npm - @strapi/upload - Versions diffs - 5.30.1 → 5.31.1 - Mend

@strapi/upload 5.30.1 → 5.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/dist/server/utils/mime-validation.js ADDED Viewed

@@ -0,0 +1,222 @@
+'use strict';
+var promises = require('node:fs/promises');
+var utils = require('@strapi/utils');
+async function readFileChunk(filePath, chunkSize = 4100) {
+    const buffer = await promises.readFile(filePath);
+    return buffer.length > chunkSize ? buffer.subarray(0, chunkSize) : buffer;
+}
+async function detectMimeType(file) {
+    let buffer;
+    const filePath = file.path || file.filepath || file.tempFilePath;
+    if (filePath) {
+        try {
+            buffer = await readFileChunk(filePath, 4100);
+        } catch (error) {
+            throw new Error(`Failed to read file: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    } else if (file.buffer) {
+        buffer = file.buffer.length > 4100 ? file.buffer.subarray(0, 4100) : file.buffer;
+    } else {
+        // No file data available
+        return undefined;
+    }
+    try {
+        /**
+     * Use dynamic import to support file-type which is ESM-only
+     * Static imports fail during CommonJS build since bundler can't transform ESM-only packages
+     * @see https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c
+     */ const { fileTypeFromBuffer } = await import('file-type');
+        const result = await fileTypeFromBuffer(new Uint8Array(buffer));
+        return result?.mime;
+    } catch (error) {
+        throw new Error(`Failed to detect MIME type: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function matchesMimePattern(mimeType, patterns) {
+    if (!patterns?.length) return false;
+    return patterns.some((pattern)=>{
+        const normalizedPattern = pattern.toLowerCase();
+        const normalizedMimeType = mimeType.toLowerCase();
+        if (normalizedPattern.includes('*')) {
+            const regexPattern = normalizedPattern.replace(/\*/g, '.*');
+            const regex = new RegExp(`^${regexPattern}$`);
+            const matches = regex.test(normalizedMimeType);
+            return matches;
+        }
+        const exactMatch = normalizedPattern === normalizedMimeType;
+        return exactMatch;
+    });
+}
+function isMimeTypeAllowed(mimeType, config) {
+    const { allowedTypes, deniedTypes } = config;
+    if (!mimeType) return false;
+    if (deniedTypes?.length && matchesMimePattern(mimeType, deniedTypes)) {
+        return false;
+    }
+    if (allowedTypes?.length) {
+        return matchesMimePattern(mimeType, allowedTypes);
+    }
+    return true;
+}
+function extractFileInfo(file) {
+    const fileName = file.originalFilename || file.name || file.filename || file.newFilename || 'unknown';
+    const declaredMimeType = file.mimetype || file.type || file.mimeType || file.mime || '';
+    return {
+        fileName,
+        declaredMimeType
+    };
+}
+async function validateFile(file, config, strapi) {
+    const { allowedTypes, deniedTypes } = config;
+    if (!allowedTypes && !deniedTypes) {
+        return {
+            isValid: true
+        };
+    }
+    const { fileName, declaredMimeType } = extractFileInfo(file);
+    let detectedMime;
+    let mimeDetectionFailed = false;
+    try {
+        detectedMime = await detectMimeType(file);
+    } catch (error) {
+        mimeDetectionFailed = true;
+        strapi.log.warn('Failed to detect MIME type from file', {
+            fileName,
+            error: error instanceof Error ? error.message : String(error)
+        });
+    }
+    const mimeToValidate = detectedMime || declaredMimeType;
+    if (!detectedMime && (declaredMimeType === 'application/octet-stream' || !declaredMimeType || mimeDetectionFailed)) {
+        if (allowedTypes?.length || deniedTypes?.length) {
+            return {
+                isValid: false,
+                error: {
+                    code: 'MIME_TYPE_NOT_ALLOWED',
+                    message: `Cannot verify file type for security reasons`,
+                    details: {
+                        fileName,
+                        reason: 'Unable to detect MIME type from file content',
+                        declaredType: declaredMimeType,
+                        mimeDetectionFailed
+                    }
+                }
+            };
+        }
+    }
+    if (mimeToValidate && (allowedTypes || deniedTypes) && !isMimeTypeAllowed(mimeToValidate, config)) {
+        return {
+            isValid: false,
+            error: {
+                code: 'MIME_TYPE_NOT_ALLOWED',
+                message: `File type '${mimeToValidate}' is not allowed`,
+                details: {
+                    fileName,
+                    detectedType: detectedMime,
+                    declaredType: declaredMimeType,
+                    finalType: mimeToValidate,
+                    allowedTypes,
+                    deniedTypes
+                }
+            }
+        };
+    }
+    return {
+        isValid: true
+    };
+}
+async function validateFiles(files, strapi) {
+    const filesArray = Array.isArray(files) ? files : [
+        files
+    ];
+    if (!filesArray.length) {
+        return [];
+    }
+    const config = strapi.config.get('plugin::upload.security', {});
+    if (config.allowedTypes && (!Array.isArray(config.allowedTypes) || !config.allowedTypes.every((item)=>typeof item === 'string'))) {
+        throw new utils.errors.ApplicationError('Invalid configuration: allowedTypes must be an array of strings.');
+    }
+    if (config.deniedTypes && (!Array.isArray(config.deniedTypes) || !config.deniedTypes.every((item)=>typeof item === 'string'))) {
+        throw new utils.errors.ApplicationError('Invalid configuration: deniedTypes must be an array of strings.');
+    }
+    if (!config.allowedTypes && !config.deniedTypes) {
+        strapi.log.warn('No upload security configuration found. Consider configuring plugin.upload.security for enhanced file validation.');
+        return filesArray.map(()=>({
+                isValid: true
+            }));
+    }
+    const validationPromises = filesArray.map(async (file, index)=>{
+        try {
+            return await validateFile(file, config, strapi);
+        } catch (error) {
+            strapi.log.error('Unexpected error during file validation', {
