nestjs · kamilmysliwiec · Apr 14, 2025 · Mar 31, 2025 · Mar 31, 2025 · Mar 31, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -66,6 +66,7 @@
     "express": "4.21.2",
     "fast-json-stringify": "6.0.0",
     "fast-safe-stringify": "2.1.1",
+    "file-type": "20.4.1",
     "iterare": "1.2.1",
     "object-hash": "3.0.0",
     "path-to-regexp": "3.3.0",
@@ -74,7 +75,7 @@
     "socket.io": "4.8.1",
     "tslib": "2.8.1",
     "uid": "2.0.2",
-    "uuid": "11.0.3"
+    "uuid": "11.1.0"
   },
   "devDependencies": {
     "@apollo/server": "4.11.2",

diff --git a/packages/common/package.json b/packages/common/package.json
@@ -25,6 +25,7 @@
   "peerDependencies": {
     "class-transformer": "*",
     "class-validator": "*",
+    "file-type": "^20.4.1",
     "reflect-metadata": "^0.1.12 || ^0.2.0",
     "rxjs": "^7.1.0"
   },

diff --git a/packages/common/pipes/file/file-type.validator.ts b/packages/common/pipes/file/file-type.validator.ts
@@ -3,14 +3,19 @@ import { IFile } from './interfaces';
 
 export type FileTypeValidatorOptions = {
   fileType: string | RegExp;
+
+  /**
+   * If `true`, the validator will skip the magic numbers validation.
+   * This can be useful when you can't identify some files as there are no common magic numbers available for some file types.
+   * @default false
+   */
+  skipMagicNumbersValidation?: boolean;
 };
 
 /**
- * Defines the built-in FileType File Validator. It validates incoming files mime-type
- * matching a string or a regular expression. Note that this validator uses a naive strategy
- * to check the mime-type and could be fooled if the client provided a file with renamed extension.
- * (for instance, renaming a 'malicious.bat' to 'malicious.jpeg'). To handle such security issues
- * with more reliability, consider checking against the file's [magic-numbers](https://en.wikipedia.org/wiki/Magic_number_%28programming%29)
+ * Defines the built-in FileTypeValidator. It validates incoming files by examining
+ * their magic numbers using the file-type package, providing more reliable file type validation
+ * than just checking the mimetype string.
  *
  * @see [File Validators](https://docs.nestjs.com/techniques/file-upload#validators)
  *
@@ -20,19 +25,42 @@ export class FileTypeValidator extends FileValidator<
   FileTypeValidatorOptions,
   IFile
 > {
-  buildErrorMessage(): string {
+  buildErrorMessage(file?: IFile): string {
+    if (file?.mimetype) {
+      return `Validation failed (current file type is ${file.mimetype}, expected type is ${this.validationOptions.fileType})`;
+    }
     return `Validation failed (expected type is ${this.validationOptions.fileType})`;
   }
 
-  isValid(file?: IFile): boolean {
+  async isValid(file?: IFile): Promise<boolean> {
     if (!this.validationOptions) {
       return true;
     }
 
-    return (
-      !!file &&
-      'mimetype' in file &&
-      !!file.mimetype.match(this.validationOptions.fileType)
-    );
+    const isFileValid = !!file && 'mimetype' in file;
+
+    if (this.validationOptions.skipMagicNumbersValidation) {
+      return (
+        isFileValid && !!file.mimetype.match(this.validationOptions.fileType)
+      );
+    }
+
+    if (!isFileValid || !file.buffer) {
+      return false;
+    }
+
+    try {
+      const { fileTypeFromBuffer } = (await eval(
+        'import ("file-type")',
+      )) as typeof import('file-type');
+
+      const fileType = await fileTypeFromBuffer(file.buffer);
+
+      return (
+        !!fileType && !!fileType.mime.match(this.validationOptions.fileType)
+      );
+    } catch {
+      return false;
+    }
   }
 }
diff --git a/packages/common/pipes/file/interfaces/file.interface.ts b/packages/common/pipes/file/interfaces/file.interface.ts
@@ -1,4 +1,5 @@
 export interface IFile {
   mimetype: string;
   size: number;
+  buffer?: Buffer;
 }