file-type 21.3.2 → 21.3.3

package/core.js

@@ -20,18 +20,22 @@ const maximumZipEntrySizeInBytes = 1024 * 1024;
 const maximumZipEntryCount = 1024;
 const maximumZipBufferedReadSizeInBytes = (2 ** 31) - 1;
 const maximumUntrustedSkipSizeInBytes = 16 * 1024 * 1024;
+const maximumUnknownSizePayloadProbeSizeInBytes = maximumZipEntrySizeInBytes;
 const maximumZipTextEntrySizeInBytes = maximumZipEntrySizeInBytes;
 const maximumNestedGzipDetectionSizeInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumNestedGzipProbeDepth = 1;
 const maximumId3HeaderSizeInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumEbmlDocumentTypeSizeInBytes = 64;
-const maximumEbmlElementPayloadSizeInBytes = maximumUntrustedSkipSizeInBytes;
+const maximumEbmlElementPayloadSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
 const maximumEbmlElementCount = 256;
 const maximumPngChunkCount = 512;
+const maximumPngStreamScanBudgetInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumAsfHeaderObjectCount = 512;
 const maximumTiffTagCount = 512;
 const maximumDetectionReentryCount = 256;
-const maximumPngChunkSizeInBytes = maximumUntrustedSkipSizeInBytes;
+const maximumPngChunkSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
+const maximumAsfHeaderPayloadSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
+const maximumTiffStreamIfdOffsetInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
 const maximumTiffIfdOffsetInBytes = maximumUntrustedSkipSizeInBytes;
 const recoverableZipErrorMessages = new Set([
 	'Unexpected signature',
@@ -141,6 +145,10 @@ function findZipDataDescriptorOffset(buffer, bytesConsumed) {
 	return -1;
 }
 
+function isPngAncillaryChunk(type) {
+	return (type.codePointAt(0) & 0x20) !== 0;
+}
+
 function mergeByteChunks(chunks, totalLength) {
 	const merged = new Uint8Array(totalLength);
 	let offset = 0;
@@ -193,6 +201,10 @@ async function readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer, ma
 		}
 	}
 
+	if (!hasUnknownFileSize(zipHandler.tokenizer)) {
+		zipHandler.knownSizeDescriptorScannedBytes += bytesConsumed;
+	}
+
 	if (!shouldBuffer) {
 		return;
 	}
@@ -200,16 +212,30 @@ async function readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer, ma
 	return mergeByteChunks(chunks, bytesConsumed);
 }
 
-async function readZipEntryData(zipHandler, zipHeader, {shouldBuffer} = {}) {
+function getRemainingZipScanBudget(zipHandler, startOffset) {
+	if (hasUnknownFileSize(zipHandler.tokenizer)) {
+		return Math.max(0, maximumUntrustedSkipSizeInBytes - (zipHandler.tokenizer.position - startOffset));
+	}
+
+	return Math.max(0, maximumZipEntrySizeInBytes - zipHandler.knownSizeDescriptorScannedBytes);
+}
+
+async function readZipEntryData(zipHandler, zipHeader, {shouldBuffer, maximumDescriptorLength = maximumZipEntrySizeInBytes} = {}) {
 	if (
 		zipHeader.dataDescriptor
 		&& zipHeader.compressedSize === 0
 	) {
-		return readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer});
+		return readZipDataDescriptorEntryWithLimit(zipHandler, {
+			shouldBuffer,
+			maximumLength: maximumDescriptorLength,
+		});
 	}
 
 	if (!shouldBuffer) {
-		await zipHandler.tokenizer.ignore(zipHeader.compressedSize);
+		await safeIgnore(zipHandler.tokenizer, zipHeader.compressedSize, {
+			maximumLength: hasUnknownFileSize(zipHandler.tokenizer) ? maximumZipEntrySizeInBytes : zipHandler.tokenizer.fileInfo.size,
+			reason: 'ZIP entry compressed data',
+		});
 		return;
 	}
 
