soft-eng-practicum
diff --git a/‎README.md‎
Lines changed: 14 additions & 1 deletion b/‎README.md‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎src/Analysim.Core/Helper/FileTypeValidator.cs‎
Lines changed: 180 additions & 0 deletions b/‎src/Analysim.Core/Helper/FileTypeValidator.cs‎
Lines changed: 180 additions & 0 deletions
diff --git a/‎src/Analysim.Core/Helper/FileValidationSettings.cs‎
Lines changed: 60 additions & 0 deletions b/‎src/Analysim.Core/Helper/FileValidationSettings.cs‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎src/Analysim.Web/Controllers/AccountController.cs‎
Lines changed: 15 additions & 6 deletions b/‎src/Analysim.Web/Controllers/AccountController.cs‎
Lines changed: 15 additions & 6 deletions
@@ -78,11 +78,24 @@ Analysim requires two databases to operate: one SQL database (PostgreSQL) for re
   "AdminUsers": [
   "ADMIN",
   "XXX"
-  ]
+  ],
+  "FileValidation": {
+    "MaxProfileImageSize": 5242880,
+    "MaxProjectFileSize": 104857600,
+    "MaxNotebookFileSize": 52428800,
+    "AllowedImageExtensions": [".jpg", ".jpeg", ".png", ".gif", ".webp"],
+    "AllowedProjectFileExtensions": [".csv", ".json", ".txt", ".xlsx", ".xls", ".pdf", ".xml", ".tsv", ".dat"],
+    "AllowedNotebookExtensions": [".ipynb"],
+    "BlockedExtensions": [".exe", ".bat", ".cmd", ".sh", ".ps1", ".app", ".dll", ".so", ".dmg", ".pkg", ".msi", ".deb", ".rpm", ".apk", ".zip", ".rar", ".7z", ".tar", ".gz", ".scr", ".vbs", ".js", ".py", ".rb", ".pl"]
+  }
 }
 
 ```
 
+#### File validation settings
+
+The `FileValidation` section controls the file upload validation rules. You can customize the maximum file sizes (in bytes) and the lists of allowed/blocked file extensions for profile images, project data files, and notebook uploads. These settings are read at startup and injected into the controllers via dependency injection.
+
 #### Adding admin users
 
 Admin access in Analysim is controlled through the AdminUsers section of the `appsettings.json` and `appsettings.Development.json`. Each entry in the list corresponds to the username of a registered Analysim user. Admin users will see an Admin link in the navigation bar and can access the /admin section of the platform. To add or remove admin privileges, simply update this list and restart the server.
 
@@ -0,0 +1,180 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+
+namespace Core.Helper
+{
+    /// <summary>
+    /// Validates file uploads based on extension, MIME type, and file signature
+    /// Uses an allowlist approach to prevent malicious file uploads
+    /// </summary>
+    public class FileTypeValidator
+    {
+        private readonly FileValidationSettings _settings;
+
+        /// <summary>
+        /// Magic numbers (file signatures) for common file types
+        /// Used to verify that file content matches the claimed extension
+        /// </summary>
+        private static readonly Dictionary<byte[], string> FileMagicNumbers = new Dictionary<byte[], string>
+        {
+            { new byte[] { 0xFF, 0xD8, 0xFF }, ".jpg" },      // JPEG
+            { new byte[] { 0x89, 0x50, 0x4E, 0x47 }, ".png" }, // PNG
+            { new byte[] { 0x47, 0x49, 0x46 }, ".gif" },       // GIF
+            { new byte[] { 0x52, 0x49, 0x46, 0x46 }, ".webp" }, // WEBP
+            { new byte[] { 0x50, 0x4B, 0x03, 0x04 }, ".xlsx" }, // XLSX (zip-based)
+            { new byte[] { 0x50, 0x4B, 0x03, 0x04 }, ".zip" },  // ZIP
+            { new byte[] { 0x25, 0x50, 0x44, 0x46 }, ".pdf" },  // PDF
+            { new byte[] { 0x7B, 0x0A }, ".json" },             // JSON (basic check)
+            { new byte[] { 0x23, 0x0A }, ".ipynb" }             // Jupyter (text-based)
+        };
+
+        public FileTypeValidator(FileValidationSettings settings)
+        {
+            _settings = settings ?? throw new ArgumentNullException(nameof(settings));
+        }
+
+        /// <summary>
+        /// Validates a profile image upload
+        /// </summary>
+        public (bool IsValid, string ErrorMessage) ValidateProfileImage(string fileName, byte[] fileContent)
+        {
+            return ValidateFile(fileName, fileContent, _settings.AllowedImageExtensions, maxSize: _settings.MaxProfileImageSize);
+        }
+
+        /// <summary>
+        /// Validates a project file upload
+        /// </summary>
+        public (bool IsValid, string ErrorMessage) ValidateProjectFile(string fileName, byte[] fileContent)
+        {
+            return ValidateFile(fileName, fileContent, _settings.AllowedProjectFileExtensions, maxSize: _settings.MaxProjectFileSize);
+        }
+
+        /// <summary>
+        /// Validates a notebook file upload
+        /// </summary>
+        public (bool IsValid, string ErrorMessage) ValidateNotebookFile(string fileName, byte[] fileContent)
+        {
+            // Notebooks must be .ipynb only
+            var result = ValidateFile(fileName, fileContent, _settings.AllowedNotebookExtensions, maxSize: _settings.MaxNotebookFileSize);
+
+            if (!result.IsValid)
+                return result;
+
+            // Additional validation: Notebooks should be JSON text files
