AddFileTypeValidator doesn't work correctly #14970
Comments
NirZamirGuardz
changed the title
|
@Chathula I think an unintended breaking change was added when you made I used to do custom validators using Now since the method is async, it will break a lot of custom validators. |
I will consider this as well |
|
Just wondering, how come this (kinda serious) breaking change wasn't intercepted by CI/tests ? |
|
we just updated as well - and are getting similar issues where a previously working file upload is now failing. suspect that it may be because the propose: adding file-type as a dependency or |
|
One of the dependencies in the file-type package has an issue detecting a PNG file buffer and throws an error. I have already created tickets on that. strtok3: Borewit/strtok3#1224 |
Making this function synchronous will not be easy as we are using the Then we have to use a package like this, or we have to implement our own helper to detect the file type based on the buffer. I used this package earlier https://github.com/nir11/file-type-checker. But @kamilmysliwiec mentioned that it doesn't have enough popularity to use it. |
|
For now, you can use below const fileTypeValidator = new FileTypeValidator({
fileType: 'image/jpeg',
skipMagicNumbersValidation: true,
}); |
|
mmmm thats unfortunate that PNG's dont work - its one of our primary use-cases (to allow image uploads, but not malicious files) we'd be willing to use |
I assume you try to load the file-type, which is an ESM module, in a TypeScript CommonJS project. Then you run into the issue, the TypeScript compiler converts the dynamic import, which you need to load the ESM module, to Better to use load-esm to load the ESM module, rather then More detailed explenation: https://stackoverflow.com/a/79265806/28701779
PNG detection certainly works in file-type, but you need to provide a bigger sample (not the first 8 bytes). For the best results, better to provide the actual file. |
Thanks for update. it worked fine with bigger buffer like this const pngBuffer = Buffer.from([
0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x0a, 0x00, 0x0d, 0x4a,
0x46, 0x49, 0x46, 0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44, 0xae,
0x42, 0x60, 0x82, 0x00, 0x00, 0x00, 0x00, 0x43, 0x52, 0x49, 0x43, 0x41,
]); |
|
Fixed in v11.0.19 (v11 users) and v10.4.17 (v10 users) (file-type added as a required dependency) |
|
The reason it does need more then 8 bytes (as 8 bytes is indeed the PNG magic file signature), is that it will read deeper into the PNG to determine it is a Animated PNG, a subtype of the PNG file.. |
How can we support the people who use this package now without |
|
I did create a PR replacing the
There are 2 async portions involved:
Loading an ESM module via a dynamic import is an
I am not aware of any other workaround.
The reason it has to be async, is because the file-type supports different ways of reading from a "file", For example a file stream. And because that read can be async, the abstract logic has to be defined as So sorry for that. |
|
Hei, thanks for your support. I may need some help, I have upgraded to v11.0.20, and it is still failing for me: new FileTypeValidator({
fileType:
/^(text\/(plain|csv|comma-separated-values|xml))|(application\/vnd.(ms-excel|openxmlformats-officedocument.spreadsheetml.sheet))|(application\/zip|application\/octet-stream|multipart\/x-zip|application\/zip-compressed|application\/x-zip-compressed|application\/x-zip)|(application\/pdf)$/,
}),where the file is: {
fieldname: 'file',
originalname: 'file.csv',
encoding: '7bit',
mimetype: 'text/csv',
buffer: <Buffer ...>,
size: 2281
}using anything else I can do? |
CSV is a text-based format. So you have to skip the magic numbers validation. |
thanks. got the point 🙏 |
|
You can extend file-type detection, in addition to the default binary formats, with most common XML formats, using the @file-type/xml plugin . For CSV there is to my knowledge no implementation. This is no coincidence as it is very tricky to reliably detect a CSV from its file content. |
Perfect. Checking the mime type is enough for me. But I had a breaking change after upgrading to the latest version. And justă wanted to double confirm that’s the only way of doing it, with skipMagicNumbersValidation. Thanks |
|
I tried upgrading to the latest version ( if (!isFileValid || !file.buffer) return false;the reason being Now, In fact, as it turned out, in the Nest controller I had the @UseInterceptors(FileInterceptor('file', { dest: './uploads' }))Considering that In addition, I think failure of asserting the expectation that the multer-file was already read into a buffer should make |
Uh oh!
There was an error while loading. Please reload this page.
Is there an existing issue for this?
Current behavior
We had this in production for a while, and it worked well until a few hours ago
.addFileTypeValidator({ fileType: /jpeg|png/, })We are getting the following error:
"Validation failed (current file type is image/png, expected type is /jpeg|png/)"
Then we tried setting the meme type explicitly with a string instead of a regex
.addFileTypeValidator({ fileType: 'image/png', })And got the following error:
"Validation failed (current file type is image/png, expected type is image/png)"
And at last, we tried the same as in the example in the docs
new ParseFilePipeBuilder() .addFileTypeValidator({ fileType: 'png', })"Validation failed (current file type is image/png, expected type is png)"
Minimum reproduction code
empty
Steps to reproduce
We haven't done anything special, and we noticed it when several tests failed and blocked the pipe.
Expected behavior
To work correctly as it worked in the past
In the past, the following worked
.addFileTypeValidator({ fileType: /jpeg|png/, })Package
@nestjs/common@nestjs/core@nestjs/microservices@nestjs/platform-express@nestjs/platform-fastify@nestjs/platform-socket.io@nestjs/platform-ws@nestjs/testing@nestjs/websocketsOther package
No response
NestJS version
10.4.16
Packages versions
[System Information]
OS Version : macOS 24.3.0
NodeJS Version : v22.14.0
NPM Version : 10.9.2
[Nest CLI]
Nest CLI Version : 10.4.9
[Nest Platform Information]
platform-express version : 10.4.16
elasticsearch version : 10.0.2
schematics version : 10.2.3
passport version : 10.0.3
schedule version : 4.1.2
terminus version : 10.3.0
swagger version : 7.4.2
testing version : 10.4.16
bullmq version : 10.2.3
common version : 10.4.16
config version : 3.3.0
axios version : 3.1.3
core version : 10.4.16
jwt version : 10.2.0
cli version : 10.4.9
Node.js version
v22.14.0
In which operating systems have you tested?
Other
No response
The text was updated successfully, but these errors were encountered: