Merge pull request #34 from kucc1997/fix-upload-mime-validation

abhiyandhakal · web-flow · commit fdb398f4e6af · 2026-02-08T08:27:36.000+05:45
fix: validate uploaded file MIME signatures
diff --git a/src/app/api/papers/post.ts b/src/app/api/papers/post.ts
@@ -5,68 +5,101 @@ import { customAlphabet } from "nanoid";
 import path from "path";
 import { writeFile, mkdir } from "fs/promises";
 import { getUploadDir, getUploadPublicBasePath } from "@/lib/upload-path";
+import { detectMimeType } from "@/lib/file-upload-validation";
 
 const UPLOAD_DIR = getUploadDir();
 const UPLOAD_PUBLIC_BASE = getUploadPublicBasePath();
 
 export default async function POST(req: Request) {
-  const formData = await req.formData();
-  const data = parseFormData(formData)
-
-  const paperID = await generateSubmissionId();
+  try {
+    const formData = await req.formData();
+    const data = parseFormData(formData);
+    const fileBuffer = Buffer.from(await data.file.arrayBuffer());
+    const detectedMimeType = detectMimeType(fileBuffer);
+
+    if (detectedMimeType !== "application/pdf") {
+      return Response.json(
+        {
+          success: false,
+          data: "Invalid file type. Please upload a valid PDF file.",
+        },
+        {
+          status: 400,
+        }
+      );
+    }
 
-  // Upload file
-  const uploadDir = path.join(process.cwd(), UPLOAD_DIR, "papers");
-  const filePath = path.join(uploadDir, `${paperID}.pdf`);
+    const paperID = await generateSubmissionId();
+
+    // Upload file
+    const uploadDir = path.join(process.cwd(), UPLOAD_DIR, "papers");
+    const filePath = path.join(uploadDir, `${paperID}.pdf`);
+
+    // Ensure the upload directory exists
+    await mkdir(uploadDir, { recursive: true });
+    await writeFile(filePath, fileBuffer);
+
+    const authorFromDb = await db.select({ id: users.id }).from(users).where(
+      eq(users.email, data.coAuthors?.[0]?.email)
+    );
+    if (authorFromDb.length === 0) {
+      return Response.json(
+        {
+          success: false,
+          data: "First author not registered! Please make sure the email matches with your GitHub's primary email.",
+        },
+        {
+          status: 400,
+        }
+      );
+    }
 
-  // Ensure the upload directory exists
-  await mkdir(uploadDir, { recursive: true });
-  await writeFile(filePath, Buffer.from(await data.file.arrayBuffer()));
+    const paperReturned = await db
+      .insert(papers)
+      .values({
+        title: data.title,
+        abstract: data.abstract,
+        keywords: data.keywords,
+        fileUrl: `${UPLOAD_PUBLIC_BASE}/papers/${paperID}.pdf`,
+        themeId: data.theme,
+        trackType: data.trackType,
+        authorId: authorFromDb[0].id,
+        submissionId: paperID,
+      })
+      .returning({ id: papers.id, submissionId: papers.submissionId });
+
+    await Promise.all(
+      data.coAuthors.map(async (coauthor, index) => {
+        if (index >= 1) {
+          await db.insert(coAuthors).values({
+            name: coauthor.name,
+            email: coauthor.email,
+            paperId: paperReturned[0].id,
+            orcid: coauthor?.orcid,
+            affiliation: coauthor?.affiliation,
+          });
+        }
+      })
+    );
 
