Security & File Protection
Uploading external files is a primary attack vector. The API gateway establishes rigorous boundaries.
Protection Layers
1. Payload Size & Streaming
- Max File Size: Hard limit set to 50MB via Multer.
- Zip Bombs: XLSX files (which are zipped XMLs) are scanned via streaming parsers that abort if the decompressed size multiplier exceeds safety thresholds.
2. File Type Spoofing
- Extensions are checked against magic bytes. `.csv` and `.xlsx` must legitimately match text or zip signatures.
3. Formula Injection (CSV Injection)
- Sanitization: Any cell value starting with `=`, `+`, `-`, or `@` is prepended with a single quote (`'`) to prevent execution in spreadsheet software when reports are exported.
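An added example, not the page's own export code, of the sanitization rule above applied on the way out to a CSV row, combined with RFC 4180 quoting so that the sanitized value survives the delimiter and quote characters. Function names are assumptions; the trigger characters are exactly the four the page lists.

```javascript
// Leading characters that spreadsheet software treats as the start of a formula.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@']);

// Prefix a single quote so the cell is stored as text, never evaluated.
function sanitizeCell(value) {
  if (value === null || value === undefined) return '';
  const s = String(value);
  return s.length > 0 && FORMULA_TRIGGERS.has(s[0]) ? `'${s}` : s;
}

// RFC 4180 field quoting: wrap in double quotes when the field contains a
// delimiter, a quote or a line break, doubling any embedded quotes.
function csvField(s) {
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Sanitize first, then quote, so the protective quote is part of the field text.
function toCsvRow(values) {
  return values.map((v) => csvField(sanitizeCell(v))).join(',');
}

// Constructed sample rows as they might appear in an exported report.
const SAMPLE_ROWS = [
  ['name', 'note'],
  ['alice', '=HYPERLINK("http://example.invalid","click")'],
  ['bob, jr', '@SUM(A1)'],
  ['carol', '-5'],
];
const SAMPLE_CSV = SAMPLE_ROWS.map(toCsvRow).join('\r\n');
```

Because the rule keys on the first character only, a value such as `-5` that arrives as a string is also prefixed; that is the documented behaviour, and exports that need negative numbers to stay numeric must emit them from typed numeric columns rather than from free-text cells.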
4. Tenant Quotas & Rate Limiting
- Upload limits are tied to `vendorId`.
- Redis-based rate limiting prevents API abuse and disk exhaustion.
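An added example, not the gateway's implementation, of a per-`vendorId` fixed-window limiter that counts both uploads and bytes, in the same INCR/INCRBY plus EXPIRE-on-first-hit pattern a Redis-backed limiter uses. The store here is an in-memory stand-in with an injectable clock so it runs offline; the quota values, key format and function names are assumptions.

```javascript
// In-memory stand-in for the Redis counter idiom: INCRBY key n, and
// EXPIRE key ttl only when the key is created. `now` is injectable for tests.
class InMemoryCounterStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.map = new Map();
  }

  incrBy(key, n, ttlMs) {
    const t = this.now();
    const entry = this.map.get(key);
    if (!entry || entry.expiresAt <= t) {
      // first hit in this window: create the counter and start its TTL
      this.map.set(key, { count: n, expiresAt: t + ttlMs });
      return n;
    }
    entry.count += n;
    return entry.count;
  }
}

// Build a check function; every call records one upload of `sizeBytes` for the
// tenant and reports whether it stays within both the count and byte quotas.
function makeUploadLimiter(store, opts = {}) {
  const {
    windowMs = 60_000,          // assumed window length
    maxUploadsPerWindow = 20,   // assumed per-tenant upload quota
    maxBytesPerWindow = 500 * 1024 * 1024, // assumed per-tenant byte quota
  } = opts;

  return function check(vendorId, sizeBytes) {
    const uploads = store.incrBy(`upload:count:${vendorId}`, 1, windowMs);
    const bytes = store.incrBy(`upload:bytes:${vendorId}`, sizeBytes, windowMs);
    const allowed = uploads <= maxUploadsPerWindow && bytes <= maxBytesPerWindow;
    return {
      allowed,
      uploads,
      bytes,
      remainingUploads: Math.max(0, maxUploadsPerWindow - uploads),
      remainingBytes: Math.max(0, maxBytesPerWindow - bytes),
    };
  };
}
```

Keying on `vendorId` rather than on client IP means one tenant's burst cannot consume another tenant's allowance, and counting bytes as well as requests is what actually bounds disk use under `/tmp`: twenty 50MB uploads are a very different load from twenty 5KB ones.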
5. File Malware Protection (Async Scanning)
- Integrates a streaming ClamAV pipeline running via an async BullMQ worker.
- Scanning MUST NOT block HTTP upload requests.
- If malicious signatures are detected, the file is moved to an isolated quarantine and the `ContactImportJob` is flagged as `QUARANTINED`.
6. PII Protection & Compliance
- Log Masking: Winston logger filters and masks raw phone numbers. Only the last 4 digits are visible in traces (e.g., `+91 ****** 5705`).
- Audit-Safe Logging: System activity (uploads, imports) is recorded against the user's ID without exposing the internal content of the uploaded files.
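An added example of the masking rule above, not the page's logger configuration: a pure function that finds phone-like digit runs in a log message, keeps an optional `+CC ` country prefix and the last 4 digits, and replaces the rest with asterisks, producing the `+91 ****** 5705` shape the page shows. `maskInfo` has the `(info) => info` transform shape that `winston.format()` wraps; wiring it into a logger is left out so the block runs without winston. The regex, the 7-digit minimum and the function names are assumptions.

```javascript
// A phone-like run: optional '+', then digits with spaces or dashes, at least 9 characters.
const PHONE_RE = /\+?\d[\d \-]{7,}\d/g;
// Runs with fewer digits than this are left alone (job ids, counts); assumed threshold.
const MIN_PHONE_DIGITS = 7;

// Mask every phone-like run in free text, keeping country code and last 4 digits.
function maskPhone(text) {
  return text.replace(PHONE_RE, (match) => {
    let prefix = '';
    let body = match;
    const cc = /^\+\d{1,3}\s/.exec(match); // e.g. "+91 "
    if (cc) {
      prefix = cc[0];
      body = match.slice(cc[0].length);
    }
    const digits = body.replace(/\D/g, '');
    if (digits.length < MIN_PHONE_DIGITS) return match;
    return `${prefix}${'*'.repeat(digits.length - 4)} ${digits.slice(-4)}`;
  });
}

// Transform in the shape winston.format(fn) expects: return the info object
// with its message masked. Structured fields are masked too when they are strings.
function maskInfo(info) {
  const out = { ...info };
  if (typeof out.message === 'string') out.message = maskPhone(out.message);
  for (const key of Object.keys(out)) {
    if (key !== 'message' && typeof out[key] === 'string') out[key] = maskPhone(out[key]);
  }
  return out;
}

// Constructed sample log lines, as the import pipeline might emit them.
const SAMPLE_LINES = [
  'import job 42: validated row for +91 9876545705',
  'import job 42: duplicate of 9876545705 skipped',
  'import job 42: 3 rows, 0 errors',
];
const MASKED_LINES = SAMPLE_LINES.map(maskPhone);
```

Applying the mask inside the logger format rather than at each call site is what makes it hold for every transport; the digit-count threshold is the knob to tune if legitimate identifiers in the logs (order numbers, timestamps) start being masked as well.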
Object Storage Strategy
- Current Lifecycle: The platform utilizes local `/tmp/tenant_id/` storage for active upload processing. These files are strictly ephemeral and aggressively purged.
- Future Cloud Strategy: The platform will standardize around Google Cloud Platform (GCP). Future long-term object storage will migrate to Google Cloud Storage (GCS).
- Strict Prohibition: Firebase/Firestore is explicitly NOT APPROVED for core transactional backend state, imports, queues, or deduplication logic.