@@ -244,7 +270,13 @@ ZipHandler.prototype.inflate = async function (zipHeader, fileData, callback) {
 ZipHandler.prototype.unzip = async function (fileCallback) {
 	let stop = false;
 	let zipEntryCount = 0;
+	const zipScanStart = this.tokenizer.position;
+	this.knownSizeDescriptorScannedBytes = 0;
 	do {
+		if (hasExceededUnknownSizeScanBudget(this.tokenizer, zipScanStart, maximumUntrustedSkipSizeInBytes)) {
+			throw new ParserHardLimitError(`ZIP stream probing exceeds ${maximumUntrustedSkipSizeInBytes} bytes`);
+		}
+
 		const zipHeader = await this.readLocalFileHeader();
 		if (!zipHeader) {
 			break;
@@ -260,6 +292,7 @@ ZipHandler.prototype.unzip = async function (fileCallback) {
 		await this.tokenizer.ignore(zipHeader.extraFieldLength);
 		const fileData = await readZipEntryData(this, zipHeader, {
 			shouldBuffer: Boolean(next.handler),
+			maximumDescriptorLength: Math.min(maximumZipEntrySizeInBytes, getRemainingZipScanBudget(this, zipScanStart)),
 		});
 
 		if (next.handler) {
@@ -273,6 +306,10 @@ ZipHandler.prototype.unzip = async function (fileCallback) {
 				throw new Error(`Expected data-descriptor-signature at position ${this.tokenizer.position - dataDescriptor.length}`);
 			}
 		}
+
+		if (hasExceededUnknownSizeScanBudget(this.tokenizer, zipScanStart, maximumUntrustedSkipSizeInBytes)) {
+			throw new ParserHardLimitError(`ZIP stream probing exceeds ${maximumUntrustedSkipSizeInBytes} bytes`);
+		}
 	} while (!stop);
 };
 
@@ -1001,7 +1038,10 @@ export class FileTypeParser {
 				// Keep ID3 probing bounded for unknown-size streams to avoid attacker-controlled large skips.
 				|| (
 					isUnknownFileSize
-					&& id3HeaderLength > maximumId3HeaderSizeInBytes
+					&& (
+						id3HeaderLength > maximumId3HeaderSizeInBytes
+						|| (tokenizer.position + id3HeaderLength) > maximumId3HeaderSizeInBytes
+					)
 				)
 			) {
 				return;
@@ -1454,6 +1494,10 @@ export class FileTypeParser {
 						return;
 					}
 
+					if (hasExceededUnknownSizeScanBudget(tokenizer, ebmlScanStart, maximumUntrustedSkipSizeInBytes)) {
+						return;
+					}
+
 					const previousPosition = tokenizer.position;
 					const element = await readElement();
 
@@ -1493,6 +1537,7 @@ export class FileTypeParser {
 			}
 
 			const rootElement = await readElement();
+			const ebmlScanStart = tokenizer.position;
 			const documentType = await readChildren(rootElement.len);
 
 			switch (documentType) {
@@ -1875,13 +1920,14 @@ export class FileTypeParser {
 			const isUnknownPngStream = hasUnknownFileSize(tokenizer);
 			const pngScanStart = tokenizer.position;
 			let pngChunkCount = 0;
+			let hasSeenImageHeader = false;
 			do {
 				pngChunkCount++;
 				if (pngChunkCount > maximumPngChunkCount) {
 					break;
 				}
 
-				if (hasExceededUnknownSizeScanBudget(tokenizer, pngScanStart, maximumPngChunkSizeInBytes)) {
+				if (hasExceededUnknownSizeScanBudget(tokenizer, pngScanStart, maximumPngStreamScanBudgetInBytes)) {
 					break;
 				}
 
@@ -1891,18 +1937,34 @@ export class FileTypeParser {
 					return; // Invalid chunk length
 				}
 
