validate SQlite magic header

backend/src/index.ts

@@ -77,13 +77,7 @@ const prisma = new PrismaClient();
 const PORT = process.env.PORT || 8000;
 
 // Multer setup for file uploads
-const upload = multer({
-  dest: uploadDir,
-  limits: {
-    fileSize: 50 * 1024 * 1024, // 50MB in bytes
-    files: 1, // Only one file per upload
-  },
-});
+const upload = multer({ dest: uploadDir });
 
 app.use(
   cors({
@@ -94,22 +88,6 @@ app.use(
 app.use(express.json({ limit: "50mb" }));
 app.use(express.urlencoded({ extended: true, limit: "50mb" }));
 
-// Log large requests for monitoring and debugging
-app.use((req, res, next) => {
-  const contentLength = req.headers["content-length"];
-  if (contentLength) {
-    const sizeInMB = parseInt(contentLength) / 1024 / 1024;
-    if (sizeInMB > 10) {
-      console.log(
-        `[LARGE REQUEST] ${req.method} ${req.path} - ${sizeInMB.toFixed(
-          2
-        )}MB - Content-Length: ${contentLength} bytes`
-      );
-    }
-  }
-  next();
-});
-
 const elementsSchema = z.array(z.object({}).passthrough());
 
 const appStateSchema = z.object({}).passthrough();
@@ -147,7 +125,47 @@ const respondWithValidationErrors = (
   });
 };
 
+const validateSqliteHeader = (filePath: string): boolean => {
+  try {
+    const buffer = Buffer.alloc(16);
+    const fd = fs.openSync(filePath, "r");
+    const bytesRead = fs.readSync(fd, buffer, 0, 16, 0);
+    fs.closeSync(fd);
+
+    if (bytesRead < 16) {
+      console.warn("File too small to be a valid SQLite database");
+      return false;
+    }
+
+    // SQLite format 3 header: "SQLite format 3\0" (16 bytes)
+    // Hex: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00
+    const expectedHeader = Buffer.from([
+      0x53, 0x51, 0x4c, 0x69, 0x74, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61,
+      0x74, 0x20, 0x33, 0x00,
+    ]);
+
+    const isValid = buffer.equals(expectedHeader);
+    if (!isValid) {
+      console.warn("Invalid SQLite file header detected", {
+        filePath,
+        header: buffer.toString("hex"),
+        expected: expectedHeader.toString("hex"),
+      });
+    }
+
+    return isValid;
+  } catch (error) {
+    console.error("Failed to validate SQLite header:", error);
+    return false;
+  }
+};
+
 const runIntegrityCheck = (filePath: string): boolean => {
+  // First validate the file header to prevent RCE attacks
+  if (!validateSqliteHeader(filePath)) {
+    return false;
+  }
+
   let dbInstance: Database.Database | undefined;
   try {
     dbInstance = new Database(filePath, {

frontend/nginx.conf

@@ -12,9 +12,6 @@ http {
     gzip_vary on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
-    # Set maximum request body size to 50MB to handle large drawings with embedded images
-    client_max_body_size 50M;
-
     server {
         listen 80;
         server_name localhost;
@@ -32,18 +29,6 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
-            # Buffer and timeout settings for large payloads
-            proxy_buffering on;
-            proxy_buffer_size 4k;
-            proxy_buffers 8 4k;
-            proxy_busy_buffers_size 8k;
-            client_body_buffer_size 128k;
-            
-            # Timeouts for large uploads (300 seconds)
-            proxy_connect_timeout 300s;
-            proxy_send_timeout 300s;
-            proxy_read_timeout 300s;
         }
 
         # WebSocket proxy for Socket.IO