feat: ACN Application Security Standard V7.30 compliance (19/23 items)
CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
/**
|
||||
* Validates that the actual bytes of a base64-encoded image match its declared MIME type.
|
||||
* This prevents attackers from uploading malicious files with a spoofed extension/MIME.
|
||||
*/
|
||||
|
||||
interface MagicSignature {
|
||||
mimeType: string;
|
||||
bytes: number[];
|
||||
}
|
||||
|
||||
const SIGNATURES: MagicSignature[] = [
|
||||
{ mimeType: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47] }, // .PNG
|
||||
{ mimeType: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
|
||||
{ mimeType: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46] }, // RIFF (WebP starts with RIFF....WEBP)
|
||||
{ mimeType: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // GIF8
|
||||
{ mimeType: "image/bmp", bytes: [0x42, 0x4d] }, // BM
|
||||
{ mimeType: "image/tiff", bytes: [0x49, 0x49, 0x2a, 0x00] }, // Little-endian TIFF
|
||||
{ mimeType: "image/tiff", bytes: [0x4d, 0x4d, 0x00, 0x2a] }, // Big-endian TIFF
|
||||
];
|
||||
|
||||
/**
|
||||
* Detects the actual MIME type of a binary buffer by checking magic bytes.
|
||||
* Returns null if no known image signature matches.
|
||||
*/
|
||||
export function detectImageMime(buffer: Uint8Array): string | null {
|
||||
for (const sig of SIGNATURES) {
|
||||
if (buffer.length >= sig.bytes.length && sig.bytes.every((b, i) => buffer[i] === b)) {
|
||||
// Extra check for WebP: bytes 8-11 must be "WEBP"
|
||||
if (sig.mimeType === "image/webp") {
|
||||
if (buffer.length < 12) continue;
|
||||
const webpTag = String.fromCharCode(buffer[8]!, buffer[9]!, buffer[10]!, buffer[11]!);
|
||||
if (webpTag !== "WEBP") continue;
|
||||
}
|
||||
return sig.mimeType;
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a data URL by comparing its declared MIME type against the actual magic bytes.
|
||||
* Returns { valid: true } or { valid: false, reason: string }.
|
||||
*/
|
||||
export function validateImageDataUrl(dataUrl: string): { valid: true } | { valid: false; reason: string } {
|
||||
// Parse the data URL
|
||||
const match = dataUrl.match(/^data:(image\/[a-z+]+);base64,(.+)$/i);
|
||||
if (!match) {
|
||||
return { valid: false, reason: "Not a valid base64 image data URL." };
|
||||
}
|
||||
|
||||
const declaredMime = match[1]!.toLowerCase();
|
||||
const base64 = match[2]!;
|
||||
|
||||
// Decode at least the first 16 bytes for signature checking
|
||||
let buffer: Uint8Array;
|
||||
try {
|
||||
const chunk = base64.slice(0, 24); // 24 base64 chars = 18 bytes, more than enough
|
||||
buffer = Uint8Array.from(atob(chunk), (c) => c.charCodeAt(0));
|
||||
} catch {
|
||||
return { valid: false, reason: "Invalid base64 encoding." };
|
||||
}
|
||||
|
||||
const actualMime = detectImageMime(buffer);
|
||||
if (!actualMime) {
|
||||
return { valid: false, reason: "File content does not match any known image format." };
|
||||
}
|
||||
|
||||
// Allow JPEG variants (image/jpeg matches image/jpg header)
|
||||
const normalize = (m: string) => m.replace("image/jpg", "image/jpeg");
|
||||
if (normalize(declaredMime) !== normalize(actualMime)) {
|
||||
return {
|
||||
valid: false,
|
||||
reason: `MIME type mismatch: declared "${declaredMime}" but actual content is "${actualMime}".`,
|
||||
};
|
||||
}
|
||||
|
||||
return { valid: true };
|
||||
}
|
||||
Reference in New Issue
Block a user