termbeam 1.2.9 → 1.2.10

package/README.md

@@ -128,7 +128,9 @@ Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `TERMBEAM_LO
 
 TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. By default, the server binds to `127.0.0.1` (localhost only). Use `--lan` or `--host 0.0.0.0` to allow LAN access, or `--no-tunnel` to disable the tunnel.
 
-Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.
+Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header.
+
+For the full threat model, safe usage guidance, and a quick safety checklist, see [SECURITY.md](SECURITY.md). For detailed security feature documentation, see the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/).
 
 ## Contributing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.2.9",
+  "version": "1.2.10",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/src/routes.js

@@ -9,6 +9,30 @@ const log = require('./logger');
 const PUBLIC_DIR = path.join(__dirname, '..', 'public');
 const uploadedFiles = new Map(); // id -> filepath
 
+const IMAGE_SIGNATURES = [
+  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
+  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
+  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
+  { type: 'image/webp', offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] },
+  { type: 'image/bmp', bytes: [0x42, 0x4d] },
+];
+
+function validateMagicBytes(buffer, contentType) {
+  const sig = IMAGE_SIGNATURES.find((s) => s.type === contentType);
+  if (!sig) return true; // unknown type, skip validation
+  const offset = sig.offset || 0;
+  if (buffer.length < offset + sig.bytes.length) return false;
+  const match = sig.bytes.every((b, i) => buffer[offset + i] === b);
+  if (!match) return false;
+  // WebP requires RIFF header at offset 0
+  if (contentType === 'image/webp') {
+    const riff = [0x52, 0x49, 0x46, 0x46];
+    if (buffer.length < 4) return false;
+    return riff.every((b, i) => buffer[i] === b);
+  }
+  return true;
+}
+
 function setupRoutes(app, { auth, sessions, config, state }) {
   // Serve static files (manifest.json, sw.js, icons, etc.)
   app.use(express.static(PUBLIC_DIR, { index: false }));
@@ -204,6 +228,10 @@ function setupRoutes(app, { auth, sessions, config, state }) {
       if (!buffer.length) {
         return res.status(400).json({ error: 'No image data' });
       }
+      if (!validateMagicBytes(buffer, contentType)) {
+        log.warn(`Upload rejected: content-type "${contentType}" does not match file signature`);
+        return res.status(400).json({ error: 'File content does not match declared image type' });
+      }
       const ext =
         {
           'image/png': '.png',