Feature/secure file upload #2184

Open: AdityaPaneru wants to merge 2 commits into brocoders:main from AdityaPaneru:feature/secure-file-upload

@AdityaPaneru


Summary

Adds file upload security scanning using pompelmi + ClamAV before any
file is written to disk or committed to the database.

Closes #2169

Changes

New files

  • src/files/infrastructure/uploader/scan/file-scan.service.ts — shared FileScanService using pompelmi scanBuffer with ClamAV

Modified files

  • src/files/infrastructure/uploader/local/files.module.ts — switched to memoryStorage, added FileScanService to providers
  • src/files/infrastructure/uploader/local/files.service.ts — scans buffer before writing to disk, only writes to disk if scan passes
  • src/files/infrastructure/uploader/s3-presigned/files.module.ts — switched to memoryStorage, added FileScanService to providers
  • src/files/infrastructure/uploader/s3-presigned/files.service.ts — create() now points presigned URL to quarantine bucket, added confirmUpload() which scans and promotes to production bucket
  • src/files/infrastructure/uploader/s3-presigned/files.controller.ts — added POST /files/confirm endpoint
  • src/files/infrastructure/uploader/s3-presigned/dto/file-confirm.dto.ts — new DTO for confirm endpoint
  • docs/file-uploading.md — added scanning documentation with mermaid flow diagrams
  • env-example-relational — added AWS_DEFAULT_S3_BUCKET_QUARANTINE, CLAMAV_HOST, CLAMAV_PORT

How it works

Local driver

  1. File lands in memory via multer memoryStorage
  2. Buffer is scanned via ClamAV
  3. If clean: written to disk and DB record saved
  4. If malicious or scan error: 422 returned, nothing touches disk

S3 presigned driver

  1. POST /files/upload returns presigned URL pointing to quarantine bucket
  2. Client uploads directly to quarantine bucket
  3. POST /files/confirm downloads from quarantine and scans the buffer
  4. If clean: promoted to production bucket, DB record saved
  5. If malicious or scan error: deleted from quarantine, 422 returned

What it catches

  • Malware and virus signatures via ClamAV
  • Fails closed — upload rejected if ClamAV is unreachable

Prerequisites

ClamAV must be running:

docker run -d --name clamav -p 3310:3310 clamav/clamav:stable

Testing

  • yarn build passes with 0 errors
  • yarn lint passes with 0 errors
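
The S3 presigned flow described in this pull request, reduced to its decision logic, as an added example that is not code from the pull request. `Bucket`, `Scanner`, `confirmUpload` and the stub scanners are hypothetical names; plain objects stand in for the two buckets and the scanner call is synchronous so the block runs offline (real S3 and ClamAV calls are asynchronous).

```typescript
// Added example, not code from the pull request. All names are hypothetical.
type Bucket = Record<string, Uint8Array>;       // stand-in for an S3 bucket
type Verdict = { clean: boolean; signature?: string };
type Scanner = (data: Uint8Array) => Verdict;   // throws when the scanner is unreachable
type Result = { promoted: boolean; status?: number; reason: string };

function confirmUpload(key: string, quarantine: Bucket, production: Bucket, scan: Scanner): Result {
  // Only keys that were actually uploaded to quarantine can be confirmed.
  // Assumption: an unknown key is rejected with the same 422 as a failed scan.
  if (!Object.prototype.hasOwnProperty.call(quarantine, key)) {
    return { promoted: false, status: 422, reason: "not-in-quarantine" };
  }
  const data = quarantine[key];
  let verdict: Verdict;
  try {
    verdict = scan(data);
  } catch (e) {
    // Fail closed: an unreachable scanner is handled like a detection.
    verdict = { clean: false, signature: "scan-error" };
  }
  // Assumption: promotion is a move, so the quarantine copy goes away on every path.
  delete quarantine[key];
  if (verdict.clean !== true) {
    return { promoted: false, status: 422, reason: verdict.signature || "rejected" };
  }
  production[key] = data; // reached only with an explicit clean verdict
  return { promoted: true, reason: "clean" };
}

// Constructed scanners: a first byte of 0xEE counts as a detection; downScan models an outage.
const stubScan: Scanner = (d) =>
  d[0] === 0xee ? { clean: false, signature: "Constructed.Test.Signature" } : { clean: true };
const downScan: Scanner = () => { throw new Error("scanner unreachable (constructed)"); };

function demo() {
  const quarantine: Bucket = {           // constructed sample objects
    "a.png": new Uint8Array([0x89, 0x50]),
    "b.bin": new Uint8Array([0xee, 0x01]),
    "c.txt": new Uint8Array([0x68, 0x69]),
  };
  const production: Bucket = {};
  const results = [
    confirmUpload("a.png", quarantine, production, stubScan),
    confirmUpload("b.bin", quarantine, production, stubScan),
    confirmUpload("c.txt", quarantine, production, downScan),
  ];
  return { results, quarantine, production };
}
console.log(demo().results);
```
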


Development

Successfully merging this pull request may close these issues.

File upload security: no content scanning before storage (MIME spoofing, ZIP bombs, macros)