+                fileIndex: index,
+                fileName: file?.name || file?.originalname,
+                error: error instanceof Error ? error.message : String(error)
+            });
+            return {
+                isValid: false,
+                error: {
+                    code: 'VALIDATION_ERROR',
+                    message: `Validation failed for file at index ${index}`,
+                    details: {
+                        index,
+                        fileName: file?.name || file?.originalname,
+                        originalError: error instanceof Error ? error.message : String(error)
+                    }
+                }
+            };
+        }
+    });
+    return Promise.all(validationPromises);
+}
+async function enforceUploadSecurity(files, strapi) {
+    const validationResults = await validateFiles(files, strapi);
+    const filesArray = Array.isArray(files) ? files : [
+        files
+    ];
+    const validFiles = [];
+    const validFileNames = [];
+    const errors = [];
+    for (const [index, result] of validationResults.entries()){
+        if (result.isValid) {
+            const file = filesArray[index];
+            validFiles.push(file);
+            validFileNames.push(file.originalFilename || file.name);
+        } else if (result.error) {
+            errors.push({
+                file: filesArray[index],
+                originalIndex: index,
+                error: result.error
+            });
+        } else {
+            // Handle case where validation failed but no error details are provided
+            errors.push({
+                file: filesArray[index],
+                originalIndex: index,
+                error: {
+                    code: 'UNKNOWN_ERROR',
+                    message: 'File validation failed for unknown reason',
+                    details: {
+                        index,
+                        fileName: filesArray[index]?.name || filesArray[index]?.originalname
+                    }
+                }
+            });
+        }
+    }
+    return {
+        validFiles,
+        validFileNames,
+        errors
+    };
+}
+exports.detectMimeType = detectMimeType;
+exports.enforceUploadSecurity = enforceUploadSecurity;
+exports.extractFileInfo = extractFileInfo;
+exports.isMimeTypeAllowed = isMimeTypeAllowed;
+exports.validateFile = validateFile;
+exports.validateFiles = validateFiles;
+//# sourceMappingURL=mime-validation.js.map

package/dist/server/utils/mime-validation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mime-validation.js","sources":["../../../server/src/utils/mime-validation.ts"],"sourcesContent":["import { readFile } from 'node:fs/promises';\nimport type { Core } from '@strapi/types';\nimport { errors } from '@strapi/utils';\n\nexport type SecurityConfig = {\n allowedTypes?: string[];\n deniedTypes?: string[];\n};\ntype UploadValidationError = {\n code: 'MIME_TYPE_NOT_ALLOWED' | 'VALIDATION_ERROR' | 'UNKNOWN_ERROR';\n message: string;\n details: Record<string, any>;\n};\n\ntype ValidationResult = {\n isValid: boolean;\n error?: UploadValidationError;\n};\n\ntype ErrorDetail = {\n file: any;\n originalIndex: number;\n error: UploadValidationError;\n};\n\nasync function readFileChunk(filePath: string, chunkSize: number = 4100): Promise<Buffer> {\n const buffer = await readFile(filePath);\n return buffer.length > chunkSize ? buffer.subarray(0, chunkSize) : buffer;\n}\n\nexport async function detectMimeType(file: any): Promise<string | undefined> {\n let buffer: Buffer;\n\n const filePath = file.path || file.filepath || file.tempFilePath;\n\n if (filePath) {\n try {\n buffer = await readFileChunk(filePath, 4100);\n } catch (error) {\n throw new Error(\n `Failed to read file: ${error instanceof Error ? error.message : String(error)}`\n );\n }\n } else if (file.buffer) {\n buffer = file.buffer.length > 4100 ? file.buffer.subarray(0, 4100) : file.buffer;\n } else {\n // No file data available\n return undefined;\n }\n\n try {\n /**\n * Use dynamic import to support file-type which is ESM-only\n * Static imports fail during CommonJS build since bundler can't transform ESM-only packages\n * @see https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c\n */\n const { fileTypeFromBuffer } = await import('file-type');\n\n const result = await fileTypeFromBuffer(new Uint8Array(buffer));\n return result?.mime;\n } catch (error) {\n throw new Error(\n `Failed to detect MIME type: ${error instanceof Error ? error.message : String(error)}`\n );\n }\n}\n\nfunction matchesMimePattern(mimeType: string, patterns: string[]): boolean {\n if (!patterns?.length) return false;\n\n return patterns.some((pattern) => {\n const normalizedPattern = pattern.toLowerCase();\n const normalizedMimeType = mimeType.toLowerCase();\n\n if (normalizedPattern.includes('*')) {\n const regexPattern = normalizedPattern.replace(/\\*/g, '.*');\n\n const regex = new RegExp(`^${regexPattern}$`);\n const matches = regex.test(normalizedMimeType);\n return matches;\n }\n\n const exactMatch = normalizedPattern === normalizedMimeType;\n return exactMatch;\n });\n}\n\nexport function isMimeTypeAllowed(mimeType: string, config: SecurityConfig): boolean {\n const { allowedTypes, deniedTypes } = config;\n\n if (!mimeType) return false;\n\n if (deniedTypes?.length && matchesMimePattern(mimeType, deniedTypes)) {\n return false;\n }\n\n if (allowedTypes?.length) {\n return matchesMimePattern(mimeType, allowedTypes);\n }\n\n return true;\n}\n\nexport function extractFileInfo(file: any) {\n const fileName =\n file.originalFilename || file.name || file.filename || file.newFilename || 'unknown';\n const declaredMimeType = file.mimetype || file.type || file.mimeType || file.mime || '';\n\n return { fileName, declaredMimeType };\n}\n\nexport async function validateFile(\n file: any,\n config: SecurityConfig,\n strapi: Core.Strapi\n): Promise<ValidationResult> {\n const { allowedTypes, deniedTypes } = config;\n\n if (!allowedTypes && !deniedTypes) {\n return { isValid: true };\n }\n\n const { fileName, declaredMimeType } = extractFileInfo(file);\n\n let detectedMime: string | undefined;\n let mimeDetectionFailed = false;\n\n try {\n detectedMime = await detectMimeType(file);\n } catch (error) {\n mimeDetectionFailed = true;\n strapi.log.warn('Failed