🛡️ Sentinel: [HIGH] Fix unvalidated file uploads in presigned URL generation#146
🛡️ Sentinel: [HIGH] Fix unvalidated file uploads in presigned URL generation#146xb1g wants to merge 1 commit into
Conversation
…eration - Updated `app/api/upload/presigned/route.ts` to use centralized `validateFile` logic. - Applied `ALLOWED_GENERAL_TYPES` and `MAX_GENERAL_SIZE` constants to restrict file extensions and MIME types. - Fixed vulnerability allowing arbitrary and dangerous file uploads to bypass client-side checks and receive valid storage presigned URLs. - Documented findings in `.jules/sentinel.md`. Co-authored-by: xb1g <70068561+xb1g@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
xb1g
force-pushed
the
sentinel/fix-presigned-url-validation-7436328136503941214
branch
from
6ded27a to
3cb183f
Compare
|
Unable to deploy a commit from a private repository on your GitHub organization to the wachaa1319's projects team on Vercel, which is currently on the Hobby plan. In order to deploy, you can:
To read more about collaboration on Vercel, click here. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the app/api/upload/presigned endpoint by switching from ad-hoc size checks to the shared upload validation utilities, reducing the risk of issuing presigned URLs for disallowed uploads.
Changes:
- Replaced the presigned URL route’s manual file-size-only validation with centralized
validateFile(...)checks. - Standardized allowed MIME types / size limits by importing shared upload constants.
- Updated the Sentinel security journal entry to record the vulnerability and prevention guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| app/api/upload/presigned/route.ts | Applies shared upload validation before issuing Backblaze B2 presigned upload URLs. |
| .jules/sentinel.md | Records the vulnerability context and recommended prevention approach. |
| const validation = validateFile( | ||
| fileName, | ||
| fileSize, | ||
| fileType, | ||
| ALLOWED_GENERAL_TYPES, | ||
| MAX_GENERAL_SIZE | ||
| ); |
| const validation = validateFile( | ||
| fileName, | ||
| fileSize, | ||
| fileType, | ||
| ALLOWED_GENERAL_TYPES, | ||
| MAX_GENERAL_SIZE | ||
| ); | ||
|
|
||
| if (!validation.valid) { | ||
| return NextResponse.json({ error: validation.error }, { status: 400 }); | ||
| } |
| **Vulnerability:** The presigned URL generation endpoint (`app/api/upload/presigned/route.ts`) checks file size manually, but bypasses the central `validateFile` function. It does not validate `fileName` extensions against `DANGEROUS_EXTENSIONS` or `fileType` against allowed mime types. This can allow users to request signed URLs to upload arbitrary and dangerous file types (like `.exe` or `.html`) directly to the storage bucket, bypassing client-side checks. | ||
| **Learning:** Even when delegating the actual upload to a third-party service via presigned URLs, the endpoint generating the URL must still perform strict validation on the proposed file metadata (name and type), as attackers can trivially bypass client-side checks to request a signature for a malicious payload. | ||
| **Prevention:** Always use centralized validation utilities (like `validateFile` from `lib/constants/upload.ts`) on all file upload paths, whether handling the stream directly or issuing a presigned URL. |
xb1g
force-pushed
the
sentinel/fix-presigned-url-validation-7436328136503941214
branch
from
3cb183f to
91a5963
Compare
xb1g
force-pushed
the
sentinel/fix-presigned-url-validation-7436328136503941214
branch
from
91a5963 to
dcb22e7
Compare
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs |
web | dcb22e7 | May 11 2026, 06:23 PM |
🚨 Severity: HIGH
💡 Vulnerability: The
/api/upload/presignedendpoint responsible for generating storage upload URLs manually validated only file size, omitting critical file extension and MIME type validation. Attackers could bypass client constraints to request valid signatures to upload executables or arbitrary payloads directly to the storage bucket.🎯 Impact: Risk of distributing malware, hosting executable content, and bypassing platform usage guidelines.
🔧 Fix: Imported
validateFilefrom@/lib/constants/uploadand enforced standardized MIME type checks and theDANGEROUS_EXTENSIONSdeny list before issuing presigned URLs.✅ Verification: Verified fix through local linting, testing suite (
pnpm test), and codebase static checks. Journaled critical learning in.jules/sentinel.md.PR created automatically by Jules for task 7436328136503941214 started by @xb1g