Harden file signature validation and improve security logging#51

Merged
Krosebrook merged 5 commits into sentinel-fix-file-upload-bypass-2628575097628889752 from copilot/sub-pr-48
Feb 16, 2026

Conversation

Contributor

Copilot AI commented Feb 14, 2026

Addresses code review feedback on PR #48's file upload validation security fix. The original implementation had validation gaps and lacked security monitoring.

Changes

File signature validation

  • Expand MP3 detection to include MPEG-1 (FF FA), MPEG-2.5 (FF E3/E2) sync frames beyond the original MPEG-2 patterns
  • Fix M4A validation bypass by checking major brand at bytes 8-11 and rejecting generic MP4 containers (isom, mp41, mp42)
  • Narrow AAC ADTS detection to FF F1/F9 only to avoid false positives with MP3 sync frames

Security monitoring

  • Log validation failures with sanitized request metadata (userId, fileSize, mimeType, originalName) for incident response
  • Enhance sanitizeLog utility to strip newlines from all strings, preventing log injection attacks across the codebase

Code quality

  • Remove branded comment prefixes per style guide
  • Add test coverage for all new validation patterns and edge cases (18 total signature tests)

// Before: Accepts any ftyp container
if (header[4] === 0x66 && header[5] === 0x74 && header[6] === 0x79 && header[7] === 0x70) {
  return true;  // MP4 videos pass!
}

// After: Validates audio-specific brands
if (header[4] === 0x66 && header[5] === 0x74 && header[6] === 0x79 && header[7] === 0x70) {
  const majorBrand = header.toString("ascii", 8, 12);
  const allowedM4ABrands = new Set(["M4A ", "M4B ", "M4P "]);
  return allowedM4ABrands.has(majorBrand);
}


Summary by cubic

Fixes a file upload validation bypass with stricter magic‑byte checks and safe, sanitized logging. Expands audio signature validation and adds tests for newline stripping and new formats.

  • Bug Fixes
    • Harden audio signature checks: broaden MP3 sync frames, tighten AAC ADTS (FF F1/F9), allow only M4A/M4B/M4P, reject MP4 "isom".
    • Block bad uploads: reject type mismatches, double extensions, oversized files; sanitize filenames and strip paths.
    • Centralize safe logging with sanitizeLog (removes CR/LF); log signature failures with sanitized user/file details; expand tests for new signatures and log injection.

Written for commit a7143da. Summary will update on new commits.

Copilot AI and others added 3 commits February 14, 2026 23:34
Co-authored-by: Krosebrook <214532761+Krosebrook@users.noreply.github.com>
Co-authored-by: Krosebrook <214532761+Krosebrook@users.noreply.github.com>
Co-authored-by: Krosebrook <214532761+Krosebrook@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix file upload validation bypass vulnerability" to "Harden file signature validation and improve security logging" Feb 14, 2026
Copilot AI requested a review from Krosebrook February 14, 2026 23:37
@Krosebrook Krosebrook marked this pull request as ready for review February 16, 2026 12:55
Copilot AI review requested due to automatic review settings February 16, 2026 12:55
@Krosebrook Krosebrook merged commit 0b53a50 into sentinel-fix-file-upload-bypass-2628575097628889752 Feb 16, 2026
@Krosebrook Krosebrook deleted the copilot/sub-pr-48 branch February 16, 2026 12:55

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files


Copilot AI left a comment

Pull request overview

This PR hardens file upload security by improving audio file signature validation and adding security logging for validation failures. It addresses feedback from PR #48 by closing validation gaps that could allow malicious files to bypass MIME-type checks.

Changes:

  • Expands MP3 detection to cover MPEG-1 (FF FA), MPEG-2 (FF F2), and MPEG-2.5 (FF E2, FF E3) sync frames beyond the original MPEG-2 patterns
  • Fixes M4A validation bypass by checking the major brand field (bytes 8-11) and rejecting generic MP4 container brands (isom, mp41, mp42) while accepting only audio-specific brands (M4A, M4B, M4P)
  • Enhances sanitizeLog utility to strip newlines from all string values, preventing log injection attacks across the codebase
  • Adds security logging for file signature validation failures with sanitized metadata (userId, fileSize, mimeType, originalName) for incident response

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File: server/utils.ts
Description: Adds newline stripping to sanitizeLog to prevent log injection attacks

File: server/utils.test.ts
Description: Adds test coverage for log injection prevention and new audio signature patterns (MP3 variants, M4A brands, MP4 rejection)

File: server/routes.ts
Description: Imports sanitizeLog and logs validation failures with sanitized request metadata for security monitoring

Comment on lines +123 to +127
{
  name: "Valid M4B (ftyp)",
  input: Buffer.from([0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x4D, 0x34, 0x42, 0x20]),
  expected: true,
},

Copilot AI Feb 16, 2026

There are two nearly identical test cases for M4B format. The test at lines 119-122 is named "Valid M4A (M4B brand)" (existing test) and the newly added test at lines 124-126 is named "Valid M4B (ftyp)". Both test the M4B brand with the same signature pattern, differing only in the box size prefix (0x20 vs 0x1C). Consider consolidating these into a single test case or clarifying the distinction in the test names if the different box sizes represent distinct test scenarios.

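Added example, not the project's code: the magic-byte checks and log sanitising that the PR description and the review overview above describe, written over a Uint8Array so it also accepts Node Buffers. The function names, the MIME-type mapping and the sample headers are assumptions; the MP3 sync set adds the no-CRC MPEG-1 and MPEG-2 variants (FF FB, FF F3) alongside the patterns the PR lists.

```typescript
// Added example (not the project's code). Sync-byte tables: second byte of an MP3 Layer III
// frame header for MPEG-1 (FA/FB), MPEG-2 (F2/F3), MPEG-2.5 (E2/E3); AAC ADTS kept to F1/F9
// (no-CRC MPEG-4/MPEG-2) so FF FB etc. are never mistaken for AAC.
const MP3_SYNC_SECOND_BYTE = new Set([0xfa, 0xfb, 0xf2, 0xf3, 0xe2, 0xe3]);
const AAC_ADTS_SECOND_BYTE = new Set([0xf1, 0xf9]);
const ALLOWED_M4A_BRANDS = new Set(["M4A ", "M4B ", "M4P "]); // generic isom/mp41/mp42 are rejected

function ascii(bytes: Uint8Array, start: number, end: number): string {
  return Array.from(bytes.subarray(start, end), (b) => String.fromCharCode(b)).join("");
}

export function isMp3(header: Uint8Array): boolean {
  if (header.length >= 3 && ascii(header, 0, 3) === "ID3") return true; // ID3v2 tag precedes the first frame
  return header.length >= 2 && header[0] === 0xff && MP3_SYNC_SECOND_BYTE.has(header[1]);
}

export function isAacAdts(header: Uint8Array): boolean {
  return header.length >= 2 && header[0] === 0xff && AAC_ADTS_SECOND_BYTE.has(header[1]);
}

export function isM4a(header: Uint8Array): boolean {
  // "ftyp" at bytes 4-7, then the 4-byte major brand at bytes 8-11 must be an audio brand
  if (header.length < 12 || ascii(header, 4, 8) !== "ftyp") return false;
  return ALLOWED_M4A_BRANDS.has(ascii(header, 8, 12));
}

// Assumed mapping from the declared MIME type to the signature check; unknown types fail closed.
export function matchesDeclaredType(header: Uint8Array, mimeType: string): boolean {
  switch (mimeType) {
    case "audio/mpeg": return isMp3(header);
    case "audio/aac": return isAacAdts(header);
    case "audio/mp4": case "audio/x-m4a": return isM4a(header);
    default: return false;
  }
}

export function sanitizeLog(value: unknown): string {
  return String(value).replace(/[\r\n]/g, ""); // CR/LF removed so a filename cannot forge extra log lines
}

// The sanitized record a route would emit on a signature validation failure (field set from the PR).
export function validationFailureRecord(meta: { userId: string; fileSize: number; mimeType: string; originalName: string }): Record<string, string> {
  return {
    event: "file_signature_validation_failed",
    userId: sanitizeLog(meta.userId), fileSize: sanitizeLog(meta.fileSize),
    mimeType: sanitizeLog(meta.mimeType), originalName: sanitizeLog(meta.originalName),
  };
}

// Constructed sample: a 32-byte ftyp box whose major brand is the given 4-character string.
export function ftypHeader(brand: string): Uint8Array {
  return new Uint8Array([0, 0, 0, 0x20, 0x66, 0x74, 0x79, 0x70, ...Array.from(brand, (c) => c.charCodeAt(0))]);
}
```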