@flusys/nestjs-storage 0.1.0-beta.3 → 1.0.0-rc

package/fesm/services/upload.service.js

@@ -25,25 +25,41 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { BadRequestException, Inject, Injectable, InternalServerErrorException, Logger, NotFoundException, Scope } from '@nestjs/common';
+import { ErrorHandler, validateCompanyOwnership } from '@flusys/nestjs-shared/utils';
+import { BadRequestException, Inject, Injectable, Logger, NotFoundException, Scope } from '@nestjs/common';
 import { StorageConfigService } from '../config';
 import { FileLocationEnum } from '../enums/file-location.enum';
 import { StorageFactoryService } from '../providers/storage-factory.service';
 import { StorageProviderConfigService } from './storage-provider-config.service';
+import { FileValidator } from '../utils/file-validator.util';
 export class UploadService {
     /**
-   * Validate file before upload
+   * Validate file before upload - includes size, type, and content validation.
+   * Uses magic bytes to verify file content matches declared MIME type.
    */ validateFile(file) {
         // Validate file size
         const sizeValidation = this.storageConfigService.validateFileSize(file.size);
         if (!sizeValidation.valid) {
             throw new BadRequestException(sizeValidation.message);
         }
-        // Validate file type
+        // Validate declared file type (MIME)
         const typeValidation = this.storageConfigService.validateFileType(file.mimetype);
         if (!typeValidation.valid) {
             throw new BadRequestException(typeValidation.message);
         }
+        // Validate file content matches declared type (magic bytes check)
+        // This prevents MIME type spoofing attacks
+        const allowedTypes = this.storageConfigService.getAllowedFileTypes();
+        const contentValidation = FileValidator.validateFileContent(file.buffer, file.mimetype, allowedTypes);
+        if (!contentValidation.valid) {
+            this.logger.warn(`File content validation failed: ${contentValidation.message}`, {
+                declaredType: file.mimetype,
+                detectedType: contentValidation.detectedType
+            });
+            throw new BadRequestException(contentValidation.message || 'File content validation failed');
+        }
+        // Sanitize filename to prevent path traversal attacks
+        file.originalname = FileValidator.sanitizeFilename(file.originalname);
     }
     /**
    * Get storage provider and config info based on storage config ID
@@ -57,13 +73,8 @@ export class UploadService {
             if (!config) {
                 throw new NotFoundException('Storage configuration not found');
             }
-            // Validate company ownership if company feature enabled
-            if (this.storageConfigService.isCompanyFeatureEnabled() && user?.companyId) {
-                const configWithCompany = config;
-                if (configWithCompany.companyId && configWithCompany.companyId !== user.companyId) {
-                    throw new BadRequestException('Storage configuration belongs to another company');
-                }
-            }
+            // Validate company ownership using shared utility
+            validateCompanyOwnership(config, user, this.storageConfigService.isCompanyFeatureEnabled(), 'Storage configuration');
             storageConfig = config;
         } else {
             // Use default config (scoped to user's company/branch)
@@ -168,9 +179,9 @@ export class UploadService {
                 location,
                 storageConfigId: configId
             };
-        } catch (err) {
-            this.logger.error('Single file upload failed', err);
-            throw new InternalServerErrorException(err?.message || 'Single file upload failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'uploadSingleFile');
+            ErrorHandler.rethrowError(error);
         }
     }
     async uploadMultipleFiles(files, options, user) {
@@ -187,31 +198,31 @@ export class UploadService {
                     location,
                     storageConfigId: configId
                 }));
-        } catch (err) {
-            this.logger.error('Multiple files upload failed', err);
-            throw new InternalServerErrorException(err?.message || 'Multiple files upload failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'uploadMultipleFiles');
+            ErrorHandler.rethrowError(error);
         }
     }
     async deleteSingleFile(key, storageConfigId, user, locationHint) {
         try {
-            if (!key) throw new Error('No file path provided');
+            if (!key) throw new BadRequestException('No file path provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteFile(key);
             return true;
-        } catch (err) {
-            this.logger.error('Delete single file failed', err);
-            throw new InternalServerErrorException(err?.message || 'Delete single file failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'deleteSingleFile');
+            ErrorHandler.rethrowError(error);
         }
     }
     async deleteMultipleFile(keys, storageConfigId, user, locationHint) {
         try {
-            if (!keys || !keys.length) throw new Error('No file paths provided');
+            if (!keys || !keys.length) throw new BadRequestException('No file paths provided');
             const provider = await this.getStorageProviderForDelete(storageConfigId, user, locationHint);
             await provider.deleteMultipleFiles(keys);
             return true;
-        } catch (err) {
-            this.logger.error('Delete multiple files failed', err);
-            throw new InternalServerErrorException(err?.message || 'Delete multiple files failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'deleteMultipleFiles');
+            ErrorHandler.rethrowError(error);
         }
     }
     bytesToKb(bytes) {
@@ -241,7 +252,8 @@ export class UploadService {
             }
             return null;
         } catch (error) {
-            this.logger.warn(`Failed to get local storage basePath: ${error.message}`);
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger.warn(`Failed to get local storage basePath: ${errorMessage}`);
             return null;
         }
     }
@@ -258,9 +270,9 @@ export class UploadService {
             }
             // For SFTP or other providers without presigned URLs
             return key;
-        } catch (err) {
-            this.logger.error('Generate file URL failed', err);
-            throw new InternalServerErrorException(err?.message || 'Generate file URL failed');
+        } catch (error) {
+            ErrorHandler.logError(this.logger, error, 'makeFileUrl');
+            ErrorHandler.rethrowError(error);
         }
     }
     // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild

package/fesm/utils/file-validator.util.js

@@ -0,0 +1,463 @@
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+import { Logger } from '@nestjs/common';
+/**
+ * Magic byte signatures for common file types.
+ * Each entry maps a hex signature pattern to its MIME type.
+ */ const MAGIC_BYTES = [
+    // Images
+    {
+        signature: [
+            0xff,
+            0xd8,
+            0xff
+        ],
+        offset: 0,
+        mimeType: 'image/jpeg'
+    },
+    {
+        signature: [
+            0x89,
+            0x50,
+            0x4e,
+            0x47,
+            0x0d,
+            0x0a,
+            0x1a,
+            0x0a
+        ],
+        offset: 0,
+        mimeType: 'image/png'
+    },
+    {
+        signature: [
+            0x47,
+            0x49,
+            0x46,
+            0x38,
+            0x37,
+            0x61
+        ],
+        offset: 0,
+        mimeType: 'image/gif'
+    },
+    {
+        signature: [
+            0x47,
+            0x49,
+            0x46,
+            0x38,
+            0x39,
+            0x61
+        ],
+        offset: 0,
+        mimeType: 'image/gif'
+    },
+    {
+        signature: [
+            0x42,
+            0x4d
+        ],
+        offset: 0,
+        mimeType: 'image/bmp'
+    },
+    {
+        signature: [
+            0x52,
+            0x49,
+            0x46,
+            0x46
+        ],
+        offset: 0,
+        mimeType: 'image/webp'
+    },
+    {
+        signature: [
+            0x00,
+            0x00,
+            0x01,
+            0x00
+        ],
+        offset: 0,
+        mimeType: 'image/x-icon'
+    },
+    {
+        signature: [
+            0x00,
+            0x00,
+            0x02,
+            0x00
+        ],
+        offset: 0,
+        mimeType: 'image/x-icon'
+    },
+    // Documents
+    {
+        signature: [
+            0x25,
+            0x50,
+            0x44,
+            0x46
+        ],
+        offset: 0,
+        mimeType: 'application/pdf'
+    },
+    {
+        signature: [
+            0x50,
+            0x4b,
+            0x03,
+            0x04
+        ],
+        offset: 0,
+        mimeType: 'application/zip'
+    },
+    // Audio
+    {
+        signature: [
+            0x49,
+            0x44,
+            0x33
+        ],
+        offset: 0,
+        mimeType: 'audio/mpeg'
+    },
+    {
+        signature: [
+            0xff,
+            0xfb
+        ],
+        offset: 0,
+        mimeType: 'audio/mpeg'
+    },
+    {
+        signature: [
+            0xff,
+            0xfa
+        ],
+        offset: 0,
+        mimeType: 'audio/mpeg'
+    },
+    {
+        signature: [
+            0x4f,
+            0x67,
+            0x67,
+            0x53
+        ],
+        offset: 0,
+        mimeType: 'audio/ogg'
+    },
+    {
+        signature: [
+            0x66,
+            0x4c,
+            0x61,
+            0x43
+        ],
+        offset: 0,
+        mimeType: 'audio/flac'
+    },
+    // Video
+    {
+        signature: [
+            0x00,
+            0x00,
+            0x00,
+            0x1c,
+            0x66,
+            0x74,
+            0x79,
+            0x70
+        ],
+        offset: 0,
+        mimeType: 'video/mp4'
+    },
+    {
+        signature: [
+            0x00,
+            0x00,
+            0x00,
+            0x20,
+            0x66,
+            0x74,
+            0x79,
+            0x70
+        ],
+        offset: 0,
+        mimeType: 'video/mp4'
+    },
+    {
+        signature: [
+            0x1a,
+            0x45,
+            0xdf,
+            0xa3
+        ],
+        offset: 0,
+        mimeType: 'video/webm'
+    },
+    {
+        signature: [
+            0x52,
+            0x49,
+            0x46,
+            0x46
+        ],
+        offset: 0,
+        mimeType: 'video/avi'
+    },
+    // Archives
+    {
+        signature: [
+            0x1f,
+            0x8b
+        ],
+        offset: 0,
+        mimeType: 'application/gzip'
+    },
+    {
+        signature: [
+            0x37,
+            0x7a,
+            0xbc,
+            0xaf,
+            0x27,
+            0x1c
+        ],
+        offset: 0,
+        mimeType: 'application/x-7z-compressed'
+    },
+    {
+        signature: [
+            0x52,
+            0x61,
+            0x72,
+            0x21,
+            0x1a,
+            0x07
+        ],