to detect MIME type from file', {\n fileName,\n error: error instanceof Error ? error.message : String(error),\n });\n }\n\n const mimeToValidate = detectedMime || declaredMimeType;\n\n if (\n !detectedMime &&\n (declaredMimeType === 'application/octet-stream' || !declaredMimeType || mimeDetectionFailed)\n ) {\n if (allowedTypes?.length || deniedTypes?.length) {\n return {\n isValid: false,\n error: {\n code: 'MIME_TYPE_NOT_ALLOWED',\n message: `Cannot verify file type for security reasons`,\n details: {\n fileName,\n reason: 'Unable to detect MIME type from file content',\n declaredType: declaredMimeType,\n mimeDetectionFailed,\n },\n },\n };\n }\n }\n\n if (\n mimeToValidate &&\n (allowedTypes || deniedTypes) &&\n !isMimeTypeAllowed(mimeToValidate, config)\n ) {\n return {\n isValid: false,\n error: {\n code: 'MIME_TYPE_NOT_ALLOWED',\n message: `File type '${mimeToValidate}' is not allowed`,\n details: {\n fileName,\n detectedType: detectedMime,\n declaredType: declaredMimeType,\n finalType: mimeToValidate,\n allowedTypes,\n deniedTypes,\n },\n },\n };\n }\n\n return { isValid: true };\n}\n\nexport async function validateFiles(files: any, strapi: Core.Strapi): Promise<ValidationResult[]> {\n const filesArray = Array.isArray(files) ? files : [files];\n\n if (!filesArray.length) {\n return [];\n }\n\n const config: SecurityConfig = strapi.config.get('plugin::upload.security', {});\n if (\n config.allowedTypes &&\n (!Array.isArray(config.allowedTypes) ||\n !config.allowedTypes.every((item) => typeof item === 'string'))\n ) {\n throw new errors.ApplicationError(\n 'Invalid configuration: allowedTypes must be an array of strings.'\n );\n }\n\n if (\n config.deniedTypes &&\n (!Array.isArray(config.deniedTypes) ||\n !config.deniedTypes.every((item) => typeof item === 'string'))\n ) {\n throw new errors.ApplicationError(\n 'Invalid configuration: deniedTypes must be an array of strings.'\n );\n }\n\n if (!config.allowedTypes && !config.deniedTypes) {\n strapi.log.warn(\n 'No upload security configuration found. Consider configuring plugin.upload.security for enhanced file validation.'\n );\n return filesArray.map(() => ({ isValid: true }));\n }\n\n const validationPromises = filesArray.map(async (file, index) => {\n try {\n return await validateFile(file, config, strapi);\n } catch (error) {\n strapi.log.error('Unexpected error during file validation', {\n fileIndex: index,\n fileName: file?.name || file?.originalname,\n error: error instanceof Error ? error.message : String(error),\n });\n\n return {\n isValid: false,\n error: {\n code: 'VALIDATION_ERROR' as const,\n message: `Validation failed for file at index ${index}`,\n details: {\n index,\n fileName: file?.name || file?.originalname,\n originalError: error instanceof Error ? error.message : String(error),\n },\n },\n };\n }\n });\n\n return Promise.all(validationPromises);\n}\n\nexport async function enforceUploadSecurity(\n files: any,\n strapi: Core.Strapi\n): Promise<{\n validFiles: any[];\n validFileNames: string[];\n errors: Array<ErrorDetail>;\n}> {\n const validationResults = await validateFiles(files, strapi);\n const filesArray = Array.isArray(files) ? files : [files];\n\n const validFiles: any[] = [];\n const validFileNames: string[] = [];\n const errors: Array<ErrorDetail> = [];\n\n for (const [index, result] of validationResults.entries()) {\n if (result.isValid) {\n const file = filesArray[index];\n validFiles.push(file);\n validFileNames.push(file.originalFilename || file.name);\n } else if (result.error) {\n errors.push({\n file: filesArray[index],\n originalIndex: index,\n error: result.error,\n });\n } else {\n // Handle case where validation failed but no error details are provided\n errors.push({\n file: filesArray[index],\n originalIndex: index,\n error: {\n code: 'UNKNOWN_ERROR' as const,\n message: 'File validation failed for unknown reason',\n details: {\n index,\n fileName: filesArray[index]?.name || filesArray[index]?.originalname,\n },\n },\n });\n }\n }\n\n return { validFiles, validFileNames, errors };\n}\n"],"names":["readFileChunk","filePath","chunkSize","buffer","readFile","length","subarray","detectMimeType","file","path","filepath","tempFilePath","error","Error","message","String","undefined","fileTypeFromBuffer","result","Uint8Array","mime","matchesMimePattern","mimeType","patterns","some","pattern","normalizedPattern","toLowerCase","normalizedMimeType","includes","regexPattern","replace","regex","RegExp","matches","test","exactMatch","isMimeTypeAllowed","config","allowedTypes","deniedTypes","extractFileInfo","fileName","originalFilename","name","filename","newFilename","declaredMimeType","mimetype","type","validateFile","strapi","isValid","detectedMime","mimeDetectionFailed","log","warn","mimeToValidate","code","details","reason","declaredType","detectedType","finalType","validateFiles","files","filesArray","Array","isArray","get","every","item","errors","ApplicationError","map","validationPromises","index","fileIndex","originalname","originalError","Promise","all","enforceUploadSecurity","validationResults","validFiles","validFileNames","entries","push","originalIndex"],"mappings":";;;;;AAyBA,eAAeA,aAAcC,CAAAA,QAAgB,EAAEC,SAAAA,GAAoB,IAAI,EAAA;IACrE,MAAMC,MAAAA,GAAS,MAAMC,iBAASH,CAAAA,QAAAA,CAAAA;IAC9B,OAAOE,MAAAA,CAAOE,MAAM,GAAGH,SAAAA,GAAYC,OAAOG,QAAQ,CAAC,GAAGJ,SAAaC,CAAAA,GAAAA,MAAAA;AACrE;AAEO,eAAeI,eAAeC,IAAS,EAAA;IAC5C,IAAIL,MAAAA;IAEJ,MAAMF,QAAAA,GAAWO,KAAKC,IAAI,IAAID,KAAKE,QAAQ,IAAIF,KAAKG,YAAY;AAEhE,IAAA,IAAIV,QAAU,EAAA;QACZ,IAAI;YACFE,MAAS,GAAA,MAAMH,cAAcC,QAAU,EAAA,IAAA,CAAA;AACzC,SAAA,CAAE,OAAOW,KAAO,EAAA;YACd,MAAM,IAAIC,KACR,CAAA,CAAC,qBAAqB,EAAED,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAAA,CAAOH,KAAQ,CAAA,CAAA,CAAA,CAAA;AAEpF;KACK,MAAA,IAAIJ,IAAKL,CAAAA,MAAM,EAAE;AACtBA,QAAAA,MAAAA,GAASK,IAAKL,CAAAA,MAAM,CAACE,MAAM,GAAG,IAAOG,GAAAA,IAAAA,CAAKL,MAAM,CAACG,QAAQ,CAAC,CAAG,EAAA,IAAA,CAAA,GAAQE,KAAKL,MAAM;KAC3E,MAAA;;QAEL,OAAOa,SAAAA;AACT;IAEA,IAAI;AACF;;;;AAIC,QACD,MAAM,EAAEC,kBAAkB,EAAE,GAAG,MAAM,OAAO,WAAA,CAAA;AAE5C,QAAA,MAAMC,MAAS,GAAA,MAAMD,kBAAmB,CAAA,IAAIE,UAAWhB,CAAAA,MAAAA,CAAAA,CAAAA;AACvD,QAAA,OAAOe,MAAQE,EAAAA,IAAAA;AACjB,KAAA,CAAE,OAAOR,KAAO,EAAA;QACd,MAAM,IAAIC,KACR,CAAA,CAAC,4BAA4B,EAAED,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAAA,CAAOH,KAAQ,CAAA,CAAA,CAAA,CAAA;AAE3F;AACF;AAEA,SAASS,kBAAAA,CAAmBC,QAAgB,EAAEC,QAAkB,EAAA;IAC9D,IAAI,CAACA,QAAUlB,EAAAA,MAAAA,EAAQ,OAAO,KAAA;IAE9B,OAAOkB,QAAAA,CAASC,IAAI,CAAC,CAACC,OAAAA,GAAAA;QACpB,MAAMC,iBAAAA,GAAoBD,QAAQE,WAAW,EAAA;QAC7C,MAAMC,kBAAAA,GAAqBN,SAASK,WAAW,EAAA;QAE/C,IAAID,iBAAAA,CAAkBG,QAAQ,CAAC,GAAM,CAAA,EAAA;AACnC,YAAA,MAAMC,YAAeJ,GAAAA,iBAAAA,CAAkBK,OAAO,CAAC,KAAO,EAAA,IAAA,CAAA;YAEtD,MAAMC,KAAAA,GAAQ,IAAIC,MAAO,CAAA,CAAC,CAAC,EAAEH,YAAAA,CAAa,CAAC,CAAC,CAAA;YAC5C,MAAMI,OAAAA,GAAUF,KAAMG,CAAAA,IAAI,CAACP,kBAAAA,CAAAA;YAC3B,OAAOM,OAAAA;AACT;AAEA,QAAA,MAAME,aAAaV,iBAAsBE,KAAAA,kBAAAA;QACzC,OAAOQ,UAAAA;AACT,KAAA,CAAA;AACF;AAEO,SAASC,iBAAAA,CAAkBf,QAAgB,EAAEgB,MAAsB,EAAA;AACxE,IAAA,MAAM,EAAEC,YAAY,EAAEC,WAAW,EAAE,GAAGF,MAAAA;IAEtC,IAAI,CAAChB,UAAU,OAAO,KAAA;AAEtB,IAAA,IAAIkB,WAAanC,EAAAA,MAAAA,IAAUgB,kBAAmBC,CAAAA,QAAAA,EAAUkB,WAAc,CAAA,EAAA;QACpE,OAAO,KAAA;AACT;AAEA,IAAA,IAAID,cAAclC,MAAQ,EAAA;AACxB,QAAA,OAAOgB,mBAAmBC,QAAUiB,EAAAA,YAAAA,CAAAA;AACtC;IAEA,OAAO,IAAA;AACT;AAEO,SAASE,gBAAgBjC,IAAS,EAAA;AACvC,IAAA,MAAMkC,QACJlC,GAAAA,IAAAA,CAAKmC,gBAAgB,IAAInC,IAAKoC,CAAAA,IAAI,IAAIpC,IAAAA,CAAKqC,QAAQ,IAAIrC,IAAKsC,CAAAA,WAAW,IAAI,SAAA;AAC7E,IAAA,MAAMC,gBAAmBvC,GAAAA,IAAAA,CAAKwC,QAAQ,IAAIxC,IAAKyC,CAAAA,IAAI,IAAIzC,IAAAA,CAAKc,QAAQ,IAAId,IAAKY,CAAAA,IAAI,IAAI,EAAA;IAErF,OAAO;AAAEsB,QAAAA,QAAAA;AAAUK,QAAAA;AAAiB,KAAA;AACtC;AAEO,eAAeG,YACpB1C,CAAAA,IAAS,EACT8B,MAAsB,EACtBa,MAAmB,EAAA;AAEnB,IAAA,MAAM,EAAEZ,YAAY,EAAEC,WAAW,EAAE,GAAGF,MAAAA;IAEtC,IAAI,CAACC,YAAgB,IAAA,CAACC,WAAa,EAAA;QACjC,OAAO;YAAEY,OAAS,EAAA;AAAK,SAAA;AACzB;AAEA,IAAA,MAAM,EAAEV,QAAQ,EAAEK,gBAAgB,EAAE,GAAGN,eAAgBjC,CAAAA,IAAAA,CAAAA;IAEvD,IAAI6C,YAAAA;AACJ,IAAA,IAAIC,mBAAsB,GAAA,KAAA;IAE1B,IAAI;AACFD,QAAAA,YAAAA,GAAe,MAAM9C,cAAeC,CAAAA,IAAAA,CAAAA;AACtC,KAAA,CAAE,OAAOI,KAAO,EAAA;QACd0C,mBAAsB,GAAA,IAAA;AACtBH,QAAAA,MAAAA,CAAOI,GAAG,CAACC,IAAI,CAAC,sCAAwC,EAAA;AACtDd,YAAAA,QAAAA;AACA9B,YAAAA,KAAAA,EAAOA,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACzD,SAAA,CAAA;AACF;AAEA,IAAA,MAAM6C,iBAAiBJ,YAAgBN,IAAAA,gBAAAA;IAEvC,IACE,CAACM,iBACAN,gBAAAA,KAAqB,8BAA8B,CAACA,gBAAAA,IAAoBO,mBAAkB,CAC3F,EAAA;QACA,IAAIf,YAAAA,EAAclC,MAAUmC,IAAAA,WAAAA,EAAanC,MAAQ,EAAA;YAC/C,OAAO;gBACL+C,OAAS,EAAA,KAAA;gBACTxC,KAAO,EAAA;oBACL8C,IAAM,EAAA,uBAAA;oBACN5C,OAAS,EAAA,CAAC,4CAA4C,CAAC;oBACvD6C,OAAS,EAAA;AACPjB,wBAAAA,QAAAA;wBACAkB,MAAQ,EAAA,8CAAA;wBACRC,YAAcd,EAAAA,gBAAAA;AACdO,wBAAAA;AACF;AACF;AACF,aAAA;AACF;AACF;IAEA,IACEG,cAAAA,KACClB,YAAgBC,IAAAA,WAAU,KAC3B,CAACH,iBAAAA,CAAkBoB,gBAAgBnB,MACnC,CAAA,EAAA;QACA,OAAO;YACLc,OAAS,EAAA,KAAA;YACTxC,KAAO,EAAA;gBACL8C,IAAM,EAAA,uBAAA;AACN5C,gBAAAA,OAAAA,EAAS,CAAC,WAAW,EAAE2C,cAAAA,CAAe,gBAAgB,CAAC;gBACvDE,OAAS,EAAA;AACPjB,oBAAAA,QAAAA;oBACAoB,YAAcT,EAAAA,YAAAA;oBACdQ,YAAcd,EAAAA,gBAAAA;oBACdgB,SAAWN,EAAAA,cAAAA;AACXlB,oBAAAA,YAAAA;AACAC,oBAAAA;AACF;AACF;AACF,SAAA;AACF;IAEA,OAAO;QAAEY,OAAS,EAAA;AAAK,KAAA;AACzB;AAEO,eAAeY,aAAAA,CAAcC,KAAU,EAAEd,MAAmB,EAAA;AACjE,IAAA,MAAMe,UAAaC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,SAASA,KAAQ,GAAA;AAACA,QAAAA;AAAM,KAAA;IAEzD,IAAI,CAACC,UAAW7D,CAAAA,MAAM,EAAE;AACtB,QAAA,OAAO,EAAE;AACX;AAEA,IAAA,MAAMiC,SAAyBa,MAAOb,CAAAA,MAAM,CAAC+B,GAAG,CAAC,2BAA2B,EAAC,CAAA;IAC7E,IACE/B,MAAAA,CAAOC,YAAY,KAClB,CAAC4B,KAAMC,CAAAA,OAAO,CAAC9B,MAAAA,CAAOC,YAAY,CAAA,IACjC,CAACD,MAAOC,CAAAA,YAAY,CAAC+B,KAAK,CAAC,CAACC,IAAS,GAAA,OAAOA,IAAS,KAAA,QAAA,CAAQ,CAC/D,EAAA;QACA,MAAM,IAAIC,YAAOC,CAAAA,gBAAgB,CAC/B,kEAAA,CAAA;AAEJ;IAEA,IACEnC,MAAAA,CAAOE,WAAW,KACjB,CAAC2B,KAAMC,CAAAA,OAAO,CAAC9B,MAAAA,CAAOE,WAAW,CAAA,IAChC,CAACF,MAAOE,CAAAA,WAAW,CAAC8B,KAAK,CAAC,CAACC,IAAS,GAAA,OAAOA,IAAS,KAAA,QAAA,CAAQ,CAC9D,EAAA;QACA,MAAM,IAAIC,YAAOC,CAAAA,gBAAgB,CAC/B,iEAAA,CAAA;AAEJ;AAEA,IAAA,IAAI,CAACnC,MAAOC,CAAAA,YAAY,IAAI,CAACD,MAAAA,CAAOE,WAAW,EAAE;QAC/CW,MAAOI,CAAAA,GAAG,CAACC,IAAI,CACb,mHAAA,CAAA;AAEF,QAAA,OAAOU,UAAWQ,CAAAA,GAAG,CAAC,KAAO;gBAAEtB,OAAS,EAAA;aAAK,CAAA,CAAA;AAC/C;AAEA,IAAA,MAAMuB,kBAAqBT,GAAAA,UAAAA,CAAWQ,GAAG,CAAC,OAAOlE,IAAMoE,EAAAA,KAAAA,GAAAA;QACrD,IAAI;YACF,OAAO,MAAM1B,YAAa1C,CAAAA,IAAAA,EAAM8B,MAAQa,EAAAA,MAAAA,CAAAA;AAC1C,SAAA,CAAE,OAAOvC,KAAO,EAAA;AACduC,YAAAA,MAAAA,CAAOI,GAAG,CAAC3C,KAAK,CAAC,yCAA2C,EAAA;gBAC1DiE,SAAWD,EAAAA,KAAAA;gBACXlC,QAAUlC,EAAAA,IAAAA,EAAMoC,QAAQpC,IAAMsE,EAAAA,YAAAA;AAC9BlE,gBAAAA,KAAAA,EAAOA,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACzD,aAAA,CAAA;YAEA,OAAO;gBACLwC,OAAS,EAAA,KAAA;gBACTxC,KAAO,EAAA;oBACL8C,IAAM,EAAA,kBAAA;oBACN5C,OAAS,EAAA,CAAC,oCAAoC,EAAE8D,KAAO,CAAA,CAAA;oBACvDjB,OAAS,EAAA;AACPiB,wBAAAA,KAAAA;wBACAlC,QAAUlC,EAAAA,IAAAA,EAAMoC,QAAQpC,IAAMsE,EAAAA,YAAAA;AAC9BC,wBAAAA,aAAAA,EAAenE,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACjE;AACF;AACF,aAAA;AACF;AACF,KAAA,CAAA;IAEA,OAAOoE,OAAAA,CAAQC,GAAG,CAACN,kBAAAA,CAAAA;AACrB;AAEO,eAAeO,qBAAAA,CACpBjB,KAAU,EACVd,MAAmB,EAAA;IAMnB,MAAMgC,iBAAAA,GAAoB,MAAMnB,aAAAA,CAAcC,KAAOd,EAAAA,MAAAA,CAAAA;AACrD,IAAA,MAAMe,UAAaC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,SAASA,KAAQ,GAAA;AAACA,QAAAA;AAAM,KAAA;AAEzD,IAAA,MAAMmB,aAAoB,EAAE;AAC5B,IAAA,MAAMC,iBAA2B,EAAE;AACnC,IAAA,MAAMb,SAA6B,EAAE;AAErC,IAAA,KAAK,MAAM,CAACI,KAAAA,EAAO1D,OAAO,IAAIiE,iBAAAA,CAAkBG,OAAO,EAAI,CAAA;QACzD,IAAIpE,MAAAA,CAAOkC,OAAO,EAAE;YAClB,MAAM5C,IAAAA,GAAO0D,UAAU,CAACU,KAAM,CAAA;AAC9BQ,YAAAA,UAAAA,CAAWG,IAAI,CAAC/E,IAAAA,CAAAA;AAChB6E,YAAAA,cAAAA,CAAeE,IAAI,CAAC/E,IAAAA,CAAKmC,gBAAgB,IAAInC,KAAKoC,IAAI,CAAA;SACjD,MAAA,IAAI1B,MAAON,CAAAA,KAAK,EAAE;AACvB4D,YAAAA,MAAAA,CAAOe,IAAI,CAAC;gBACV/E,IAAM0D,EAAAA,UAAU,CAACU,KAAM,CAAA;gBACvBY,aAAeZ,EAAAA,KAAAA;AACfhE,gBAAAA,KAAAA,EAAOM,OAAON;AAChB,aAAA,CAAA;SACK,MAAA;;AAEL4D,YAAAA,MAAAA,CAAOe,IAAI,CAAC;gBACV/E,IAAM0D,EAAAA,UAAU,CAACU,KAAM,CAAA;gBACvBY,aAAeZ,EAAAA,KAAAA;gBACfhE,KAAO,EAAA;oBACL8C,IAAM,EAAA,eAAA;oBACN5C,OAAS,EAAA,2CAAA;oBACT6C,OAAS,EAAA;AACPiB,wBAAAA,KAAAA;wBACAlC,QAAUwB,EAAAA,UAAU,CAACU,KAAM,CAAA,EAAEhC,QAAQsB,UAAU,CAACU,MAAM,EAAEE;AAC1D;AACF;AACF,aAAA,CAAA;AACF;AACF;IAEA,OAAO;AAAEM,QAAAA,UAAAA;AAAYC,QAAAA,cAAAA;AAAgBb,QAAAA;AAAO,KAAA;AAC9C;;;;;;;;;"}

package/dist/server/utils/mime-validation.mjs ADDED Viewed

@@ -0,0 +1,215 @@
+import { readFile } from 'node:fs/promises';
+import { errors } from '@strapi/utils';
+async function readFileChunk(filePath, chunkSize = 4100) {
+    const buffer = await readFile(filePath);
+    return buffer.length > chunkSize ? buffer.subarray(0, chunkSize) : buffer;
+}
+async function detectMimeType(file) {
+    let buffer;
+    const filePath = file.path || file.filepath || file.tempFilePath;
