Summary
Upload validation is still inconsistent across /api/upload, /api/voice, and Telegram/Discord attachment flows. Avatar uploads now have a basic validator, but the common save path still trusts headers and extensions too much.
Current Review Status
- Partial after the 2026-04-18 pull audit
- src/routes/avatar.ts validates content-type/ext/body basics
- /api/upload, /api/voice, Telegram voice/photo/document, and Discord attachments still flow into saveUpload() without magic-byte checks
Why This Matters
Because the shared save path trusts the declared Content-Type and the filename extension, a malformed or mislabeled payload (for example, a non-image body sent with an image/png header and a .png name) is written to storage first and only fails, if at all, when something later tries to parse it. Validation has to run on the bytes before saveUpload() writes anything, and it has to run on every flow, not only the avatar route.
Suggested Scope
- Add lightweight content validation helpers in lib/upload.ts
- Use category-specific allowlists (avatar / voice / generic upload)
- Add image/audio signature checks before storage
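Sketch of what those helpers could look like, as an added example written for this note; it is not the project's lib/upload.ts or any existing code in the repo. The category names, the size limits, the `validateUpload()` signature and the sample bodies are assumptions chosen for illustration. The point it shows: the magic bytes decide the type, and the client's extension and Content-Type are only allowed to agree with that decision or be rejected.

```typescript
// Added example (not the project's lib/upload.ts): content validation helpers that
// decide an upload's type from its leading bytes, then require the client's
// extension and Content-Type to agree with that sniffed type.
// Category names, size limits and the result shape are assumptions for illustration.

type UploadCategory = "avatar" | "voice" | "generic";

interface Signature {
  mime: string;                          // canonical type we record and store under
  exts: string[];                        // extensions accepted for this type; exts[0] is canonical
  match: (b: Uint8Array) => boolean;     // magic-byte test on the raw body
}

type ValidationResult =
  | { ok: true; mime: string; ext: string }
  | { ok: false; reason: string };

function startsWith(b: Uint8Array, prefix: number[], offset = 0): boolean {
  if (b.length < offset + prefix.length) return false;
  return prefix.every((v, i) => b[offset + i] === v);
}
const ascii = (s: string): number[] => Array.from(s, c => c.charCodeAt(0));

const IMAGE_SIGNATURES: Signature[] = [
  { mime: "image/png",  exts: ["png"],         match: b => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: "image/jpeg", exts: ["jpg", "jpeg"], match: b => startsWith(b, [0xff, 0xd8, 0xff]) },
  { mime: "image/gif",  exts: ["gif"],         match: b => startsWith(b, ascii("GIF87a")) || startsWith(b, ascii("GIF89a")) },
  { mime: "image/webp", exts: ["webp"],        match: b => startsWith(b, ascii("RIFF")) && startsWith(b, ascii("WEBP"), 8) },
];
const AUDIO_SIGNATURES: Signature[] = [
  { mime: "audio/ogg",  exts: ["ogg", "oga", "opus"], match: b => startsWith(b, ascii("OggS")) },
  { mime: "audio/wav",  exts: ["wav"],                match: b => startsWith(b, ascii("RIFF")) && startsWith(b, ascii("WAVE"), 8) },
  { mime: "audio/flac", exts: ["flac"],               match: b => startsWith(b, ascii("fLaC")) },
  // MP3: an ID3v2 tag, or a raw frame whose 11-bit sync word (0xFFE) is set
  { mime: "audio/mpeg", exts: ["mp3"],                match: b => startsWith(b, ascii("ID3")) || (b.length > 1 && b[0] === 0xff && (b[1] & 0xe0) === 0xe0) },
];

// Per-category allowlists: a voice note may not be a PNG, an avatar may not be an Ogg file.
const ALLOWLIST: Record<UploadCategory, Signature[]> = {
  avatar: IMAGE_SIGNATURES,
  voice: AUDIO_SIGNATURES,
  generic: [...IMAGE_SIGNATURES, ...AUDIO_SIGNATURES,
            { mime: "application/pdf", exts: ["pdf"], match: b => startsWith(b, ascii("%PDF-")) }],
};
const MAX_BYTES: Record<UploadCategory, number> = {   // assumed limits
  avatar: 2 * 1024 * 1024, voice: 25 * 1024 * 1024, generic: 10 * 1024 * 1024,
};
// Common client spellings folded onto the canonical type before comparison.
const MIME_ALIASES: Record<string, string> = {
  "image/jpg": "image/jpeg", "audio/x-wav": "audio/wav", "audio/wave": "audio/wav", "audio/mp3": "audio/mpeg",
};

function normalizeMime(header: string): string {
  const bare = header.split(";")[0].trim().toLowerCase();   // drop "; charset=..." and friends
  return MIME_ALIASES[bare] ?? bare;
}
function extensionOf(filename: string): string {
  const base = filename.split(/[\\/]/).pop() ?? "";          // ignore any path the client sent
  const dot = base.lastIndexOf(".");
  return dot < 0 ? "" : base.slice(dot + 1).toLowerCase();
}

// Run this before saveUpload() writes anything. declaredType is optional because
// bot attachment flows do not always carry a Content-Type.
function validateUpload(category: UploadCategory, filename: string,
                        declaredType: string | undefined, bytes: Uint8Array): ValidationResult {
  if (bytes.length === 0) return { ok: false, reason: "empty body" };
  if (bytes.length > MAX_BYTES[category]) return { ok: false, reason: `exceeds ${category} size limit` };

  // The bytes decide the type; headers and extensions only get to agree or be rejected.
  const sig = ALLOWLIST[category].find(s => s.match(bytes));
  if (!sig) return { ok: false, reason: `content not in ${category} allowlist` };

  const ext = extensionOf(filename);
  if (!sig.exts.includes(ext)) return { ok: false, reason: `extension "${ext}" does not match ${sig.mime}` };

  if (declaredType !== undefined) {
    const declared = normalizeMime(declaredType);
    if (declared !== sig.mime) return { ok: false, reason: `declared ${declared} but content is ${sig.mime}` };
  }
  // Store under a server-generated name with the canonical extension, never the client's filename.
  return { ok: true, mime: sig.mime, ext: sig.exts[0] };
}

// Constructed sample bodies (file headers only; enough for the signature checks).
const PNG_SAMPLE = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const OGG_SAMPLE = new Uint8Array([...ascii("OggS"), 0, 2, 0, 0, 0, 0, 0, 0, 0, 0]);
const HTML_SAMPLE = new TextEncoder().encode("<html><script>alert(1)</script></html>");
```

With these samples, `validateUpload("avatar", "me.png", "image/png", PNG_SAMPLE)` passes, while the same bytes named `me.html`, the HTML body labelled `image/png`, a PNG declared as `image/jpeg`, and an Ogg file posted to the avatar category are all rejected before anything is stored. Signature sniffing only establishes what container the bytes claim to be; for images that will be decoded server-side, a real decode or re-encode after this step is still the stronger check.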
Evidence
src/routes/avatar.ts:59-116
src/routes/messaging.ts:76-80,125-130
src/telegram/voice.ts:21-22
src/telegram/bot.ts:535-551
src/discord/bot.ts