10 changes: 9 additions & 1 deletion optifit backend/validation.py
@@ -1,6 +1,6 @@
import os
import uuid

import mimetypes
class APIError(Exception):
def __init__(self, message, status_code=500):
self.message = message
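Review bot: the `import mimetypes` in this hunk takes the place of the blank line that separated the imports from `class APIError` (the header `@@ -1,6 +1,6 @@` shows a one-for-one swap), so the class definition now sits directly under the import block. Group the new import with `import os` / `import uuid` and keep the blank lines (PEP 8 asks for two) before the class.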
Expand Down Expand Up @@ -88,6 +88,14 @@ def validate_video_file(file):
f"Unsupported file format '{file_ext}'. "
f"Allowed formats: {', '.join(ALLOWED_EXTENSIONS)}"
)
#mime type check
mime_type, _ = mimetypes.guess_type(file.filename)
if not mime_type or not mime_type.startswith('video/'):
raise UnsupportedMediaTypeError(f"Invalid MIME type: {mime_type}")
Comment on lines +91 to +94
⚠️ Potential issue | 🔴 Critical

Critical: MIME validation is ineffective for security - validates filename only, not content.

mimetypes.guess_type() determines the MIME type based solely on the filename extension, not the actual file content. This means:

  • A malicious executable renamed to malware.mp4 will pass this validation
  • This check duplicates the extension validation already performed on lines 85-90
  • The PR description claims to prevent processing "dangerous or invalid files" based on their "actual nature," but this implementation does not achieve that goal

To properly validate file content, use a library that reads the file's magic bytes/signature:

Option 1 (Recommended): Use python-magic

Install the library:

pip install python-magic

Then replace the MIME validation with content-based detection:

-    #mime type check
-    mime_type, _ = mimetypes.guess_type(file.filename)
-    if not mime_type or not mime_type.startswith('video/'):
-        raise UnsupportedMediaTypeError(f"Invalid MIME type: {mime_type}")
+    # MIME type check based on file content
+    import magic
+    file.seek(0)
+    file_header = file.read(2048)
+    file.seek(0)
+    mime_type = magic.from_buffer(file_header, mime=True)
+    if not mime_type or not mime_type.startswith('video/'):
+        raise UnsupportedMediaTypeError(f"Invalid MIME type: {mime_type}. File content does not match a video format.")
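Review bot: `import magic` is placed inside the function body, so the import statement runs on every call; move it to the module-level imports. `pip install python-magic` is also not sufficient on its own: python-magic binds to the libmagic shared library, which must be present on the host (the `libmagic1` package on Debian/Ubuntu, or the `python-magic-bin` wheel on Windows), otherwise `import magic` fails at startup. The sniffed `mime_type` is never compared with `file_ext` from the extension check above it, so a WebM stream uploaded under a `.mp4` name passes both checks; reject when the detected type and the extension disagree.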

Option 2: Use filetype library

Install the library:

pip install filetype

Then replace the MIME validation:

-    #mime type check
-    mime_type, _ = mimetypes.guess_type(file.filename)
-    if not mime_type or not mime_type.startswith('video/'):
-        raise UnsupportedMediaTypeError(f"Invalid MIME type: {mime_type}")
+    # MIME type check based on file content
+    import filetype
+    file.seek(0)
+    file_header = file.read(262)
+    file.seek(0)
+    kind = filetype.guess(file_header)
+    if not kind or not kind.mime.startswith('video/'):
+        raise UnsupportedMediaTypeError(f"Invalid file type. File content does not match a video format.")
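Review bot: the message `f"Invalid file type. File content does not match a video format."` is an f-string with no placeholders (Ruff F541); drop the `f` prefix, or include the detected `kind.mime` as the python-magic variant does, which helps when debugging rejected uploads. As with the other option, `kind.mime` is not compared against `file_ext`, so extension and content can disagree and still pass.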
🧰 Tools
🪛 Ruff (0.14.1)
94-94: Avoid specifying long messages outside the exception class (TRY003)

#reset point for later processing
file.seek(0)
return True


# Validating the job request for getting the results
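Review bot: the new check `mime_type, _ = mimetypes.guess_type(file.filename)` derives the MIME type from the filename extension alone, so after the `ALLOWED_EXTENSIONS` check directly above it cannot reject anything new; an executable renamed to `.mp4` still passes. It can, however, reject valid uploads: if an allowed extension is absent from the host's MIME database, `guess_type` returns `None`, the error reads `Invalid MIME type: None`, and behaviour now varies by deployment host. Sniff the first bytes of `file` instead and cross-check the sniffed type against `file_ext`; since the function already ends with `file.seek(0)` for later processing, reading a header and seeking back fits there. Minor: `#mime type check` wants a space after `#` and the acronym capitalised (`# MIME type check`).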
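Shown below is an added example, not code from this PR or from either suggestion in the review comment, contrasting the filename-only result of `mimetypes.guess_type()` with a content check built from container signatures (ISO base media `ftyp`, EBML for Matroska/WebM, RIFF for AVI) plus an extension/content agreement check. The `ALLOWED_EXTENSIONS` and `CONTENT_TO_EXTENSIONS` values are assumptions (the PR's list is not visible here), `UnsupportedMediaTypeError` is a stand-in for the project's class, and the three sample headers are constructed byte strings, not real uploads.

```python
"""Filename-based vs content-based video type validation (added example)."""
import io
import mimetypes
import os

# Assumed allow-list; the PR's ALLOWED_EXTENSIONS values are not shown on the page.
ALLOWED_EXTENSIONS = {".mp4", ".m4v", ".mov", ".webm", ".mkv", ".avi"}

# Which extensions are acceptable for each sniffed container type (assumed mapping).
CONTENT_TO_EXTENSIONS = {
    "video/mp4": {".mp4", ".m4v"},
    "video/quicktime": {".mov"},
    "video/webm": {".webm"},
    "video/x-matroska": {".mkv"},
    "video/x-msvideo": {".avi"},
}


class UnsupportedMediaTypeError(Exception):
    """Stand-in for the project's exception of the same name."""


def filename_mime(filename):
    """What the PR's check sees: a MIME type derived from the extension alone."""
    mime_type, _ = mimetypes.guess_type(filename)
    return mime_type


def sniff_video_mime(header):
    """Return a video MIME type from the first bytes of the file, or None."""
    # ISO base media (MP4, M4V, MOV): 4-byte box size, then 'ftyp' and a brand.
    if len(header) >= 12 and header[4:8] == b"ftyp":
        return "video/quicktime" if header[8:12] == b"qt  " else "video/mp4"
    # Matroska/WebM: EBML magic 1A 45 DF A3; the DocType string tells them apart.
    if header[:4] == b"\x1a\x45\xdf\xa3":
        return "video/webm" if b"webm" in header[:64] else "video/x-matroska"
    # AVI: RIFF container whose form type is 'AVI '.
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "video/x-msvideo"
    return None


def validate_video_stream(filename, stream):
    """Extension allow-list, then content sniffing, then agreement between the two."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsupportedMediaTypeError(f"Unsupported file format '{ext}'")
    stream.seek(0)
    header = stream.read(64)
    stream.seek(0)  # leave the stream where later processing expects it
    mime_type = sniff_video_mime(header)
    if mime_type is None:
        raise UnsupportedMediaTypeError("File content does not match a video format")
    if ext not in CONTENT_TO_EXTENSIONS[mime_type]:
        raise UnsupportedMediaTypeError(f"Extension '{ext}' does not match content {mime_type}")
    return mime_type


def check(filename, data):
    """Run both checks on in-memory bytes and return the two verdicts side by side."""
    try:
        content = validate_video_stream(filename, io.BytesIO(data))
    except UnsupportedMediaTypeError as exc:
        content = f"rejected: {exc}"
    return {"by_name": filename_mime(filename), "by_content": content}


# Constructed sample headers (not real uploads): a minimal MP4 'ftyp' box, a valid
# 31-byte EBML header whose DocType is 'webm', and the start of a Windows PE ('MZ').
MP4_HEADER = b"\x00\x00\x00\x1cftypisom\x00\x00\x02\x00isomiso2mp41"
WEBM_HEADER = (
    b"\x1a\x45\xdf\xa3\x01\x00\x00\x00\x00\x00\x00\x1f"
    b"\x42\x86\x81\x01\x42\xf7\x81\x01\x42\xf2\x81\x04\x42\xf3\x81\x08"
    b"\x42\x82\x84webm\x42\x87\x81\x02\x42\x85\x81\x02"
)
EXE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48

if __name__ == "__main__":
    for name, data in [("clip.mp4", MP4_HEADER), ("malware.mp4", EXE_HEADER),
                       ("clip.webm", WEBM_HEADER), ("clip.mp4", WEBM_HEADER)]:
        print(name, check(name, data))
```

Running it shows `malware.mp4` reported as `video/mp4` by name while the content check rejects it, and a WebM stream named `clip.mp4` rejected for the extension/content mismatch. Signature sniffing raises the bar but is not a substitute for running the downstream decoder with least privilege: a file can carry a genuine container header and still be hostile to whatever parses the rest of it.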