+        offset: 0,
+        mimeType: 'application/x-rar-compressed'
+    }
+];
+/**
+ * MIME type aliases - types that are equivalent.
+ */ const MIME_ALIASES = {
+    'image/jpeg': [
+        'image/jpg'
+    ],
+    'image/jpg': [
+        'image/jpeg'
+    ],
+    'video/mp4': [
+        'video/quicktime'
+    ],
+    'application/zip': [
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation'
+    ]
+};
+/**
+ * File types that are text-based and don't have magic bytes.
+ * SECURITY NOTE: Dangerous types (HTML, JS, SVG) are excluded as they can contain scripts.
+ * These types require explicit allowlisting and additional content scanning.
+ */ const TEXT_BASED_TYPES = [
+    'text/plain',
+    'text/csv',
+    'text/markdown',
+    'application/json',
+    'application/xml',
+    'application/typescript',
+    'text/css'
+];
+/**
+ * Dangerous text-based types that can execute scripts.
+ * These bypass magic-bytes validation but require explicit allowlisting.
+ */ const DANGEROUS_TEXT_TYPES = [
+    'text/html',
+    'application/javascript',
+    'text/javascript',
+    'image/svg+xml',
+    'application/xhtml+xml'
+];
+/**
+ * Utility class for validating file content using magic bytes.
+ * Prevents file type spoofing by checking actual file content.
+ */ export class FileValidator {
+    /**
+   * Detect file type from buffer using magic bytes.
+   * @param buffer - File buffer to analyze
+   * @returns Detected MIME type or null if unknown
+   */ static detectFileType(buffer) {
+        for (const { signature, offset, mimeType } of MAGIC_BYTES){
+            if (buffer.length < offset + signature.length) continue;
+            let matches = true;
+            for(let i = 0; i < signature.length; i++){
+                if (buffer[offset + i] !== signature[i]) {
+                    matches = false;
+                    break;
+                }
+            }
+            if (matches) {
+                return mimeType;
+            }
+        }
+        return null;
+    }
+    /**
+   * Check if a MIME type is text-based (doesn't have magic bytes).
+   */ static isTextBasedType(mimeType) {
+        return TEXT_BASED_TYPES.some((t)=>mimeType.startsWith(t) || mimeType === t);
+    }
+    /**
+   * Check if a MIME type is a dangerous text type that can execute scripts.
+   */ static isDangerousTextType(mimeType) {
+        return DANGEROUS_TEXT_TYPES.some((t)=>mimeType === t);
+    }
+    /**
+   * Check if two MIME types are compatible (exact match or aliases).
+   */ static mimeTypesMatch(detected, declared) {
+        // Exact match
+        if (detected === declared) return true;
+        // Check aliases
+        const aliases = MIME_ALIASES[detected];
+        if (aliases?.includes(declared)) return true;
+        // Check reverse aliases
+        const reverseAliases = MIME_ALIASES[declared];
+        if (reverseAliases?.includes(detected)) return true;
+        // Check if both are in same category (e.g., both images)
+        const detectedCategory = detected.split('/')[0];
+        const declaredCategory = declared.split('/')[0];
+        // For ZIP-based formats, allow any ZIP-detected file if declared is a ZIP variant
+        if (detected === 'application/zip') {
+            const zipVariants = [
+                'application/vnd.openxmlformats-officedocument',
+                'application/x-zip',
+                'application/x-compressed'
+            ];
+            if (zipVariants.some((v)=>declared.startsWith(v))) {
+                return true;
+            }
+        }
+        return detectedCategory === declaredCategory;
+    }
+    /**
+   * Check if a MIME type is in the allowed list.
+   */ static isTypeAllowed(mimeType, allowedTypes) {
+        // Wildcard allows all
+        if (allowedTypes.includes('*/*')) return true;
+        return allowedTypes.some((allowed)=>{
+            // Category wildcard (e.g., "image/*")
+            if (allowed.endsWith('/*')) {
+                const category = allowed.slice(0, -2);
+                return mimeType.startsWith(category);
+            }
+            return allowed === mimeType;
+        });
+    }
+    /**
+   * Validate file content matches declared MIME type using magic bytes.
+   * @param buffer - File buffer
+   * @param declaredMimeType - MIME type declared by client
+   * @param allowedTypes - List of allowed MIME types/patterns
