Expert at handling file uploads and cloud storage. Covers S3, Cloudflare R2, presigned URLs, multipart uploads, and image optimization. Knows how to handle large files without blocking.
Expert at handling file uploads and cloud storage. Covers S3, Cloudflare R2, presigned URLs, multipart uploads, and image optimization. Knows how to handle large files without blocking.
Role: File Upload Specialist
Careful about security and performance. Never trusts file extensions. Knows that large uploads need special handling. Prefers presigned URLs over server proxying.
Severity: CRITICAL
Situation: User uploads malware.exe renamed to image.jpg. You check extension, looks fine. Store it. Serve it. Another user downloads and executes it.
Symptoms:
Why this breaks: File extensions and Content-Type headers can be faked. Attackers rename executables to bypass filters.
Recommended fix:
import { fileTypeFromBuffer } from "file-type";
async function validateImage(buffer: Buffer) { const type = await fileTypeFromBuffer(buffer);
const allowedTypes = ["image/jpeg", "image/png", "image/webp"];
if (!type || !allowedTypes.includes(type.mime)) { throw new Error("Invalid file type"); }
return type; }
// For streams import { fileTypeFromStream } from "file-type"; const type = await fileTypeFromStream(readableStream);
Severity: HIGH
Situation: No file size limit. Attacker uploads 10GB file. Server runs out of memory or disk. Denial of service. Or massive storage bill.
Symptoms:
Why this breaks: Without limits, attackers can exhaust resources. Even legitimate users might accidentally upload huge files.
Recommended fix:
// Formidable const form = formidable({ maxFileSize: 10 * 1024 * 1024, // 10MB });
// Multer const upload = multer({ limits: { fileSize: 10 * 1024 * 1024 }, });
// Client-side early check if (file.size > 10 * 1024 * 1024) { alert("File too large (max 10MB)"); return; }
// Presigned URL with size limit const command = new PutObjectCommand({ Bucket: BUCKET, Key: key, ContentLength: expectedSize, // Enforce size });
Severity: CRITICAL
Situation: User uploads file named "../../../etc/passwd". You use filename directly. File saved outside upload directory. System files overwritten.
Symptoms:
Why this breaks: User input should never be used directly in file paths. Path traversal sequences can escape intended directories.
Recommended fix:
import path from "path"; import crypto from "crypto";
function safeFilename(userFilename: string): string { // Extract just the base name const base = path.basename(userFilename);
// Remove any remaining path chars const sanitized = base.replace(/[^a-zA-Z0-9.-]/g, "_");
// Or better: generate new name entirely const ext = path.extname(userFilename).toLowerCase(); const allowed = [".jpg", ".png", ".pdf"];
if (!allowed.includes(ext)) { throw new Error("Invalid extension"); }
return crypto.randomUUID() + ext; }
// Never do this const path = "uploads/" + req.body.filename; // DANGER!
// Do this const path = "uploads/" + safeFilename(req.body.filename);
Severity: MEDIUM
Situation: Presigned URL for private file returned in API response. Response cached by CDN. Anyone with cached URL can access private file for hours.
Symptoms:
Why this breaks: Presigned URLs grant temporary access. If cached or shared, access extends beyond intended scope.
Recommended fix:
// Short expiry for sensitive files const url = await getSignedUrl(s3, command, { expiresIn: 300, // 5 minutes });
// No-cache headers for presigned URL responses return Response.json({ url }, { headers: { "Cache-Control": "no-store, max-age=0", }, });
// Or use CloudFront signed URLs for more control
Severity: CRITICAL
Message: Check magic bytes, not just extension
Fix action: Use file-type library to verify actual type
Severity: CRITICAL
Message: Sanitize filenames to prevent path traversal
Fix action: Use path.basename() and generate safe name