bmersereau locks down Mike's document uploads

A stored-XSS report on file upload becomes a layered security pass across the whole stack.

securityintake

The trigger was a report that a malicious file could be uploaded, stored, and later served back to a user with hidden scripts inside it. bmersereau's fix goes wider than the one hole:

  • Content-checked uploads: instead of trusting a file's extension, the backend now reads the actual bytes of every uploaded file and turns away anything whose real content doesn't match its claimed type. This covers both the first upload and later version uploads.
  • Browser-level guardrails: new security headers tell browsers to block embedded scripts, refuse to load the app inside a frame (a common clickjacking trick), and restrict where content can come from.
  • Patched components: a third-party XML library was pinned to a fixed release, closing four high-severity known vulnerabilities.
  • Test coverage: a new automated test suite confirms genuine PDFs, Word docs, and legacy docs are accepted while disguised, empty, or unknown files are rejected.

The work is proposed as a pull request and closes three open security issues at once.

So what Anyone evaluating Mike for firm or client use should care - this is the kind of upload-side hardening that separates a demo from something you'd let real documents near.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?