+    if (filePath) {
+        try {
+            buffer = await readFileChunk(filePath, 4100);
+        } catch (error) {
+            throw new Error(`Failed to read file: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    } else if (file.buffer) {
+        buffer = file.buffer.length > 4100 ? file.buffer.subarray(0, 4100) : file.buffer;
+    } else {
+        // No file data available
+        return undefined;
+    }
+    try {
+        /**
+     * Use dynamic import to support file-type which is ESM-only
+     * Static imports fail during CommonJS build since bundler can't transform ESM-only packages
+     * @see https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c
+     */ const { fileTypeFromBuffer } = await import('file-type');
+        const result = await fileTypeFromBuffer(new Uint8Array(buffer));
+        return result?.mime;
+    } catch (error) {
+        throw new Error(`Failed to detect MIME type: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function matchesMimePattern(mimeType, patterns) {
+    if (!patterns?.length) return false;
+    return patterns.some((pattern)=>{
+        const normalizedPattern = pattern.toLowerCase();
+        const normalizedMimeType = mimeType.toLowerCase();
+        if (normalizedPattern.includes('*')) {
+            const regexPattern = normalizedPattern.replace(/\*/g, '.*');
+            const regex = new RegExp(`^${regexPattern}$`);
+            const matches = regex.test(normalizedMimeType);
+            return matches;
+        }
+        const exactMatch = normalizedPattern === normalizedMimeType;
+        return exactMatch;
+    });
+}
+function isMimeTypeAllowed(mimeType, config) {
+    const { allowedTypes, deniedTypes } = config;
+    if (!mimeType) return false;
+    if (deniedTypes?.length && matchesMimePattern(mimeType, deniedTypes)) {
+        return false;
+    }
+    if (allowedTypes?.length) {
+        return matchesMimePattern(mimeType, allowedTypes);
+    }
+    return true;
+}
+function extractFileInfo(file) {
+    const fileName = file.originalFilename || file.name || file.filename || file.newFilename || 'unknown';
+    const declaredMimeType = file.mimetype || file.type || file.mimeType || file.mime || '';
+    return {
+        fileName,
+        declaredMimeType
+    };
+}
+async function validateFile(file, config, strapi) {
+    const { allowedTypes, deniedTypes } = config;
+    if (!allowedTypes && !deniedTypes) {
+        return {
+            isValid: true
+        };
+    }
+    const { fileName, declaredMimeType } = extractFileInfo(file);
+    let detectedMime;
+    let mimeDetectionFailed = false;
+    try {
+        detectedMime = await detectMimeType(file);
+    } catch (error) {
+        mimeDetectionFailed = true;
+        strapi.log.warn('Failed to detect MIME type from file', {
+            fileName,
+            error: error instanceof Error ? error.message : String(error)
+        });
+    }
+    const mimeToValidate = detectedMime || declaredMimeType;
+    if (!detectedMime && (declaredMimeType === 'application/octet-stream' || !declaredMimeType || mimeDetectionFailed)) {
+        if (allowedTypes?.length || deniedTypes?.length) {
+            return {
+                isValid: false,
+                error: {
+                    code: 'MIME_TYPE_NOT_ALLOWED',
+                    message: `Cannot verify file type for security reasons`,
+                    details: {
+                        fileName,
+                        reason: 'Unable to detect MIME type from file content',
+                        declaredType: declaredMimeType,
+                        mimeDetectionFailed
+                    }
+                }
+            };
+        }
+    }
+    if (mimeToValidate && (allowedTypes || deniedTypes) && !isMimeTypeAllowed(mimeToValidate, config)) {
+        return {
+            isValid: false,
+            error: {
+                code: 'MIME_TYPE_NOT_ALLOWED',
+                message: `File type '${mimeToValidate}' is not allowed`,
+                details: {
+                    fileName,
+                    detectedType: detectedMime,
+                    declaredType: declaredMimeType,
+                    finalType: mimeToValidate,
+                    allowedTypes,
+                    deniedTypes
+                }
+            }
+        };
+    }
+    return {
+        isValid: true
+    };
+}
+async function validateFiles(files, strapi) {
+    const filesArray = Array.isArray(files) ? files : [
+        files
+    ];
+    if (!filesArray.length) {
+        return [];
+    }
+    const config = strapi.config.get('plugin::upload.security', {});
+    if (config.allowedTypes && (!Array.isArray(config.allowedTypes) || !config.allowedTypes.every((item)=>typeof item === 'string'))) {
+        throw new errors.ApplicationError('Invalid configuration: allowedTypes must be an array of strings.');
+    }
+    if (config.deniedTypes && (!Array.isArray(config.deniedTypes) || !config.deniedTypes.every((item)=>typeof item === 'string'))) {
+        throw new errors.ApplicationError('Invalid configuration: deniedTypes must be an array of strings.');
+    }
+    if (!config.allowedTypes && !config.deniedTypes) {
+        strapi.log.warn('No upload security configuration found. Consider configuring plugin.upload.security for enhanced file validation.');
+        return filesArray.map(()=>({
+                isValid: true
+            }));
+    }
+    const validationPromises = filesArray.map(async (file, index)=>{
+        try {
+            return await validateFile(file, config, strapi);
+        } catch (error) {
+            strapi.log.error('Unexpected error during file validation', {
+                fileIndex: index,
+                fileName: file?.name || file?.originalname,
+                error: error instanceof Error ? error.message : String(error)
+            });
+            return {
+                isValid: false,
+                error: {
+                    code: 'VALIDATION_ERROR',
+                    message: `Validation failed for file at index ${index}`,
+                    details: {
+                        index,
+                        fileName: file?.name || file?.originalname,
+                        originalError: error instanceof Error ? error.message : String(error)
