knee-cola/evidencija-rezija
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add core security utilities for checksum-based share links

Browse Source 
- Add HMAC-SHA256 checksum generation and validation (shareChecksum.ts)
- Add PDF magic bytes validation to prevent file spoofing (pdfValidator.ts)
- Add IP-based rate limiting for upload abuse prevention (uploadRateLimiter.ts)
- Update BillingLocation interface with shareTTL and shareFirstVisitedAt fields
- Add environment variables for share link security and TTL configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Knee Cola
2025-12-08 00:14:20 +01:00
parent 4a5195c938
commit a6ab35a959
5 changed files with 185 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
app/lib/validators/pdfValidator.ts Normal file
View File

@@ -0,0 +1,46 @@
/**
* Validate that uploaded file is a legitimate PDF
* Checks magic bytes, not just MIME type
*/
export async function validatePdfFile(file: File): Promise<{ valid: boolean; error?: string }> {
// Check file size first (quick rejection)
const maxFileSizeKB = parseInt(process.env.MAX_PROOF_OF_PAYMENT_UPLOAD_SIZE_KB || '1024', 10);
const maxFileSizeBytes = maxFileSizeKB * 1024;
if (file.size === 0) {
return { valid: false, error: 'File is empty' };
}
if (file.size > maxFileSizeBytes) {
return { valid: false, error: `File size exceeds ${maxFileSizeKB} KB limit` };
}
// Read file content
const arrayBuffer = await file.arrayBuffer();
const buffer = Buffer.from(arrayBuffer);
// Check PDF magic bytes (header signature)
// PDF files must start with "%PDF-" (bytes: 25 50 44 46 2D)
const header = buffer.toString('utf-8', 0, 5);
if (!header.startsWith('%PDF-')) {
return { valid: false, error: 'Invalid PDF file format' };
}
// Optional: Check for PDF version (1.0 to 2.0)
const version = buffer.toString('utf-8', 5, 8); // e.g., "1.4", "1.7", "2.0"
const versionMatch = version.match(/^(\d+\.\d+)/);
if (!versionMatch) {
return { valid: false, error: 'Invalid PDF version' };
}
// Optional: Verify PDF EOF marker (should end with %%EOF)
// Note: Some PDFs have trailing data, so this is lenient
const endSection = buffer.toString('utf-8', Math.max(0, buffer.length - 1024));
if (!endSection.includes('%%EOF')) {
console.warn('PDF missing EOF marker - may be corrupted');
// Don't reject, just warn (some valid PDFs have non-standard endings)
}
return { valid: true };
}