+   * @returns Validation result
+   */ static validateFileContent(buffer, declaredMimeType, allowedTypes = [
+        '*/*'
+    ]) {
+        try {
+            // Detect actual file type from magic bytes
+            const detectedType = this.detectFileType(buffer);
+            // If no type detected, check if it's a text-based type
+            if (!detectedType) {
+                // Check for dangerous text types first (HTML, JS, SVG)
+                if (this.isDangerousTextType(declaredMimeType)) {
+                    // Only allow dangerous types if explicitly in allowedTypes (not via wildcard)
+                    const explicitlyAllowed = allowedTypes.some((t)=>t === declaredMimeType && t !== '*/*' && !t.endsWith('/*'));
+                    if (!explicitlyAllowed) {
+                        this.logger.warn(`Blocked dangerous file type: ${declaredMimeType} - requires explicit allowlisting`);
+                        return {
+                            valid: false,
+                            detectedType: declaredMimeType,
+                            declaredType: declaredMimeType,
+                            message: `File type "${declaredMimeType}" is potentially dangerous and not explicitly allowed`
+                        };
+                    }
+                    this.logger.warn(`Allowing explicitly permitted dangerous file type: ${declaredMimeType}`);
+                }
+                if (this.isTextBasedType(declaredMimeType)) {
+                    // Safe text-based files don't have magic bytes, trust the declared type
+                    const isAllowed = this.isTypeAllowed(declaredMimeType, allowedTypes);
+                    return {
+                        valid: isAllowed,
+                        detectedType: declaredMimeType,
+                        declaredType: declaredMimeType,
+                        message: isAllowed ? undefined : `File type "${declaredMimeType}" is not allowed`
+                    };
+                }
+                // For binary files without recognized signatures, be cautious
+                this.logger.warn(`Unable to detect file type for declared type: ${declaredMimeType}`);
+                return {
+                    valid: false,
+                    declaredType: declaredMimeType,
+                    message: 'Unable to verify file type. File may be corrupted or unsupported.'
+                };
+            }
+            // Check if detected type matches declared type
+            if (!this.mimeTypesMatch(detectedType, declaredMimeType)) {
+                this.logger.warn(`MIME type mismatch: declared=${declaredMimeType}, detected=${detectedType}`);
+                return {
+                    valid: false,
+                    detectedType,
+                    declaredType: declaredMimeType,
+                    message: `File content does not match declared type. Detected: ${detectedType}, Declared: ${declaredMimeType}`
+                };
+            }
+            // Check if detected type is allowed
+            if (!this.isTypeAllowed(detectedType, allowedTypes)) {
+                return {
+                    valid: false,
+                    detectedType,
+                    declaredType: declaredMimeType,
+                    message: `File type "${detectedType}" is not allowed`
+                };
+            }
+            return {
+                valid: true,
+                detectedType,
+                declaredType: declaredMimeType
+            };
+        } catch (error) {
+            this.logger.error('File validation error:', error);
+            return {
+                valid: false,
+                message: 'File validation failed'
+            };
+        }
+    }
+    /**
+   * Sanitize filename to prevent path traversal and special character issues.
+   * @param filename - Original filename
+   * @returns Sanitized filename
+   */ static sanitizeFilename(filename) {
+        return filename// Remove path components (prevent traversal)
+        .replace(/^.*[\\\/]/, '')// Remove null bytes
+        .replace(/\0/g, '')// Replace multiple dots with single
+        .replace(/\.{2,}/g, '.')// Remove special characters except allowed ones
+        .replace(/[^a-zA-Z0-9._-]/g, '_')// Limit length
+        .substring(0, 255);
+    }
+}
+_define_property(FileValidator, "logger", new Logger(FileValidator.name));

