Enhance File Upload Security with Virus Scanning #1298

@100NikhilBro

Enhance File Upload Security with Virus Scanning

Overview

Currently, our file upload functionality uses Multer to validate file type and size.
While this is a good first step, it does not scan files for malware or viruses, which poses a security risk, especially in an open-source project running in production.

This improvement suggests adding a virus scanning layer to ensure uploaded files are safe before they are stored in Cloudinary or any persistent storage.


Why This is Important

  • Production Safety: Open-source projects are exposed to malicious file uploads that can compromise the server or its users.
  • Often Ignored: Many developers implement only type/size checks, missing the malware scanning step.
  • Best Practice: Ensuring files are virus-free is critical for any application handling user uploads.

⚠️ Ignoring this can lead to serious security vulnerabilities.


Proposed Approach

  1. Multer Validation
    • Check file type (jpeg, png, pdf) and size (5MB limit).
  2. Virus Scanning
    • Option 1: ClamScan
      • Pros: Fully local, multiple virus definitions.
      • Cons: Requires ClamAV engine/daemon, setup, virus definitions, temp files, and cleanup → complex for production.
    • Option 2: VirusTotal API (Chosen Approach)
      • Pros:
        • Engine-free → no server-level installation required
        • Multiple antivirus engines scan files → high detection coverage
        • Easy to integrate as middleware
      • Cons:
        • Free tier file size and rate limits
        • Slight latency for API response
        • Files sent to external server (privacy concern)

Decision: Chose VirusTotal API for a fast, simple, secure production setup without extra engine dependencies.

  3. Middleware Implementation
    • Temporarily store uploaded file
    • Call VirusTotal API to scan file
    • If clean → upload to Cloudinary
    • If infected → reject upload and send error response
    • Cleanup temporary file after scan or upload

Optional Improvements

  • Use UUID for temporary filenames to avoid collisions
  • Async queue for multiple uploads to handle VirusTotal API rate limits
  • Periodic logging for auditing scanned files

Acceptance Criteria

  • Uploaded files are scanned for viruses before Cloudinary upload
  • Malicious files are rejected with a proper error message
  • System works without breaking existing functionality
  • Middleware is reusable and production-safe

Conclusion

This is a critical security improvement that is often overlooked but cannot be ignored in production.
We have opted for a simple, fast, engine-free solution using the VirusTotal API, ensuring high security with minimal setup overhead.
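
The middleware flow from the proposed approach (temporary file, scan, clean goes to storage, infected is rejected, cleanup), as an added example that is not code from this issue or the project. `scanFile` and `storeFile` are hypothetical injected functions standing in for the VirusTotal and Cloudinary calls; `scanFile` is assumed to return a completed VirusTotal v3 analysis object, and the HTTP status codes are illustrative choices.

```javascript
const fsp = require('node:fs/promises');

// Map a VirusTotal v3 analysis object to an allow/deny decision.
// Fail closed: only a completed analysis with zero hits is allowed.
function verdictFromAnalysis(analysis) {
  const attrs = analysis?.data?.attributes;
  if (!attrs || attrs.status !== 'completed' || !attrs.stats) {
    return { allow: false, reason: 'scan incomplete' };
  }
  // Policy choice in this example: "suspicious" counts as a hit too.
  const { malicious = 0, suspicious = 0 } = attrs.stats;
  if (malicious > 0 || suspicious > 0) {
    return { allow: false, reason: `flagged by ${malicious + suspicious} engine(s)` };
  }
  return { allow: true, reason: 'clean' };
}

// Express middleware factory. scanFile(path) and storeFile(path) are
// hypothetical injected async functions (scanner client, storage client).
function scanBeforeStore({ scanFile, storeFile }) {
  return async function (req, res, next) {
    if (!req.file) return res.status(400).json({ error: 'no file uploaded' });
    const tmpPath = req.file.path; // set by Multer disk storage
    try {
      const verdict = verdictFromAnalysis(await scanFile(tmpPath));
      if (!verdict.allow) {
        return res.status(422).json({ error: `upload rejected: ${verdict.reason}` });
      }
      req.storedUrl = await storeFile(tmpPath); // reached only for clean files
      return next();
    } catch (err) {
      // Scanner or storage failure: reject instead of storing an unscanned file.
      return res.status(503).json({ error: 'upload could not be verified or stored' });
    } finally {
      // Always remove the temporary file, whatever the outcome.
      await fsp.unlink(tmpPath).catch(() => {});
    }
  };
}
```

A rate-limited or timed-out scan surfaces here as a thrown error or a non-completed analysis, and both paths reject the upload.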