+                    }
+                }
+            };
+        }
+    });
+    return Promise.all(validationPromises);
+}
+async function enforceUploadSecurity(files, strapi) {
+    const validationResults = await validateFiles(files, strapi);
+    const filesArray = Array.isArray(files) ? files : [
+        files
+    ];
+    const validFiles = [];
+    const validFileNames = [];
+    const errors = [];
+    for (const [index, result] of validationResults.entries()){
+        if (result.isValid) {
+            const file = filesArray[index];
+            validFiles.push(file);
+            validFileNames.push(file.originalFilename || file.name);
+        } else if (result.error) {
+            errors.push({
+                file: filesArray[index],
+                originalIndex: index,
+                error: result.error
+            });
+        } else {
+            // Handle case where validation failed but no error details are provided
+            errors.push({
+                file: filesArray[index],
+                originalIndex: index,
+                error: {
+                    code: 'UNKNOWN_ERROR',
+                    message: 'File validation failed for unknown reason',
+                    details: {
+                        index,
+                        fileName: filesArray[index]?.name || filesArray[index]?.originalname
+                    }
+                }
+            });
+        }
+    }
+    return {
+        validFiles,
+        validFileNames,
+        errors
+    };
+}
+export { detectMimeType, enforceUploadSecurity, extractFileInfo, isMimeTypeAllowed, validateFile, validateFiles };
+//# sourceMappingURL=mime-validation.mjs.map

package/dist/server/utils/mime-validation.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mime-validation.mjs","sources":["../../../server/src/utils/mime-validation.ts"],"sourcesContent":["import { readFile } from 'node:fs/promises';\nimport type { Core } from '@strapi/types';\nimport { errors } from '@strapi/utils';\n\nexport type SecurityConfig = {\n allowedTypes?: string[];\n deniedTypes?: string[];\n};\ntype UploadValidationError = {\n code: 'MIME_TYPE_NOT_ALLOWED' | 'VALIDATION_ERROR' | 'UNKNOWN_ERROR';\n message: string;\n details: Record<string, any>;\n};\n\ntype ValidationResult = {\n isValid: boolean;\n error?: UploadValidationError;\n};\n\ntype ErrorDetail = {\n file: any;\n originalIndex: number;\n error: UploadValidationError;\n};\n\nasync function readFileChunk(filePath: string, chunkSize: number = 4100): Promise<Buffer> {\n const buffer = await readFile(filePath);\n return buffer.length > chunkSize ? buffer.subarray(0, chunkSize) : buffer;\n}\n\nexport async function detectMimeType(file: any): Promise<string | undefined> {\n let buffer: Buffer;\n\n const filePath = file.path || file.filepath || file.tempFilePath;\n\n if (filePath) {\n try {\n buffer = await readFileChunk(filePath, 4100);\n } catch (error) {\n throw new Error(\n `Failed to read file: ${error instanceof Error ? error.message : String(error)}`\n );\n }\n } else if (file.buffer) {\n buffer = file.buffer.length > 4100 ? file.buffer.subarray(0, 4100) : file.buffer;\n } else {\n // No file data available\n return undefined;\n }\n\n try {\n /**\n * Use dynamic import to support file-type which is ESM-only\n * Static imports fail during CommonJS build since bundler can't transform ESM-only packages\n * @see https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c\n */\n const { fileTypeFromBuffer } = await import('file-type');\n\n const result = await fileTypeFromBuffer(new Uint8Array(buffer));\n return result?.mime;\n } catch (error) {\n throw new Error(\n `Failed to detect MIME type: ${error instanceof Error ? error.message : String(error)}`\n );\n }\n}\n\nfunction matchesMimePattern(mimeType: string, patterns: string[]): boolean {\n if (!patterns?.length) return false;\n\n return patterns.some((pattern) => {\n const normalizedPattern = pattern.toLowerCase();\n const normalizedMimeType = mimeType.toLowerCase();\n\n if (normalizedPattern.includes('*')) {\n const regexPattern = normalizedPattern.replace(/\\*/g, '.*');\n\n const regex = new RegExp(`^${regexPattern}$`);\n const matches = regex.test(normalizedMimeType);\n return matches;\n }\n\n const exactMatch = normalizedPattern === normalizedMimeType;\n return exactMatch;\n });\n}\n\nexport function isMimeTypeAllowed(mimeType: string, config: SecurityConfig): boolean {\n const { allowedTypes, deniedTypes } = config;\n\n if (!mimeType) return false;\n\n if (deniedTypes?.length && matchesMimePattern(mimeType, deniedTypes)) {\n return false;\n }\n\n if (allowedTypes?.length) {\n return matchesMimePattern(mimeType, allowedTypes);\n }\n\n return true;\n}\n\nexport function extractFileInfo(file: any) {\n const fileName =\n file.originalFilename || file.name || file.filename || file.newFilename || 'unknown';\n const declaredMimeType = file.mimetype || file.type || file.mimeType || file.mime || '';\n\n return { fileName, declaredMimeType };\n}\n\nexport async function validateFile(\n file: any,\n config: SecurityConfig,\n strapi: Core.Strapi\n): Promise<ValidationResult> {\n const { allowedTypes, deniedTypes } = config;\n\n if (!allowedTypes && !deniedTypes) {\n return { isValid: true };\n }\n\n const { fileName, declaredMimeType } = extractFileInfo(file);\n\n let detectedMime: string | undefined;\n let mimeDetectionFailed = false;\n\n try {\n detectedMime = await detectMimeType(file);\n } catch (error) {\n mimeDetectionFailed = true;\n strapi.log.warn('Failed to detect MIME type from file', {\n fileName,\n error: error instanceof Error ? error.message : String(error),\n });\n }\n\n const mimeToValidate = detectedMime || declaredMimeType;\n\n if (\n !detectedMime &&\n (declaredMimeType === 'application/octet-stream' || !declaredMimeType || mimeDetectionFailed)\n ) {\n if (allowedTypes?.length || deniedTypes?.length) {\n return {\n isValid: false,\n error: {\n code: 'MIME_TYPE_NOT_ALLOWED',\n message: `Cannot verify file type for security reasons`,\n details: {\n fileName,\n reason: 'Unable to detect MIME type from file content',\n declaredType: declaredMimeType,\n mimeDetectionFailed,\n },\n },\n };\n }\n }\n\n if (\n mimeToValidate &&\n (allowedTypes || deniedTypes) &&\n !isMimeTypeAllowed(mimeToValidate, config)\n ) {\n return {\n isValid: false,\n error: {\n code: 'MIME_TYPE_NOT_ALLOWED',\n message: `File type '${mimeToValidate}' is not allowed`,\n details: {\n fileName,\n detectedType: detectedMime,\n declaredType: declaredMimeType,\n finalType: mimeToValidate,\n allowedTypes,\n deniedTypes,\n },\n },\n };\n }\n\n return { isValid: true };\n}\n\nexport async function validateFiles(files: any, strapi: Core.Strapi): Promise<ValidationResult[]> {\n const filesArray = Array.isArray(files) ? files : [files];\n\n if (!filesArray.length) {\n return [];\n }\n\n const config: SecurityConfig = strapi.config.get('plugin::upload.security', {});\n if (\n config.allowedTypes &&\n (!Array.isArray(config.allowedTypes) ||\n !config.allowedTypes.every((item) => typeof item === 'string'))\n ) {\n throw new errors.ApplicationError(\n 'Invalid configuration: allowedTypes must be an array of strings.'