Validate upload content before persisting to /uploads by ORDL-AMF · Pull Request #2 · Open-Research-Development-Laboratories/ordl-aether

ORDL-AMF · 2026-03-10T07:29:38Z

Close a stored-XSS/content-hosting hole where uploaded bytes were saved with attacker-controlled extensions and exposed at /uploads without content validation.
Ensure only bona fide raster images are persisted so the static /uploads mount cannot serve HTML/SVG/JS from user uploads.

Replaced extension-from-filename/content-type logic with a content-based validator by adding _validated_image_suffix(content: bytes) which attempts to parse the bytes with Pillow and maps trusted raster formats to safe extensions (.jpg, .png, .webp, .gif, .bmp, .tiff).
Updated _persist_uploaded_asset to call _validated_image_suffix and only write files when the content is a supported image; otherwise it returns None and logs a warning, preserving existing behavior of returning asset_url when persisted.
Added imports required for validation (BytesIO, PIL.Image, UnidentifiedImageError) and removed the prior filename-suffix reliance.

Ran python -m py_compile aether-system/backend/api/routes.py and it succeeded to validate syntax.
Attempted a small runtime validation of _validated_image_suffix but the environment lacked fastapi which caused import failure (ModuleNotFoundError: No module named 'fastapi'), so dynamic execution tests were not completed.
Committed the change after static checks and ensured the modified module compiles cleanly.

Validate uploaded assets before persisting to /uploads

70a35f2

ORDL-AMF added codex aardvark labels Mar 10, 2026 — with ChatGPT Codex Connector

Provide feedback