From 527257fe71e1c1a178e15d715e033886d73bc50b Mon Sep 17 00:00:00 2001
From: Avinash Kumar <44425342+avinash0786@users.noreply.github.com>
Date: Mon, 25 May 2026 19:17:52 +0530
Subject: [PATCH] Fix: Vulnerability CVE-2026-31808 Fix file-type Downstream callers (upp-report, xcro-utils) -- Must add await there or returns get treated as truthy Promise.
---
 fileValidator/index.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fileValidator/index.js b/fileValidator/index.js
index 1efd3d3..4507cc7 100644
--- a/fileValidator/index.js
+++ b/fileValidator/index.js
@@ -1,6 +1,6 @@
 const readChunk = require('read-chunk');
-const fileType = require('file-type');
+const { fileTypeFromBuffer, reasonableDetectionSizeInBytes } = require('file-type');
 const textFormat = ['csv', 'txt', 'html', 'htm', 'css', 'ini', 'json', 'tsv', 'xml', 'yaml', 'yml', 'rst', 'md'];
 function toArrayBuffer(buf, length) {
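Review bot: The destructured `fileTypeFromBuffer` / `reasonableDetectionSizeInBytes` names are, as far as I can tell, only exported by file-type's ESM-only releases (17+), so this CommonJS `require('file-type')` will throw ERR_REQUIRE_ESM on any Node version without require(esm) support and the validator module will fail to load instead of validating. The package.json pin is not part of this patch, so I can't confirm which version is installed; please check it, and either convert the file to ESM (`import { fileTypeFromBuffer, reasonableDetectionSizeInBytes } from 'file-type';` with `export default vatidateFile;`) or load it lazily with `const { fileTypeFromBuffer, reasonableDetectionSizeInBytes } = await import('file-type');` inside the now-async function. If read-chunk is bumped at the same time, note that its ESM-only releases drop `readChunk.sync` in favour of a `readChunkSync` export, which the unchanged line 1 still relies on.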
@@ -43,20 +43,20 @@ function validateOldMSOffice(options) { return hex == 'D0CF11E0A1B11AE1'; } -function vatidateFile(options, ext) { +async function vatidateFile(options, ext) { if (textFormat.indexOf(ext) > -1) return true; //validateTextFormat(options); if (['doc', 'xls', 'ppt', 'msg'].indexOf(ext) > -1) return validateOldMSOffice(options); - let buffer = options.type == 'Binary' ? readChunk.sync(options.path, 0, fileType.minimumBytes) : toArrayBuffer(options.data, fileType.minimumBytes); + let buffer = options.type == 'Binary' ? readChunk.sync(options.path, 0, reasonableDetectionSizeInBytes) : toArrayBuffer(options.data, reasonableDetectionSizeInBytes); //remove BOM encoding if (ext == 'xml') { let hex = options.type == 'Binary' ? getHex(readChunk.sync(options.path, 0, 3), 3) : getHex(options.data, 3); if (hex == 'EFBBBF') buffer = buffer.slice(3); } - let fileTypeObj = fileType(buffer); + let fileTypeObj = await fileTypeFromBuffer(buffer); if (!fileTypeObj) return false; if ((fileTypeObj.ext == 'jpg' || fileTypeObj.ext == 'jpeg') && (ext == 'jpg' || ext == 'jpeg')) return true; return fileTypeObj.ext == ext; } -module.exports = vatidateFile; \ No newline at end of file +module.exports = vatidateFile;
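Review bot: A Promise is always truthy, so once `vatidateFile` is async any caller that still writes `if (!vatidateFile(options, ext)) reject(...)` silently accepts every upload; the commit message acknowledges this for upp-report and xcro-utils, but nothing in the code or its documentation guards against the next caller making the same mistake. Since the signature cannot express it, at minimum add a JSDoc above the function: `/** Checks that the file's magic bytes match the claimed extension. @returns {Promise<boolean>} resolves true only when the content matches; callers MUST await — an un-awaited Promise is truthy and would accept every file. */`. That comment should also state that for extensions listed in `textFormat` the content is never inspected (`validateTextFormat` is commented out), so for csv/html/xml etc. the caller-supplied extension alone decides, and that `validateOldMSOffice(options)` is returned without `await`, which only stays correct while that helper remains synchronous.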