security(import): validate PDF magic bytes in MassImportService before S3 upload #529

New Issue

Open

opened 2026-05-11 20:13:32 +02:00 by marcel · 0 comments

marcel commented 2026-05-11 20:13:32 +02:00

Owner

Copy Link

Type: Security hardening (input validation)
Priority: P1-high — prod-reachable file ingestion with no content-type check
Source: review of #526 by Nora "NullX" Steiner — comment #8648, finding 5
Parent PR: #526 (mass-import bind mount → first prod-reachable use)

Summary

Before uploading any file to S3, MassImportService MUST read the first 4 bytes and reject anything that doesn't carry the PDF magic header (%PDF). Rejections MUST be counted and surfaced in ImportStatus.

Context

MassImportService reads filenames from the ODS spreadsheet, walks /import for matching files, and uploads whatever it finds to S3 via S3Client.putObject (MassImportService.java:153, :381). Currently no content-type validation: a file named Letter-1947.pdf could be a renamed .zip (potentially exploiting downstream PDF parsers), a .html (XSS via signed S3 URL preview), or arbitrary bytes — and the OCR/thumbnail pipeline would then process the garbage.

With #526 making this endpoint prod-reachable, the upload-anything behaviour is now an issue.

Required

1. Before each s3Client.putObject(...) call in MassImportService, read the first 4 bytes of the file and reject anything not matching the PDF magic header (25 50 44 46 = %PDF).
2. Reject and log the rejection with originalFilename and the actual first bytes (sanitized via SLF4J {} placeholder, per Nora's Log4Shell point).
3. Surface the rejection in the ImportStatus — counter of skipped files alongside the existing processed counter, so the operator sees what happened.
4. Permanent regression test: temp dir with one valid PDF (header %PDF-) and one renamed text file (txt-as-pdf.pdf containing not a pdf); assert one upload + one skip + status message lists the rejected filename.

Out of scope

• MIME-type sniffing beyond the PDF case. The ODS payload is well-defined: ODS spreadsheet + PDFs. Extending to images (JPEG/PNG magic) is a separate decision.

Acceptance criteria

• Failing-then-passing regression test as above
• ImportStatus exposes a skipped count and a skippedFiles list (or similar)
• Frontend admin status card surfaces the skipped count (per Leonie's follow-up #533 too)
• Rejection log line uses SLF4J {} placeholders, not string concatenation

Linked NFRs

• Security: File uploads MUST be validated against an expected magic byte signature before being persisted to S3.
• Observability: Skipped files MUST be visible in ImportStatus (count + filename list).
• Usability (admin): Operator MUST be able to tell at a glance from the admin status card how many files were skipped and why.

Definition of Ready

• Problem statement clear
• Magic byte spec (%PDF) defined
• Status surface change identified
• Acceptance criteria testable

🤖 Generated with Claude Code during /implement on #526

**Type:** Security hardening (input validation) **Priority:** P1-high — prod-reachable file ingestion with no content-type check **Source:** review of #526 by Nora "NullX" Steiner — comment [#8648](https://git.raddatz.cloud/marcel/familienarchiv/pulls/526#issuecomment-8648), finding 5 **Parent PR:** #526 (mass-import bind mount → first prod-reachable use) ## Summary Before uploading any file to S3, `MassImportService` MUST read the first 4 bytes and reject anything that doesn't carry the PDF magic header (`%PDF`). Rejections MUST be counted and surfaced in `ImportStatus`. ## Context `MassImportService` reads filenames from the ODS spreadsheet, walks `/import` for matching files, and uploads whatever it finds to S3 via `S3Client.putObject` (`MassImportService.java:153`, `:381`). Currently no content-type validation: a file *named* `Letter-1947.pdf` could be a renamed `.zip` (potentially exploiting downstream PDF parsers), a `.html` (XSS via signed S3 URL preview), or arbitrary bytes — and the OCR/thumbnail pipeline would then process the garbage. With #526 making this endpoint prod-reachable, the upload-anything behaviour is now an issue. ## Required 1. Before each `s3Client.putObject(...)` call in `MassImportService`, read the first 4 bytes of the file and reject anything not matching the PDF magic header (`25 50 44 46` = `%PDF`). 2. Reject and log the rejection with `originalFilename` and the actual first bytes (sanitized via SLF4J `{}` placeholder, per Nora's Log4Shell point). 3. Surface the rejection in the `ImportStatus` — counter of skipped files alongside the existing `processed` counter, so the operator sees what happened. 4. Permanent regression test: temp dir with one valid PDF (header `%PDF-`) and one renamed text file (`txt-as-pdf.pdf` containing `not a pdf`); assert one upload + one skip + status message lists the rejected filename. ## Out of scope - MIME-type sniffing beyond the PDF case. The ODS payload is well-defined: ODS spreadsheet + PDFs. Extending to images (JPEG/PNG magic) is a separate decision. ## Acceptance criteria - [ ] Failing-then-passing regression test as above - [ ] `ImportStatus` exposes a `skipped` count and a `skippedFiles` list (or similar) - [ ] Frontend admin status card surfaces the skipped count (per Leonie's follow-up #533 too) - [ ] Rejection log line uses SLF4J `{}` placeholders, not string concatenation ## Linked NFRs - **Security:** File uploads MUST be validated against an expected magic byte signature before being persisted to S3. - **Observability:** Skipped files MUST be visible in `ImportStatus` (count + filename list). - **Usability (admin):** Operator MUST be able to tell at a glance from the admin status card how many files were skipped and why. ## Definition of Ready - [x] Problem statement clear - [x] Magic byte spec (`%PDF`) defined - [x] Status surface change identified - [x] Acceptance criteria testable 🤖 Generated with [Claude Code](https://claude.com/claude-code) during /implement on #526

marcel referenced this issue 2026-05-11 20:14:42 +02:00

feat(infra): bind-mount /import for backend mass-import endpoint #526

marcel referenced this issue 2026-05-11 20:35:46 +02:00

security(import): reject path-traversal filenames from ODS in MassImportService.processRows #530

marcel referenced this issue 2026-05-11 20:36:23 +02:00

ui(admin/system): improve mass-import status card (loading state, i18n, font size) #533

marcel added the P1-highfile-uploadsecurity labels 2026-05-11 20:36:40 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/issue-533-mass-import-ux

feat/issue-527-unsaved-warning-new-pages

worktree-feat+issue-557-upload-artifact-v3-pin

worktree-chore+issue-556-drop-client-branches-coverage-gate

fix/issue-514-prerender-crawl-bakes-redirects

fix/issue-472-prerender-entries

feat/issue-395-readme

feat/issue-345-bulk-mark-reviewed

feat/issue-344-bell-tooltip

feat/issue-341-annotieren-contrast

feat/issue-225-bulk-metadata-edit

feat/issue-317-bulk-upload

feat/issue-271-dashboard-redesign

docs/issue-240-mission-control-spec

refactor/issues-193-200

feat/issue-162-korrespondenz-redesign

feature/68-new-document-file-first

feat/81-discussion-discoverability

feat/62-document-bottom-panel

feature/56-backfill-file-hashes

feat/38-document-edit-history

fix/svelte5-test-delegation-and-login-auth

No results found.

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label P1-high file-upload security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#529