\n );\n }\n\n if (\n config.deniedTypes &&\n (!Array.isArray(config.deniedTypes) ||\n !config.deniedTypes.every((item) => typeof item === 'string'))\n ) {\n throw new errors.ApplicationError(\n 'Invalid configuration: deniedTypes must be an array of strings.'\n );\n }\n\n if (!config.allowedTypes && !config.deniedTypes) {\n strapi.log.warn(\n 'No upload security configuration found. Consider configuring plugin.upload.security for enhanced file validation.'\n );\n return filesArray.map(() => ({ isValid: true }));\n }\n\n const validationPromises = filesArray.map(async (file, index) => {\n try {\n return await validateFile(file, config, strapi);\n } catch (error) {\n strapi.log.error('Unexpected error during file validation', {\n fileIndex: index,\n fileName: file?.name || file?.originalname,\n error: error instanceof Error ? error.message : String(error),\n });\n\n return {\n isValid: false,\n error: {\n code: 'VALIDATION_ERROR' as const,\n message: `Validation failed for file at index ${index}`,\n details: {\n index,\n fileName: file?.name || file?.originalname,\n originalError: error instanceof Error ? error.message : String(error),\n },\n },\n };\n }\n });\n\n return Promise.all(validationPromises);\n}\n\nexport async function enforceUploadSecurity(\n files: any,\n strapi: Core.Strapi\n): Promise<{\n validFiles: any[];\n validFileNames: string[];\n errors: Array<ErrorDetail>;\n}> {\n const validationResults = await validateFiles(files, strapi);\n const filesArray = Array.isArray(files) ? files : [files];\n\n const validFiles: any[] = [];\n const validFileNames: string[] = [];\n const errors: Array<ErrorDetail> = [];\n\n for (const [index, result] of validationResults.entries()) {\n if (result.isValid) {\n const file = filesArray[index];\n validFiles.push(file);\n validFileNames.push(file.originalFilename || file.name);\n } else if (result.error) {\n errors.push({\n file: filesArray[index],\n originalIndex: index,\n error: result.error,\n });\n } else {\n // Handle case where validation failed but no error details are provided\n errors.push({\n file: filesArray[index],\n originalIndex: index,\n error: {\n code: 'UNKNOWN_ERROR' as const,\n message: 'File validation failed for unknown reason',\n details: {\n index,\n fileName: filesArray[index]?.name || filesArray[index]?.originalname,\n },\n },\n });\n }\n }\n\n return { validFiles, validFileNames, errors };\n}\n"],"names":["readFileChunk","filePath","chunkSize","buffer","readFile","length","subarray","detectMimeType","file","path","filepath","tempFilePath","error","Error","message","String","undefined","fileTypeFromBuffer","result","Uint8Array","mime","matchesMimePattern","mimeType","patterns","some","pattern","normalizedPattern","toLowerCase","normalizedMimeType","includes","regexPattern","replace","regex","RegExp","matches","test","exactMatch","isMimeTypeAllowed","config","allowedTypes","deniedTypes","extractFileInfo","fileName","originalFilename","name","filename","newFilename","declaredMimeType","mimetype","type","validateFile","strapi","isValid","detectedMime","mimeDetectionFailed","log","warn","mimeToValidate","code","details","reason","declaredType","detectedType","finalType","validateFiles","files","filesArray","Array","isArray","get","every","item","errors","ApplicationError","map","validationPromises","index","fileIndex","originalname","originalError","Promise","all","enforceUploadSecurity","validationResults","validFiles","validFileNames","entries","push","originalIndex"],"mappings":";;;AAyBA,eAAeA,aAAcC,CAAAA,QAAgB,EAAEC,SAAAA,GAAoB,IAAI,EAAA;IACrE,MAAMC,MAAAA,GAAS,MAAMC,QAASH,CAAAA,QAAAA,CAAAA;IAC9B,OAAOE,MAAAA,CAAOE,MAAM,GAAGH,SAAAA,GAAYC,OAAOG,QAAQ,CAAC,GAAGJ,SAAaC,CAAAA,GAAAA,MAAAA;AACrE;AAEO,eAAeI,eAAeC,IAAS,EAAA;IAC5C,IAAIL,MAAAA;IAEJ,MAAMF,QAAAA,GAAWO,KAAKC,IAAI,IAAID,KAAKE,QAAQ,IAAIF,KAAKG,YAAY;AAEhE,IAAA,IAAIV,QAAU,EAAA;QACZ,IAAI;YACFE,MAAS,GAAA,MAAMH,cAAcC,QAAU,EAAA,IAAA,CAAA;AACzC,SAAA,CAAE,OAAOW,KAAO,EAAA;YACd,MAAM,IAAIC,KACR,CAAA,CAAC,qBAAqB,EAAED,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAAA,CAAOH,KAAQ,CAAA,CAAA,CAAA,CAAA;AAEpF;KACK,MAAA,IAAIJ,IAAKL,CAAAA,MAAM,EAAE;AACtBA,QAAAA,MAAAA,GAASK,IAAKL,CAAAA,MAAM,CAACE,MAAM,GAAG,IAAOG,GAAAA,IAAAA,CAAKL,MAAM,CAACG,QAAQ,CAAC,CAAG,EAAA,IAAA,CAAA,GAAQE,KAAKL,MAAM;KAC3E,MAAA;;QAEL,OAAOa,SAAAA;AACT;IAEA,IAAI;AACF;;;;AAIC,QACD,MAAM,EAAEC,kBAAkB,EAAE,GAAG,MAAM,OAAO,WAAA,CAAA;AAE5C,QAAA,MAAMC,MAAS,GAAA,MAAMD,kBAAmB,CAAA,IAAIE,UAAWhB,CAAAA,MAAAA,CAAAA,CAAAA;AACvD,QAAA,OAAOe,MAAQE,EAAAA,IAAAA;AACjB,KAAA,CAAE,OAAOR,KAAO,EAAA;QACd,MAAM,IAAIC,KACR,CAAA,CAAC,4BAA4B,EAAED,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAAA,CAAOH,KAAQ,CAAA,CAAA,CAAA,CAAA;AAE3F;AACF;AAEA,SAASS,kBAAAA,CAAmBC,QAAgB,EAAEC,QAAkB,EAAA;IAC9D,IAAI,CAACA,QAAUlB,EAAAA,MAAAA,EAAQ,OAAO,KAAA;IAE9B,OAAOkB,QAAAA,CAASC,IAAI,CAAC,CAACC,OAAAA,GAAAA;QACpB,MAAMC,iBAAAA,GAAoBD,QAAQE,WAAW,EAAA;QAC7C,MAAMC,kBAAAA,GAAqBN,SAASK,WAAW,EAAA;QAE/C,IAAID,iBAAAA,CAAkBG,QAAQ,CAAC,GAAM,CAAA,EAAA;AACnC,YAAA,MAAMC,YAAeJ,GAAAA,iBAAAA,CAAkBK,OAAO,CAAC,KAAO,EAAA,IAAA,CAAA;YAEtD,MAAMC,KAAAA,GAAQ,IAAIC,MAAO,CAAA,CAAC,CAAC,EAAEH,YAAAA,CAAa,CAAC,CAAC,CAAA;YAC5C,MAAMI,OAAAA,GAAUF,KAAMG,CAAAA,IAAI,CAACP,kBAAAA,CAAAA;YAC3B,OAAOM,OAAAA;AACT;AAEA,QAAA,MAAME,aAAaV,iBAAsBE,KAAAA,kBAAAA;QACzC,OAAOQ,UAAAA;AACT,KAAA,CAAA;AACF;AAEO,SAASC,iBAAAA,CAAkBf,QAAgB,EAAEgB,MAAsB,EAAA;AACxE,IAAA,MAAM,EAAEC,YAAY,EAAEC,WAAW,EAAE,GAAGF,MAAAA;IAEtC,IAAI,CAAChB,UAAU,OAAO,KAAA;AAEtB,IAAA,IAAIkB,WAAanC,EAAAA,MAAAA,IAAUgB,kBAAmBC,CAAAA,QAAAA,EAAUkB,WAAc,CAAA,EAAA;QACpE,OAAO,KAAA;AACT;AAEA,IAAA,IAAID,cAAclC,MAAQ,EAAA;AACxB,QAAA,OAAOgB,mBAAmBC,QAAUiB,EAAAA,YAAAA,CAAAA;AACtC;IAEA,OAAO,IAAA;AACT;AAEO,SAASE,gBAAgBjC,IAAS,EAAA;AACvC,IAAA,MAAMkC,QACJlC,GAAAA,IAAAA,CAAKmC,gBAAgB,IAAInC,IAAKoC,CAAAA,IAAI,IAAIpC,IAAAA,CAAKqC,QAAQ,IAAIrC,IAAKsC,CAAAA,WAAW,IAAI,SAAA;AAC7E,IAAA,MAAMC,gBAAmBvC,GAAAA,IAAAA,CAAKwC,QAAQ,IAAIxC,IAAKyC,CAAAA,IAAI,IAAIzC,IAAAA,CAAKc,QAAQ,IAAId,IAAKY,CAAAA,IAAI,IAAI,EAAA;IAErF,OAAO;AAAEsB,QAAAA,QAAAA;AAAUK,QAAAA;AAAiB,KAAA;AACtC;AAEO,eAAeG,YACpB1C,CAAAA,IAAS,EACT8B,MAAsB,EACtBa,MAAmB,EAAA;AAEnB,IAAA,MAAM,EAAEZ,YAAY,EAAEC,WAAW,EAAE,GAAGF,MAAAA;IAEtC,IAAI,CAACC,YAAgB,IAAA,CAACC,WAAa,EAAA;QACjC,OAAO;YAAEY,OAAS,EAAA;AAAK,SAAA;AACzB;AAEA,IAAA,MAAM,EAAEV,QAAQ,EAAEK,gBAAgB,EAAE,GAAGN,eAAgBjC,CAAAA,IAAAA,CAAAA;IAEvD,IAAI6C,YAAAA;AACJ,IAAA,IAAIC,mBAAsB,GAAA,KAAA;IAE1B,IAAI;AACFD,QAAAA,YAAAA,GAAe,MAAM9C,cAAeC,CAAAA,IAAAA,CAAAA;AACtC,KAAA,CAAE,OAAOI,KAAO,EAAA;QACd0C,mBAAsB,GAAA,IAAA;AACtBH,QAAAA,MAAAA,CAAOI,GAAG,CAACC,IAAI,CAAC,sCAAwC,EAAA;AACtDd,YAAAA,QAAAA;AACA9B,YAAAA,KAAAA,EAAOA,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACzD,SAAA,CAAA;AACF;AAEA,IAAA,MAAM6C,iBAAiBJ,YAAgBN,IAAAA,gBAAAA;IAEvC,IACE,CAACM,iBACAN,gBAAAA,KAAqB,8BAA8B,CAACA,gBAAAA,IAAoBO,mBAAkB,CAC3F,EAAA;QACA,IAAIf,YAAAA,EAAclC,MAAUmC,IAAAA,WAAAA,EAAanC,MAAQ,EAAA;YAC/C,OAAO;gBACL+C,OAAS,EAAA,KAAA;gBACTxC,KAAO,EAAA;oBACL8C,IAAM,EAAA,uBAAA;oBACN5C,OAAS,EAAA,CAAC,4CAA4C,CAAC;oBACvD6C,OAAS,EAAA;AACPjB,wBAAAA,QAAAA;wBACAkB,MAAQ,EAAA,8CAAA;wBACRC,YAAcd,EAAAA,gBAAAA;AACdO,wBAAAA;AACF;AACF;AACF,aAAA;AACF;AACF;IAEA,IACEG,cAAAA,KACClB,YAAgBC,IAAAA,WAAU,KAC3B,CAACH,iBAAAA,CAAkBoB,gBAAgBnB,MACnC,CAAA,EAAA;QACA,OAAO;YACLc,OAAS,EAAA,KAAA;YACTxC,KAAO,EAAA;gBACL8C,IAAM,EAAA,uBAAA;AACN5C,gBAAAA,OAAAA,EAAS,CAAC,WAAW,EAAE2C,cAAAA,CAAe,gBAAgB,CAAC;gBACvDE,OAAS,EAAA;AACPjB,oBAAAA,QAAAA;oBACAoB,YAAcT,EAAAA,YAAAA;oBACdQ,YAAcd,EAAAA,gBAAAA;oBACdgB,SAAWN,EAAAA,cAAAA;AACXlB,oBAAAA,YAAAA;AACAC,oBAAAA;AACF;AACF;AACF,SAAA;AACF;IAEA,OAAO;QAAEY,OAAS,EAAA;AAAK,KAAA;AACzB;AAEO,eAAeY,aAAAA,CAAcC,KAAU,EAAEd,MAAmB,EAAA;AACjE,IAAA,MAAMe,UAAaC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,SAASA,KAAQ,GAAA;AAACA,QAAAA;AAAM,KAAA;IAEzD,IAAI,CAACC,UAAW7D,CAAAA,MAAM,EAAE;AACtB,QAAA,OAAO,EAAE;AACX;AAEA,IAAA,MAAMiC,SAAyBa,MAAOb,CAAAA,MAAM,CAAC+B,GAAG,CAAC,2BAA2B,EAAC,CAAA;IAC7E,IACE/B,MAAAA,CAAOC,YAAY,KAClB,CAAC4B,KAAMC,CAAAA,OAAO,CAAC9B,MAAAA,CAAOC,YAAY,CAAA,IACjC,CAACD,MAAOC,CAAAA,YAAY,CAAC+B,KAAK,CAAC,CAACC,IAAS,GAAA,OAAOA,IAAS,KAAA,QAAA,CAAQ,CAC/D,EAAA;QACA,MAAM,IAAIC,MAAOC,CAAAA,gBAAgB,CAC/B,kEAAA,CAAA;AAEJ;IAEA,IACEnC,MAAAA,CAAOE,WAAW,KACjB,CAAC2B,KAAMC,CAAAA,OAAO,CAAC9B,MAAAA,CAAOE,WAAW,CAAA,IAChC,CAACF,MAAOE,CAAAA,WAAW,CAAC8B,KAAK,CAAC,CAACC,IAAS,GAAA,OAAOA,IAAS,KAAA,QAAA,CAAQ,CAC9D,EAAA;QACA,MAAM,IAAIC,MAAOC,CAAAA,gBAAgB,CAC/B,iEAAA,CAAA;AAEJ;AAEA,IAAA,IAAI,CAACnC,MAAOC,CAAAA,YAAY,IAAI,CAACD,MAAAA,CAAOE,WAAW,EAAE;QAC/CW,MAAOI,CAAAA,GAAG,CAACC,IAAI,CACb,mHAAA,CAAA;AAEF,QAAA,OAAOU,UAAWQ,CAAAA,GAAG,CAAC,KAAO;gBAAEtB,OAAS,EAAA;aAAK,CAAA,CAAA;AAC/C;AAEA,IAAA,MAAMuB,kBAAqBT,GAAAA,UAAAA,CAAWQ,GAAG,CAAC,OAAOlE,IAAMoE,EAAAA,KAAAA,GAAAA;QACrD,IAAI;YACF,OAAO,MAAM1B,YAAa1C,CAAAA,IAAAA,EAAM8B,MAAQa,EAAAA,MAAAA,CAAAA;AAC1C,SAAA,CAAE,OAAOvC,KAAO,EAAA;AACduC,YAAAA,MAAAA,CAAOI,GAAG,CAAC3C,KAAK,CAAC,yCAA2C,EAAA;gBAC1DiE,SAAWD,EAAAA,KAAAA;gBACXlC,QAAUlC,EAAAA,IAAAA,EAAMoC,QAAQpC,IAAMsE,EAAAA,YAAAA;AAC9BlE,gBAAAA,KAAAA,EAAOA,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACzD,aAAA,CAAA;YAEA,OAAO;gBACLwC,OAAS,EAAA,KAAA;gBACTxC,KAAO,EAAA;oBACL8C,IAAM,EAAA,kBAAA;oBACN5C,OAAS,EAAA,CAAC,oCAAoC,EAAE8D,KAAO,CAAA,CAAA;oBACvDjB,OAAS,EAAA;AACPiB,wBAAAA,KAAAA;wBACAlC,QAAUlC,EAAAA,IAAAA,EAAMoC,QAAQpC,IAAMsE,EAAAA,YAAAA;AAC9BC,wBAAAA,aAAAA,EAAenE,KAAiBC,YAAAA,KAAAA,GAAQD,KAAME,CAAAA,OAAO,GAAGC,MAAOH,CAAAA,KAAAA;AACjE;AACF;AACF,aAAA;AACF;AACF,KAAA,CAAA;IAEA,OAAOoE,OAAAA,CAAQC,GAAG,CAACN,kBAAAA,CAAAA;AACrB;AAEO,eAAeO,qBAAAA,CACpBjB,KAAU,EACVd,MAAmB,EAAA;IAMnB,MAAMgC,iBAAAA,GAAoB,MAAMnB,aAAAA,CAAcC,KAAOd,EAAAA,MAAAA,CAAAA;AACrD,IAAA,MAAMe,UAAaC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,SAASA,KAAQ,GAAA;AAACA,QAAAA;AAAM,KAAA;AAEzD,IAAA,MAAMmB,aAAoB,EAAE;AAC5B,IAAA,MAAMC,iBAA2B,EAAE;AACnC,IAAA,MAAMb,SAA6B,EAAE;AAErC,IAAA,KAAK,MAAM,CAACI,KAAAA,EAAO1D,OAAO,IAAIiE,iBAAAA,CAAkBG,OAAO,EAAI,CAAA;QACzD,IAAIpE,MAAAA,CAAOkC,OAAO,EAAE;YAClB,MAAM5C,IAAAA,GAAO0D,UAAU,CAACU,KAAM,CAAA;AAC9BQ,YAAAA,UAAAA,CAAWG,IAAI,CAAC/E,IAAAA,CAAAA;AAChB6E,YAAAA,cAAAA,CAAeE,IAAI,CAAC/E,IAAAA,CAAKmC,gBAAgB,IAAInC,KAAKoC,IAAI,CAAA;SACjD,MAAA,IAAI1B,MAAON,CAAAA,KAAK,EAAE;AACvB4D,YAAAA,MAAAA,CAAOe,IAAI,CAAC;gBACV/E,IAAM0D,EAAAA,UAAU,CAACU,KAAM,CAAA;gBACvBY,aAAeZ,EAAAA,KAAAA;AACfhE,gBAAAA,KAAAA,EAAOM,OAAON;AAChB,aAAA,CAAA;SACK,MAAA;;AAEL4D,YAAAA,MAAAA,CAAOe,IAAI,CAAC;gBACV/E,IAAM0D,EAAAA,UAAU,CAACU,KAAM,CAAA;gBACvBY,aAAeZ,EAAAA,KAAAA;gBACfhE,KAAO,EAAA;oBACL8C,IAAM,EAAA,eAAA;oBACN5C,OAAS,EAAA,2CAAA;oBACT6C,OAAS,EAAA;AACPiB,wBAAAA,KAAAA;wBACAlC,QAAUwB,EAAAA,UAAU,CAACU,KAAM,CAAA,EAAEhC,QAAQsB,UAAU,CAACU,MAAM,EAAEE;AAC1D;AACF;AACF,aAAA,CAAA;AACF;AACF;IAEA,OAAO;AAAEM,QAAAA,UAAAA;AAAYC,QAAAA,cAAAA;AAAgBb,QAAAA;AAAO,KAAA;AAC9C;;;;"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/upload",
-  "version": "5.30.1",
+  "version": "5.31.1",
   "description": "Makes it easy to upload images and files to your Strapi Application.",
   "license": "SEE LICENSE IN LICENSE",
   "author": {
@@ -64,11 +64,12 @@
     "@reduxjs/toolkit": "1.9.7",
     "@strapi/design-system": "2.0.0-rc.30",
     "@strapi/icons": "2.0.0-rc.30",
-    "@strapi/provider-upload-local": "5.30.1",
-    "@strapi/utils": "5.30.1",
+    "@strapi/provider-upload-local": "5.31.1",
+    "@strapi/utils": "5.31.1",
     "byte-size": "8.1.1",
     "cropperjs": "1.6.1",
     "date-fns": "2.30.0",
+    "file-type": "21.0.0",
     "formik": "2.4.5",
     "fs-extra": "11.2.0",
     "immer": "9.0.21",
@@ -88,8 +89,8 @@
     "zod": "3.25.67"
   },
   "devDependencies": {
-    "@strapi/admin": "5.30.1",
-    "@strapi/types": "5.30.1",
+    "@strapi/admin": "5.31.1",
+    "@strapi/types": "5.31.1",
     "@testing-library/dom": "10.1.0",
     "@testing-library/react": "15.0.7",
     "@testing-library/user-event": "14.5.2",
@@ -115,7 +116,7 @@
     "styled-components": "^6.0.0"
   },
   "engines": {
-    "node": ">=18.0.0 <=22.x.x",
+    "node": ">=20.0.0 <=24.x.x",
     "npm": ">=6.0.0"
   },
   "strapi": {