+            if (!IsValidJsonContent(fileContent))
+                return (false, "Invalid Jupyter notebook format. Must be a valid JSON file.");
+
+            return (true, string.Empty);
+        }
+
+        /// <summary>
+        /// Generic file validation
+        /// </summary>
+        private (bool IsValid, string ErrorMessage) ValidateFile(
+            string fileName,
+            byte[] fileContent,
+            List<string> allowedExtensions,
+            int maxSize)
+        {
+            if (fileContent == null || fileContent.Length == 0)
+                return (false, "File content is empty.");
+
+            // Check file size
+            if (fileContent.Length > maxSize)
+                return (false, $"File size exceeds maximum allowed size of {maxSize} bytes.");
+
+            // Get extension
+            var extension = Path.GetExtension(fileName)?.ToLower();
+            if (string.IsNullOrEmpty(extension))
+                return (false, "File has no extension.");
+
+            // Check if extension is blocked
+            if (_settings.BlockedExtensions?.Contains(extension) == true)
+                return (false, $"File type '{extension}' is not allowed.");
+
+            // Check if extension is in allowlist
+            if (!allowedExtensions.Contains(extension))
+                return (false, $"File type '{extension}' is not allowed. Allowed types: {string.Join(", ", allowedExtensions)}");
+
+            // Verify file signature matches extension (magic number check)
+            if (!VerifyFileSignature(fileContent, extension))
+                return (false, $"File content does not match the file extension. Possible file type mismatch or corruption.");
+
+            return (true, string.Empty);
+        }
+
+        /// <summary>
+        /// Verifies file signature (magic number) matches the claimed extension
+        /// </summary>
+        private bool VerifyFileSignature(byte[] fileContent, string extension)
+        {
+            if (fileContent == null || fileContent.Length == 0)
+                return false;
+
+            // For text-based formats, perform basic validation
+            if (extension == ".json" || extension == ".ipynb")
+                return IsValidJsonContent(fileContent);
+
+            if (extension == ".csv" || extension == ".txt" || extension == ".tsv" || extension == ".dat")
+                return IsValidTextContent(fileContent);
+
+            // For binary formats, check magic numbers
+            foreach (var kvp in FileMagicNumbers)
+            {
+                if (fileContent.Length >= kvp.Key.Length &&
+                    fileContent.Take(kvp.Key.Length).SequenceEqual(kvp.Key))
+                {
+                    return kvp.Value == extension || (kvp.Value == ".xlsx" && extension == ".xls");
+                }
+            }
+
+            // If no magic number matched, assume it's okay for formats we can't verify
+            // (like CSV, TXT, XML without specific magic numbers)
+            if (extension == ".xml")
+                return IsValidTextContent(fileContent) && fileContent.ToString().Contains("<");
+
+            return true; // Allow if we can't determine a signature
+        }
+
+        /// <summary>
+        /// Checks if file content is valid JSON
+        /// </summary>
+        private bool IsValidJsonContent(byte[] fileContent)
+        {
+            try
+            {
+                var text = System.Text.Encoding.UTF8.GetString(fileContent);
+                var trimmed = text.Trim();
+
+                // Basic JSON structure check
+                return (trimmed.StartsWith("{") && trimmed.EndsWith("}")) ||
+                       (trimmed.StartsWith("[") && trimmed.EndsWith("]"));
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Checks if file content is valid text
+        /// </summary>
+        private bool IsValidTextContent(byte[] fileContent)
+        {
+            try
+            {
+                // Attempt to decode as UTF-8
+                var text = System.Text.Encoding.UTF8.GetString(fileContent);
+
+                // Check for null characters (indicator of binary content)
+                return !text.Contains("\0");
+            }
+            catch
+            {
+                return false;
+            }
+        }
+    }
+}
@@ -0,0 +1,60 @@
+using System.Collections.Generic;
+
+namespace Core.Helper
+{
+    /// <summary>
+    /// Configuration settings for file validation
+    /// Loaded from appsettings.json FileValidation section
+    /// </summary>
+    public class FileValidationSettings
+    {
+        /// <summary>
+        /// Maximum size for profile image uploads in bytes (default: 5 MB)
+        /// </summary>
+        public int MaxProfileImageSize { get; set; } = 5 * 1024 * 1024; // 5 MB
+
+        /// <summary>
+        /// Maximum size for project file uploads in bytes (default: 100 MB)
+        /// </summary>
+        public int MaxProjectFileSize { get; set; } = 100 * 1024 * 1024; // 100 MB
+
+        /// <summary>
+        /// Maximum size for notebook file uploads in bytes (default: 50 MB)
+        /// </summary>
