fix: add MIME type magic byte validation to prevent spoofed file uploads (#137) #1519

Open
sachin-mahato25 wants to merge 1 commit into magic-peach:main from sachin-mahato25:main
@sachin-mahato25

Closes #137

What changed

  • Added validateVideoMagicBytes() in src/utils/video-validation.ts that reads the first 12 bytes of the uploaded file and checks them against known video format magic byte signatures
  • Updated handleFile in src/components/FileUpload.tsx to be async and call the magic byte check before processing
  • Added try/catch so file read failures show a friendly error message
  • Validation runs before the file is passed to FFmpeg

Formats supported

  • MP4 / MOV — ftyp box at byte offset 4
  • WebM / MKV — EBML magic bytes 0x1A 0x45 0xDF 0xA3
  • AVI — RIFF header
  • OGG — OggS signature
  • FLV — FLV\x01 signature
  • MPEG-TS — sync byte 0x47
  • MPEG-PS — pack start code
  • 3GPP — ftyp3g at byte offset 4

Testing

  • Renamed a .txt file to .mp4 → correctly rejected with error message
  • Uploaded a real .mp4 video → loaded and processed normally
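
An added example, not code from this PR, of the signature check the description above lists. The function and sample names are hypothetical, and unlike the 12-byte read in the description it assumes the caller supplies at least 377 bytes when MPEG-TS must be accepted, so that a lone 0x47 (ASCII "G") or a bare RIFF header (shared with WAV and WebP) does not pass as video.

```typescript
// Added example; names are hypothetical, not the PR's validateVideoMagicBytes().
type Container = "iso-bmff" | "matroska" | "avi" | "ogg" | "flv" | "mpeg-ps" | "mpeg-ts";

const ascii = (s: string): number[] => s.split("").map((c) => c.charCodeAt(0));

// True when `sig` occurs in `buf` at `offset`; false if the buffer is too short.
function hasBytes(buf: Uint8Array, offset: number, sig: number[]): boolean {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

const TS_PACKET = 188; // MPEG-TS packets are 188 bytes, each starting with 0x47

// Returns the detected container family, or null when no signature matches.
function sniffVideoContainer(head: Uint8Array): Container | null {
  if (hasBytes(head, 4, ascii("ftyp"))) return "iso-bmff"; // MP4 / MOV / 3GPP
  if (hasBytes(head, 0, [0x1a, 0x45, 0xdf, 0xa3])) return "matroska"; // WebM / MKV
  // RIFF alone also matches WAV and WebP, so require the "AVI " form type too.
  if (hasBytes(head, 0, ascii("RIFF")) && hasBytes(head, 8, ascii("AVI "))) return "avi";
  if (hasBytes(head, 0, ascii("OggS"))) return "ogg";
  if (hasBytes(head, 0, ascii("FLV\x01"))) return "flv";
  if (hasBytes(head, 0, [0x00, 0x00, 0x01, 0xba])) return "mpeg-ps";
  // A lone 0x47 is ASCII "G"; require the sync byte on three consecutive packets.
  if ([0, 1, 2].every((n) => hasBytes(head, n * TS_PACKET, [0x47]))) return "mpeg-ts";
  return null;
}

// Constructed sample inputs (not real media files).
function sample(len: number, parts: Array<[number, number[]]>): Uint8Array {
  const buf = new Uint8Array(len);
  for (const [off, bytes] of parts) buf.set(bytes, off);
  return buf;
}
const samples = {
  mp4: sample(12, [[0, [0, 0, 0, 0x18]], [4, ascii("ftypisom")]]), // -> "iso-bmff"
  renamedTxt: new Uint8Array(ascii("Grocery list: eggs, milk")), // -> null
  wav: sample(12, [[0, ascii("RIFF")], [8, ascii("WAVE")]]), // -> null
  avi: sample(12, [[0, ascii("RIFF")], [8, ascii("AVI ")]]), // -> "avi"
  ts: sample(3 * TS_PACKET, [[0, [0x47]], [188, [0x47]], [376, [0x47]]]), // -> "mpeg-ts"
};
```

With only a 12-byte window the MPEG-TS branch can never match, so a caller that needs TS support has to read a larger slice of the file before calling it.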

@vercel

vercel Bot commented Jun 3, 2026

@sachin-mahato25 is attempting to deploy a commit to the magic-peach1's projects Team on Vercel.

A member of the Team first needs to authorize it.

github-actions Bot added the level:intermediate (Intermediate level - 35 pts), type:bug (Bug fix) and type:testing (Testing) labels Jun 3, 2026
@github-actions
Contributor

github-actions Bot commented Jun 3, 2026

✅ PR Format Check Passed — @sachin-mahato25

Basic format checks passed. A maintainer will review your code changes.

This does not mean the PR is approved — it just means the format is correct.

@github-actions
Contributor

github-actions Bot commented Jun 3, 2026

👋 Thanks for your PR, @sachin-mahato25!

Welcome to Reframe — a browser-based video editor built for everyone 🎬

What happens next

  1. 🤖 Automated checks — build & TypeScript typecheck will run automatically
  2. Vercel preview — a preview deployment will be created (requires maintainer authorization for fork PRs)
  3. 👀 Code review — a maintainer will review your changes
  4. 🚀 Merge — once approved, your PR will be merged!

Quick checklist

  • PR title follows Conventional Commits (e.g. feat: add dark mode)
  • Linked the issue this PR closes (e.g. Closes #123)
  • Tested the changes locally (bun run dev)
  • Build passes (bun run build)

Useful links

Happy coding! 🎉

@sachin-mahato25
Author

Hey @magic-peach! I've worked on issue #137 and submitted a PR that adds magic byte validation to verify actual file headers instead of relying on extensions/MIME types. Tested with both fake and real video files. ✅

You can check it, verify it, and request changes if needed.

Development

Successfully merging this pull request may close these issues.

[Security] Add MIME type validation beyond file extension checking