating file signature
    • File logic
      • Storage service
      • More util methods
      • Product-related logic
        • Controller routes
        • Service logic
        • Fetching products with filenames
      • Serve static
    • More features
      • Files exception filter
      • Documenting files routes
      • Tip - Extract body from multipart formdata
  • Extra module 5 - Advanced Querying
    • Pagination
      • Find and count
      • Querying structure
      • Metadata field
      • Documenting paginated responses
    • Filtering and sorting
      • DTO Orchestration
      • Everything at once
      • Encapsulating text filter
      • Filter operators
  • Extra module 6 - Automated Testing
    • Jest configuration
    • Simple resource
    • Unit tests
      • Some theory & First test
      • Mocks
      • Remaining service tests
      • Controller tests
    • e2e tests
      • Better test readability
      • Simulated environment
      • Testing entire flows
  • Parallel module - Prisma
    • Integration with Prisma/Docker
    • User model
    • User logic
    • Error Handling
    • Remaining domain
      • Models
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Order
        • Payment
    • Seeding
    • Tip - Serialization
  • Further Improvements
    • More validations
    • Sending emails
    • Health checks
    • Cron jobs
Powered by GitBook
On this page
  1. Extra module 4 - File Management
  2. File validation

Validating file signature

Prevent file type tampering.

Before ending this section and going to the actual file logic, let's just make a final improvement to validation. Even though we are validating a file's extension, someone may create a malicious file and manually alter its extension, and our system would accept it. Obviously this is not interesting at all. We may mitigate this problem by also validating the file signature (also known as magic number or magic bytes), which corresponds to a file's first bytes, identifying its type. They remain unchanged even if the extension is manually altered, for example.

To begin, let's install the library magic-bytes, which allows to obtain a file's signature.

yarn add magic-bytes.js

What we'll do now is to create a new, custom FileValidator. This time, it will be created from scratch. So, begin by creating the file validators -> file-signature.validator. Here, we should create a class that extends the FileValidator. We then get this class signature:

export class FileSignatureValidator extends FileValidator {}

First, let's implement the method that generates the error message.

buildErrorMessage() {
  return 'Validation failed (file type does not match file signature)';
}

Then, import the magic-bytes library like the following (requires manual importing):

import magicBytes from 'magic-bytes.js';

Now, implement the isValid() method. Here, we perform these steps:

  • The fileSignatures are obtained from the file's buffer (More than one signature may be present, that's why an array is returned)

  • It is checked if any signature is obtained, as some file types don't have one, such as txt files

  • It is verified if the file's signature matches its extension

isValid(file: File) {
  const fileSignatures = magicBytes(file.buffer).map((file) => file.mime);
  if (!fileSignatures.length) return false;

  const isMatch = fileSignatures.includes(file.mimetype);
  if (!isMatch) return false;

  return true;
}

We have concluded our validator. Go back to the createFileValidators() function and include it in its return.

new FileSignatureValidator()

However, notice that it requires an options object, even if no options will be used. This is due to the FileValidator constructor. To avoid instantiating it like this, we may go back to the file-signature.validator file and define a constructor with no parameters that simply calls the constructor of the superclass while passing this empty options object.

constructor() {
  super({});
}

Excellent, now if the file's extension is accepted, its signature will also be checked, to determine if it matches the extension.

Commit - Validating file signature

PreviousAccepting file arrayNextFile logic

Last updated 2 months ago