-  const authorFromDb = await db.select({ id: users.id }).from(users).where(
-    eq(users.email, data.coAuthors?.[0]?.email)
-  );
-  if (authorFromDb.length === 0) {
     return Response.json({
-      success: false,
-      data: "First author not registered! Please make sure the email matches with your GitHub's primary email."
-    }, {
-      status: 400
-    })
-  }
-
-  const paperReturned = await db
-    .insert(papers)
-    .values({
-      title: data.title,
-      abstract: data.abstract,
-      keywords: data.keywords,
-      fileUrl: `${UPLOAD_PUBLIC_BASE}/papers/${paperID}.pdf`,
-      themeId: data.theme,
-      trackType: data.trackType,
-      authorId: authorFromDb[0].id,
-      submissionId: paperID
-    }).returning({ id: papers.id, submissionId: papers.submissionId })
-
-  await Promise.all(
-    data.coAuthors.map(async (coauthor, index) => {
-      if (index >= 1) {                     // Neglecting the first co-author 
-        await db.insert(coAuthors).values({
-          name: coauthor.name,
-          email: coauthor.email,
-          paperId: paperReturned[0].id,
-          orcid: coauthor?.orcid,
-          affiliation: coauthor?.affiliation
-        })
+      success: true,
+      data: {
+        submissionId: paperReturned[0].submissionId,
+      },
+    });
+  } catch (error) {
+    console.error("Paper submission error:", error);
+    return Response.json(
+      {
+        success: false,
+        data: "Failed to process paper submission.",
+      },
+      {
+        status: 500,
       }
-    })
-  )
-
-  return Response.json({
-    success: true, data: {
-      submissionId: paperReturned[0].submissionId
-    }
-  })
+    );
+  }
 }
 
 async function generateSubmissionId() {
diff --git a/src/app/api/registration/route.ts b/src/app/api/registration/route.ts
@@ -6,6 +6,7 @@ import path from "path"
 import { writeFile, mkdir } from "fs/promises"
 import { sendRegistrationEmail } from "@/lib/mail"
 import { getUploadDir, getUploadPublicBasePath } from "@/lib/upload-path"
+import { detectMimeType, getExtensionForMimeType } from "@/lib/file-upload-validation"
 
 const UPLOAD_DIR = getUploadDir()
 const UPLOAD_PUBLIC_BASE = getUploadPublicBasePath()
@@ -61,13 +62,16 @@ export async function POST(req: Request) {
 		// Upload payment voucher
 		const uploadDir = path.join(process.cwd(), UPLOAD_DIR, "vouchers")
 
-		// Get file extension from the uploaded file
-		const fileExtension = paymentVoucher.name.split('.').pop()?.toLowerCase()
-		if (!fileExtension || !['pdf', 'png', 'jpg', 'jpeg'].includes(fileExtension)) {
+		const voucherBuffer = Buffer.from(await paymentVoucher.arrayBuffer())
+		const detectedMimeType = detectMimeType(voucherBuffer)
+		const fileExtension = detectedMimeType ? getExtensionForMimeType(detectedMimeType) : null
+		const allowedMimeTypes = new Set(["application/pdf", "image/png", "image/jpeg"])
+
+		if (!detectedMimeType || !allowedMimeTypes.has(detectedMimeType) || !fileExtension) {
 			return NextResponse.json(
 				{
 					success: false,
-					data: "Invalid file type. Please upload PDF, PNG, or JPG files only."
+					data: "Invalid file type. Please upload a valid PDF, PNG, or JPG file."
 				},
 				{ status: 400 }
 			)
@@ -77,7 +81,7 @@ export async function POST(req: Request) {
 
 		// Ensure the upload directory exists
 		await mkdir(uploadDir, { recursive: true })
-		await writeFile(filePath, Buffer.from(await paymentVoucher.arrayBuffer()))
+		await writeFile(filePath, voucherBuffer)
 
 		// Insert registration into database
 		const registration = await db.insert(registrations).values({
diff --git a/src/app/api/upload/route.ts b/src/app/api/upload/route.ts
@@ -3,6 +3,11 @@ import { NextRequest, NextResponse } from "next/server";
 import path from "path";
 import { auth } from "@/auth";
 import { getUploadDir, getUploadPublicBasePath } from "@/lib/upload-path";
+import {
+  detectMimeType,
+  getExtensionForMimeType,
+  sanitizeFileStem,
+} from "@/lib/file-upload-validation";
 
 const UPLOAD_DIR = getUploadDir();
 const UPLOAD_PUBLIC_BASE = getUploadPublicBasePath();
@@ -21,34 +26,37 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: "No file provided" }, { status: 400 });
     }
 
