-
v1.0.1
Stablejoaovitoriasilva released this
2026年06月03日 16:27:15 +02:00 | 2 commits to main since this releasev1.0.1 - Bug fixes and dependencies bump
- Fix for _stream_to_temp_file does not seek original UploadFile back to position #3
- Dependencies bump
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
v1.0.0 Stable
joaovitoriasilva released this
2026年03月26日 23:06:56 +01:00 | 9 commits to main since this releasev1.0.0 - First stable release
This is the first stable release of safeuploads, marking the library as production-ready. Since v0.1.2, every layer of the validation pipeline has been significantly expanded, hardened, and documented.
New Features
Activity & Gzip File Validation
- New
validate_activity_filemethod onFileValidatorfor safe processing of GPS/fitness file uploads (GPX, TCX, FIT). - New
validate_gzip_filemethod with decompression-bomb detection viaGzipContentInspector. XmlSecurityValidatorusingdefusedxmlto block XXE, DTD, and entity-expansion attacks in XML-based activity files.
Audit Logging
- Structured audit logging via
SecurityAuditLogger,AuditEvent, andAuditEventType. - Per-request correlation IDs (
log_extrahelpers) to trace events end-to-end. - Configurable via
enable_audit_loggingflag inFileSecurityConfig.
Content Security Inspector
- New
ContentSecurityInspectorfor deep content analysis: malware signature scanning, script/webshell marker detection, and polyglot file detection. - Controlled by
enable_content_analysisandcontent_scan_max_size(default 50 MB) inSecurityLimits. - Wired into
FileValidatorfor image and ZIP content scans when enabled.
Nested ZIP Complexity Checks
- Recursive ZIP inspection with cumulative entry, depth, hash, and timing checks.
- Archive quine and ZIP-of-ZIPs complexity detection.
- New
max_total_entries_recursivelimit inSecurityLimits.
Security Hardening
- Streaming file size enforcement:
FileValidatorreads files in chunks (usingchunk_size) to prevent memory exhaustion whenContent-Lengthis absent. - ZIP inspection tightened: null-byte filename detection, monotonic timer for timeout checks, content scanning regardless of entry size (reads only first 512 bytes), error messages sanitised to avoid leaking internals.
- Compression validator: respects
allow_nested_archivesconfig, monotonic timer for timeouts. - MIME cache hardened: LRU cache reduced (256 → 64) and MIME derived from file extension only, preventing attacker-controlled filename cache bloat.
defusedxmladded as a runtime dependency to prevent XML-based attacks.- dev server binding: FastAPI example bound to
127.0.0.1instead of0.0.0.0.
Performance Improvements
FileSecurityConfignow exposes pre-computedfrozensetcollections for O(1) membership checks.ExtensionSecurityValidator,UnicodeSecurityValidator, andZipContentInspectorcache their lookup sets at initialization time.- LRU-cached
_guess_mime_by_namewrapper avoids repeatedmimetypes.guess_typecalls.
Test Coverage
- Hypothesis-based
fuzztests across config, filenames, images, and ZIP inputs. - Integration test suites for
validate_activity_fileandvalidate_gzip_file. - Expanded edge-case tests for ZIP/gzip/content inspectors and the compression validator.
- Improved test determinism across the full suite.
CI / Infrastructure
- GitHub Actions workflows: lint & test, fuzzing, docs deploy, and PyPI publish.
- Dependabot configuration for automated dependency updates.
CODEOWNERSfile added.pip-auditexport uses--no-emit-projectto avoid false positives.
Documentation
- New security documentation: threat model, architecture overview, and integration checklist.
- README and docs updated to cover all new validators, inspectors, streaming limits, content analysis, and audit logging.
- MkDocs navigation updated to include security docs.
Downloads
-
Source code (ZIP)
1 download
-
Source code (TAR.GZ)
1 download
- New
-
v0.1.2 Stable
joaovitoriasilva released this
2025年10月31日 17:34:56 +01:00 | 26 commits to main since this releasev0.1.2 - Added missing import in init.py
- Added BinaryFileCategory to the list of imported enums in safeuploads/init.py to make it available for external use.
Downloads
-
Source code (ZIP)
1 download
-
Source code (TAR.GZ)
1 download
-
v0.1.1 Stable
joaovitoriasilva released this
2025年10月31日 17:05:42 +01:00 | 28 commits to main since this releasev0.1.1 - Make max files of same type in ZIP configurable and added new BinaryFileCategory enum
- Added max_number_files_same_type to SecurityLimits in config.py and updated zip_inspector.py to use this configurable limit instead of a hardcoded value when checking for excessive files of the same type in ZIP archives
- Introduces the BinaryFileCategory enum to categorize binary file extensions, starting with fitness files (e.g., '.fit'). Updates the ZipContentInspector to skip script content checks for files with extensions in BinaryFileCategory, improving handling of binary files in zip archives
Downloads
-
Source code (ZIP)
1 download
-
Source code (TAR.GZ)
1 download
-
v0.1.0 Stable
joaovitoriasilva released this
2025年10月30日 14:18:14 +01:00 | 30 commits to main since this releasev0.1.0 - Initial release
Features
Security Validation:
- Filename Security: Unicode normalization, directory traversal protection, Windows reserved names blocking
- Extension Validation: Configurable allow/block lists with dangerous extension detection
- ZIP Bomb Protection: Compression ratio limits, nested archive inspection, size constraints
- MIME Type Verification: Magic number validation for common file types
Developer Experience:
- Framework-agnostic async validation (FastAPI, Flask, etc.)
- Rich exception hierarchy with machine-readable error codes
- Zero configuration required - secure defaults out of the box
- Full type hints and async support
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
1 download