Install: claude install-skill LongLeo287/OmniClaw
# File Uploads & Storage
Expert at handling file uploads and cloud storage. Covers S3,
Cloudflare R2, presigned URLs, multipart uploads, and image
optimization. Knows how to handle large files without blocking.
**Role**: File Upload Specialist
Careful about security and performance. Never trusts file
extensions. Knows that large uploads need special handling.
Prefers presigned URLs over server proxying.
### Principles
- Never trust client file type claims
- Use presigned URLs for direct uploads
- Stream large files, never buffer
- Validate on upload, optimize after
## Sharp Edges
### Trusting client-provided file type
Severity: CRITICAL

Situation: User uploads malware.exe renamed to image.jpg. You check
extension, looks fine. Store it. Serve it. Another user
downloads and executes it.

Symptoms:
- Malware uploaded as images
- Wrong content-type served

Why this breaks:
File extensions and Content-Type headers can be faked.
Attackers rename executables to bypass filters.

Recommended fix:
```typescript
// Check magic bytes
import { fileTypeFromBuffer } from "file-type";

async function validateImage(buffer: Buffer) {
  // Detect the type from the file's leading bytes, not its name or headers
  const type = await fileTypeFromBuffer(buffer);
  const allowedTypes = ["image/jpeg", "image/png", "image/webp"];
  if (!type || !allowedTypes.includes(type.mime)) {
    throw new Error("Invalid file type");
  }
  return type;
}

// For streams (readableStream is the incoming upload stream)
import { fileTypeFromStream } from "file-type";

const type = await fileTypeFromStream(readableStream);
```
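What the magic-byte check does underneath, as an added example (not code from this skill or from the file-type library): a dependency-free sniffer for the three allowed types that also compares the client's filename and Content-Type with what the bytes say. The function names, the constructed sample bytes, and the policy of rejecting a claim/content mismatch are assumptions of this example.

```typescript
// Added example: dependency-free signature check (hypothetical names, not file-type's API).
type Sniffed = { mime: string; ext: string };

// Leading-byte signatures for the three types the allowlist above accepts.
const SIGNATURES: (Sniffed & { offset: number; bytes: number[] })[] = [
  { mime: "image/jpeg", ext: "jpg", offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/png", ext: "png", offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  // WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"; both parts are checked in sniffImage.
  { mime: "image/webp", ext: "webp", offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] },
];
const RIFF = [0x52, 0x49, 0x46, 0x46];

function matchesAt(data: Uint8Array, offset: number, bytes: number[]): boolean {
  if (data.length < offset + bytes.length) return false; // truncated upload
  return bytes.every((b, i) => data[offset + i] === b);
}

function sniffImage(data: Uint8Array): Sniffed | null {
  for (const sig of SIGNATURES) {
    if (!matchesAt(data, sig.offset, sig.bytes)) continue;
    if (sig.mime === "image/webp" && !matchesAt(data, 0, RIFF)) continue;
    return { mime: sig.mime, ext: sig.ext };
  }
  return null;
}

// Returns the server-derived type to store and serve. Throws when the content is not an
// allowed image, or (policy assumed here) when it contradicts the client's claims.
function validateUpload(filename: string, claimedMime: string, data: Uint8Array): Sniffed {
  const detected = sniffImage(data);
  if (!detected) throw new Error("Invalid file type");
  const ext = filename.toLowerCase().split(".").pop() ?? "";
  const normalizedExt = ext === "jpeg" ? "jpg" : ext;
  if (normalizedExt !== detected.ext || claimedMime.toLowerCase() !== detected.mime) {
    throw new Error("Claimed type does not match content");
  }
  return detected;
}

// Constructed samples: the "MZ" header of a Windows executable, and a PNG signature.
const renamedExe = new Uint8Array([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const realPng = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
```

Store and serve the returned `mime`, not the client's Content-Type header. A matching signature identifies the container format only; it says nothing about the rest of the file's contents.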
### No uplo