File upload security: no content scanning before storage (MIME spoofing, ZIP bombs, macros)

[SonoTommy]

File upload security: no content scanning before storage

Context

This boilerplate ships with a well-structured file upload module supporting local and S3 drivers, including s3-presigned for production. The architecture is correct — the problem is that no step inspects file content before the record is committed to the database.

This means a client can upload:

• A file with a spoofed MIME type or extension (e.g. a script disguised as avatar.jpg)
• A ZIP bomb that expands to exhaust resources when later extracted or processed
• An Office file with embedded macros, or a PDF with embedded JavaScript actions
• A polyglot file that is valid in multiple formats simultaneously

These bypass the current size and extension checks entirely, because they operate at the byte-content level — not at the filename or client-reported MIME level.

Natural integration point

For the local driver: scan req.file.buffer (already in memory via multer) before writing to disk.

For the s3-presigned driver: scan after the client uploads to the quarantine bucket and before promoting to the production bucket and saving the DB record.

Suggested tool

pompelmi is an MIT-licensed, in-process Node.js scanner with a dedicated NestJS integration package (@pompelmi/nestjs-integration, already listed in awesome-nestjs). Zero external API calls — files never leave the process.

Minimal NestJS guard using the existing module structure:

import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';

// Inside your FilesService, before saving:
const report = await scanBytes(file.buffer, {
  filename: file.originalname,
  mimeType: file.mimetype,
  policy: STRICT_PUBLIC_UPLOAD,
  failClosed: true,
});

if (report.verdict !== 'clean') {
  throw new UnprocessableEntityException({
    status: HttpStatus.UNPROCESSABLE_ENTITY,
    errors: { file: `blocked: ${report.reasons.join(', ')}` },
  });
}

Proposed changes

1. Add a scan step inside FilesLocalService and FilesS3PresignedService before committing to storage
2. Add pompelmi to the docs under file-uploading.md as the recommended scanning approach
3. Optionally: expose scan policy as a config option so teams can tune sensitivity

Happy to submit a PR — let me know which scope works best.

---

References

• pompelmi NestJS integration: https://github.com/pompelmi/pompelmi/tree/main/packages/nestjs
• awesome-nestjs listing: https://github.com/nestjs/awesome-nestjs
• pompelmi repo: https://github.com/pompelmi/pompelmi
• Coverage: Node Weekly Nest API service not able to connect Postgres using docker compose #594, Help Net Security, Stack Overflow Blog
• License: MIT

[AdityaPaneru]

Hi @SonoTommy, I’m really impressed by the secure-by-default direction for this boilerplate. File upload security is often overlooked, and the pompelmi with memoryStorage setup feels like a smart and streamlined solution.

I specialize in backend systems and security, and I’d be excited to contribute this implementation. I can ensure the routes, tests, and documentation align seamlessly with the existing project standards.

Would you be comfortable with me working on this?

[SonoTommy]

Hi @AdityaPaneru , thanks for the interest!
Quick note on pompelmi's scope before you start: it's intentionally a minimal wrapper — it spawns clamscan locally or connects to a remote clamd via TCP and returns a typed Verdict Symbol (Verdict.Clean, Verdict.Malicious, Verdict.ScanError). No daemon management, no config objects, no cloud dependency. ClamAV must be installed on the host.
For the boilerplate context this means the implementation should:

Use multer's memoryStorage() so the file never touches disk before scanning
Write the buffer to a temp file, scan it, then delete it (or use the host/port option if clamd is running as a sidecar)
Handle all three Verdict cases explicitly — including ScanError as a reject-by-default

The PR scope you outlined looks right. One suggestion: keep ClamAV installation as a documented prerequisite in the README rather than trying to automate it — that keeps the boilerplate lean.
Happy to review whenever you're ready. Feel free to ping me if anything in the pompelmi API is unclear.

please read docs from https://pompelmi.app and from https://github.com/pompelmi/pompelmi

[AdityaPaneru]

Hi @SonoTommy, thanks for the detailed clarification — that really cleared things up. I’ll follow the approach you outlined and start working on the implementation. I’ll share the PR soon.

[AdityaPaneru]

Hi @SonoTommy, I've submitted a PR implementing the file upload security scanning you proposed.

Here's what's covered:

• Created FileScanService using pompelmi + ClamAV (scanBuffer)
• Local driver: switched to memoryStorage, scans buffer before writing to disk
• S3 presigned driver: quarantine bucket pattern — client uploads to quarantine,
  POST /files/confirm downloads, scans, and promotes to production bucket
• Added POST /files/confirm endpoint for the S3 presigned confirm step
• Updated docs/file-uploading.md with setup instructions and flow diagrams

PR: #2184

Happy to make any changes based on your feedback!