+        public int MaxNotebookFileSize { get; set; } = 50 * 1024 * 1024; // 50 MB
+
+        /// <summary>
+        /// Allowed file extensions for profile images
+        /// </summary>
+        public List<string> AllowedImageExtensions { get; set; } = new List<string>
+        {
+            ".jpg", ".jpeg", ".png", ".gif", ".webp"
+        };
+
+        /// <summary>
+        /// Allowed file extensions for project data files
+        /// </summary>
+        public List<string> AllowedProjectFileExtensions { get; set; } = new List<string>
+        {
+            ".csv", ".json", ".txt", ".xlsx", ".xls", ".pdf", ".xml", ".tsv", ".dat"
+        };
+
+        /// <summary>
+        /// Allowed file extensions for notebook files
+        /// </summary>
+        public List<string> AllowedNotebookExtensions { get; set; } = new List<string>
+        {
+            ".ipynb"
+        };
+
+        /// <summary>
+        /// File extensions to block (dangerous executables and scripts)
+        /// </summary>
+        public List<string> BlockedExtensions { get; set; } = new List<string>
+        {
+            ".exe", ".bat", ".cmd", ".sh", ".ps1", ".app", ".dll", ".so", ".dmg",
+            ".pkg", ".msi", ".deb", ".rpm", ".apk", ".zip", ".rar", ".7z", ".tar",
+            ".gz", ".scr", ".vbs", ".js", ".py", ".rb", ".pl"
+        };
+    }
+}
@@ -41,18 +41,21 @@ public class AccountController : ControllerBase
         private readonly ApplicationDbContext _dbContext;
         private readonly ILoggerManager _loggerManager;
         private readonly IMailNetService _mailNetService;
+        private readonly FileValidationSettings _fileValidationSettings;
 
         private readonly IConfiguration _configuration;
 
         public AccountController(IOptions<JwtSettings> jwtSettings, UserManager<User> userManager,
             SignInManager<User> signManager, ApplicationDbContext dbContext,
                                  ILoggerManager loggerManager,
-                                 IMailNetService mailNetService,IConfiguration configuration)
+                                 IMailNetService mailNetService,IConfiguration configuration,
+                                 IOptions<FileValidationSettings> fileValidationSettings)
         {
             _jwtSettings = jwtSettings.Value;
             _userManager = userManager;
             _signManager = signManager;
             _dbContext = dbContext;
+            _fileValidationSettings = fileValidationSettings.Value;
             _loggerManager = loggerManager;
             _mailNetService = mailNetService;
             _configuration = configuration;
@@ -79,7 +82,7 @@ public IActionResult GetUserByID([FromRoute] int id)
             // user.EmailConfirmed ;
             return Ok(new
             {
-                result = user,
+                result = ViewModels.Account.UserSafeDTO.FromUser(user),
                 message = "Received User: " + user.UserName
             });
         }
@@ -126,7 +129,7 @@ public IActionResult GetUserByName([FromRoute] string username)
             if (user == null) return NotFound(new { message = "User Not Found" });
             return Ok(new
             {
-                result = user,
+                result = ViewModels.Account.UserSafeDTO.FromUser(user),
                 message = "Received User: " + user.UserName
             });
         }
@@ -152,7 +155,7 @@ public IActionResult GetUserRange([FromQuery(Name = "id")] List<int> ids)
 
             return Ok(new
             {
-                result = users,
+                result = ViewModels.Account.UserSafeDTO.FromUsers(users),
                 message = "Received User Range"
             });
         }
@@ -176,7 +179,7 @@ public IActionResult GetUserList()
 
             return Ok(new
             {
-                result = users,
+                result = ViewModels.Account.UserSafeDTO.FromUsers(users),
                 message = "Received User List"
             });
         }
@@ -224,7 +227,7 @@ public IActionResult Search([FromQuery(Name = "term")] List<string> searchTerms)
 
             return Ok(new
             {
-                result = matchedUser,
+                result = ViewModels.Account.UserSafeDTO.FromUsers(matchedUser.ToList()),
                 message = "Search Successful"
             });
         }
@@ -783,6 +786,12 @@ public async Task<IActionResult> UploadProfileImage([FromForm] AccountUploadVM f
                 await formdata.File.CopyToAsync(memoryStream);
                 var fileContent = memoryStream.ToArray();
 
+                // Validate file type and size for profile image
+                var fileValidator = new Core.Helper.FileTypeValidator(_fileValidationSettings);
+                var validationResult = fileValidator.ValidateProfileImage(formdata.File.FileName, fileContent);
+                if (!validationResult.IsValid)
+                    return BadRequest(validationResult.ErrorMessage);
+
                 // Check For Existing
                 var blobFile = _dbContext.BlobFiles.FirstOrDefault(x => x.UserID == user.Id && x.Name == "profileImage");
                 if (blobFile != null)