Skip to content

fix(api): harden sme invoice upload presigned urls#241

Merged
mikewheeleer merged 2 commits into
Liquifact:mainfrom
levoski1:security/sme-upload-hardening
May 27, 2026
Merged

fix(api): harden sme invoice upload presigned urls#241
mikewheeleer merged 2 commits into
Liquifact:mainfrom
levoski1:security/sme-upload-hardening

Conversation

@levoski1
Copy link
Copy Markdown
Contributor

@levoski1 levoski1 commented May 27, 2026
edited
Loading

Closes #226

Summary

Hardens the SME invoice upload flow with presigned URL validation, MIME type enforcement, size limits, tenant-scoped keys, path traversal prevention, and bounded URL expiry.

Changes

src/services/storage.js

  • Restrict accepted MIME types: application/pdf, image/jpeg, image/png, image/tiff
  • Enforce max file size (512 KB, configurable via BODY_LIMIT_INVOICE)
  • Sanitize filenames: strip path separators, null bytes, .., special chars
  • Generate tenant/invoice-scoped keys: tenants/{tenantId}/invoices/{invoiceId}/{uuid}-{filename}
  • Bound presigned URL TTL: 15 min upload, 1 h download (max 24 h)
  • getPresignedUploadUrl(): generates upload URLs with Content-Type/Content-Length constraints
  • getSignedUrl(): bounded expiry for download URLs
  • Never expose or log AWS credentials

src/routes/sme/index.js

  • New POST /api/sme/invoice/presigned-url endpoint for requesting presigned upload URLs
  • Existing POST /api/sme/invoice hardened with tenant/invoice scoping

src/routes/invoiceFile.js

  • New POST /api/invoices/:id/presigned-upload endpoint scoped to invoice

src/app.js

  • Mount SME and invoiceFile routes in createApp()

tests/sme.upload.test.js

  • MIME type validation (accept/reject)
  • File size rejection
  • Presigned URL generation
  • Tenant-scoped key generation
  • Path traversal prevention
  • Credential non-leakage
  • InvoiceFile route tests

docs/email-ops.md

  • Added SME Invoice Upload Security Hardening section

Testing

  • All storage service hardening logic verified: MIME validation, filename sanitization, key scoping, size enforcement
  • Route behavior tested via mocked storage service
  • CI pipeline runs npm test (Jest with --runInBand --forceExit)

Security Notes

  • AWS credentials are never returned in API responses or logged
  • MIME types validated server-side before URL generation
  • Content-Type and Content-Length embedded in presigned URLs for S3-side enforcement
  • Error messages do not leak internal state or stack traces
  • Object keys include UUID to prevent enumeration

@levoski1
fix(api): harden sme invoice upload presigned urls
2ec8d47 
- Restrict MIME types to PDF/JPEG/PNG/TIFF with server-side validation
- Enforce 512KB max file size consistent with BODY_LIMIT_INVOICE
- Generate tenant/invoice-scoped S3 object keys (tenants/{t}/invoices/{i}/{uuid}-{file})
- Sanitize filenames to prevent path traversal (strip .., null bytes, special chars)
- Bound presigned URL TTL (15min upload, 1h download default, max 24h)
- Never expose AWS credentials in responses or logs
- Add presigned upload URL endpoint (POST /api/sme/invoice/presigned-url)
- Mount SME and invoice file routes in createApp()
- Comprehensive tests: MIME validation, oversize rejection, filename sanitization,
  tenant scoping, credential non-leakage, key generation
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented May 27, 2026

@levoski1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@mikewheeleer mikewheeleer merged commit e82db48 into Liquifact:main May 27, 2026
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sign and verify S3 presigned upload URLs and validate file type/size in the SME invoice upload path

2 participants

@levoski1 @mikewheeleer