+				if (chunk.type === 'IHDR') {
+					// PNG requires the first real image header to be a 13-byte IHDR chunk.
+					if (chunk.length !== 13) {
+						return;
+					}
+
+					hasSeenImageHeader = true;
+				}
+
 				switch (chunk.type) {
 					case 'IDAT':
 						return pngFileType;
 					case 'acTL':
 						return apngFileType;
 					default:
+						if (
+							!hasSeenImageHeader
+							&& chunk.type !== 'CgBI'
+						) {
+							return;
+						}
+
 						if (
 							isUnknownPngStream
 								&& chunk.length > maximumPngChunkSizeInBytes
 						) {
 							// Avoid huge attacker-controlled skips when probing unknown-size streams.
-							return;
+							return hasSeenImageHeader && isPngAncillaryChunk(chunk.type) ? pngFileType : undefined;
 						}
 
 						try {
@@ -2158,8 +2220,16 @@ export class FileTypeParser {
 						break;
 					}
 
+					if (
+						isUnknownFileSize
+						&& payload > maximumAsfHeaderPayloadSizeInBytes
+					) {
+						isMalformedAsf = true;
+						break;
+					}
+
 					await safeIgnore(tokenizer, payload, {
-						maximumLength: isUnknownFileSize ? maximumUntrustedSkipSizeInBytes : tokenizer.fileInfo.size,
+						maximumLength: isUnknownFileSize ? maximumAsfHeaderPayloadSizeInBytes : tokenizer.fileInfo.size,
 						reason: 'ASF header payload',
 					});
 
@@ -2625,6 +2695,13 @@ export class FileTypeParser {
 				}
 			}
 
+			if (
+				hasUnknownFileSize(this.tokenizer)
+				&& ifdOffset > maximumTiffStreamIfdOffsetInBytes
+			) {
+				return tiffFileType;
+			}
+
 			const maximumTiffOffset = hasUnknownFileSize(this.tokenizer) ? maximumTiffIfdOffsetInBytes : this.tokenizer.fileInfo.size;
 
 			try {

package/index.js

@@ -4,6 +4,8 @@ Node.js specific entry point.
 
 import {ReadableStream as WebReadableStream} from 'node:stream/web';
 import {pipeline, PassThrough, Readable} from 'node:stream';
+import fs from 'node:fs/promises';
+import {constants as fileSystemConstants} from 'node:fs';
 import * as strtok3 from 'strtok3';
 import {
 	FileTypeParser as DefaultFileTypeParser,
@@ -42,7 +44,21 @@ export class FileTypeParser extends DefaultFileTypeParser {
 	}
 
 	async fromFile(path) {
-		const tokenizer = await strtok3.fromFile(path);
+		// TODO: Remove this when `strtok3.fromFile()` safely rejects non-regular filesystem objects without a pathname race.
+		const fileHandle = await fs.open(path, fileSystemConstants.O_RDONLY | fileSystemConstants.O_NONBLOCK);
+		const fileStat = await fileHandle.stat();
+		if (!fileStat.isFile()) {
+			await fileHandle.close();
+			return;
+		}
+
+		const tokenizer = new strtok3.FileTokenizer(fileHandle, {
+			...this.getTokenizerOptions(),
+			fileInfo: {
+				path,
+				size: fileStat.size,
+			},
+		});
 		try {
 			return await super.fromTokenizer(tokenizer);
 		} finally {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "file-type",
-	"version": "21.3.2",
+	"version": "21.3.3",
 	"description": "Detect the file type of a file, stream, or data",
 	"license": "MIT",
 	"repository": "sindresorhus/file-type",

package/readme.md

@@ -10,6 +10,9 @@ This package is for detecting binary-based file formats, not text-based formats
 
 We accept contributions for commonly used modern file formats, not historical or obscure ones. Open an issue first for discussion.
 
+> [!IMPORTANT]
+> NO SECURITY REPORTS WILL BE ACCEPTED RIGHT NOW. I'm currently hardening the parser and all the low-quality AI-generated security reports is just a huge waste of time.
+
 ## Install
 
 ```sh