-    // Validate file type
-    const allowedTypes = [
+    // Validate file size (10MB max)
+    const maxSize = 10 * 1024 * 1024; // 10MB
+    if (file.size > maxSize) {
+      return NextResponse.json(
+        { error: "File size exceeds 10MB limit" },
+        { status: 400 }
+      );
+    }
+
+    const buffer = Buffer.from(await file.arrayBuffer());
+    const detectedMimeType = detectMimeType(buffer);
+    const fileExtension = detectedMimeType
+      ? getExtensionForMimeType(detectedMimeType)
+      : null;
+    const allowedMimeTypes = new Set([
       "application/pdf",
       "image/jpeg",
-      "image/jpg",
       "image/png",
       "image/webp",
       "image/gif",
-    ];
+    ]);
 
-    if (!allowedTypes.includes(file.type)) {
+    if (!detectedMimeType || !allowedMimeTypes.has(detectedMimeType) || !fileExtension) {
       return NextResponse.json(
-        { error: "Invalid file type. Only PDF and images are allowed." },
+        { error: "Invalid file type. Only PDF and supported image files are allowed." },
         { status: 400 }
       );
     }
 
-    // Validate file size (10MB max)
-    const maxSize = 10 * 1024 * 1024; // 10MB
-    if (file.size > maxSize) {
-      return NextResponse.json(
-        { error: "File size exceeds 10MB limit" },
-        { status: 400 }
-      );
-    }
-
-    const buffer = Buffer.from(await file.arrayBuffer());
-    const filename = `${Date.now()}-${file.name.replace(/\s+/g, "-")}`;
+    const stem = sanitizeFileStem(file.name);
+    const filename = `${Date.now()}-${stem}.${fileExtension}`;
     const uploadDir = path.join(process.cwd(), UPLOAD_DIR, "archive");
     const filepath = path.join(uploadDir, filename);
 
diff --git a/src/lib/file-upload-validation.ts b/src/lib/file-upload-validation.ts
@@ -0,0 +1,55 @@
+const MIME_EXTENSION_MAP: Record<string, string> = {
+  "application/pdf": "pdf",
+  "image/jpeg": "jpg",
+  "image/png": "png",
+  "image/gif": "gif",
+  "image/webp": "webp",
+};
+
+function hasPrefix(buffer: Buffer, bytes: number[]) {
+  return bytes.every((byte, index) => buffer[index] === byte);
+}
+
+export function detectMimeType(buffer: Buffer): string | null {
+  if (buffer.length >= 4 && hasPrefix(buffer, [0x25, 0x50, 0x44, 0x46])) {
+    return "application/pdf";
+  }
+
+  if (
+    buffer.length >= 8 &&
+    hasPrefix(buffer, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])
+  ) {
+    return "image/png";
+  }
+
+  if (buffer.length >= 3 && hasPrefix(buffer, [0xff, 0xd8, 0xff])) {
+    return "image/jpeg";
+  }
+
+  if (buffer.length >= 4 && hasPrefix(buffer, [0x47, 0x49, 0x46, 0x38])) {
+    return "image/gif";
+  }
+
+  if (
+    buffer.length >= 12 &&
+    buffer.subarray(0, 4).toString("ascii") === "RIFF" &&
+    buffer.subarray(8, 12).toString("ascii") === "WEBP"
+  ) {
+    return "image/webp";
+  }
+
+  return null;
+}
+
+export function getExtensionForMimeType(mimeType: string) {
+  return MIME_EXTENSION_MAP[mimeType] || null;
+}
+
+export function sanitizeFileStem(fileName: string) {
+  return fileName
+    .replace(/[\\/]/g, "-")
+    .replace(/\.[^.]+$/, "")
+    .replace(/[^a-zA-Z0-9._-]/g, "-")
+    .replace(/-+/g, "-")
+    .replace(/^-|-$/g, "") || "file";
+}