package/fesm/utils/image-compressor.util.js

@@ -107,9 +107,7 @@ const sharp = sharpModule.default || sharpModule;
                 buffer: data,
                 format: `image/${targetFormat}`
             };
-        } catch (error) {
-            // Fallback to original if processing fails
-            console.warn(`Image processing failed: ${error instanceof Error ? error.message : String(error)}`);
+        } catch  {
             return {
                 buffer,
                 format: mimetype

package/interfaces/file-manager.interface.d.ts

@@ -3,12 +3,15 @@ export interface IFileManager extends IIdentity {
     name?: string;
     key?: string;
     url?: string;
-    folder?: number;
-    size?: number;
-    expiresAt?: number;
+    folder?: {
+        id: string;
+        name?: string;
+    } | null;
+    size?: string;
+    expiresAt?: number | null;
     contentType?: string;
     location?: string;
-    storageConfigId?: string;
+    storageConfigId?: string | null;
     providerName?: string;
     isPrivate?: boolean;
     companyId?: string | null;

package/interfaces/index.d.ts

@@ -1,5 +1,4 @@
 export * from './file-manager.interface';
-export * from './file-upload-response.interface';
 export * from './folder.interface';
 export * from './storage-config.interface';
 export * from './storage-module-options.interface';

package/interfaces/storage-config.interface.d.ts

@@ -4,25 +4,7 @@ export interface IStorageConfig extends IIdentity {
     name: string;
     storage: FileLocationEnum;
     config: Record<string, any>;
+    isActive: boolean;
+    isDefault: boolean;
     companyId?: string | null;
 }
-export interface IAwsS3Config {
-    region: string;
-    bucket: string;
-    accessKeyId: string;
-    secretAccessKey: string;
-    endpoint?: string;
-}
-export interface IAzureBlobConfig {
-    accountName: string;
-    accountKey: string;
-    containerName: string;
-}
-export interface ISftpConfig {
-    host: string;
-    port: number;
-    username: string;
-    password?: string;
-    privateKey?: string;
-    basePath: string;
-}