fix(check uploads content): Check that a client upload's extension matches the file contents

[mdial89f]

Purpose

This remediates a finding where a user could upload a file that has an extension that doesn't match its contents; the example was a jpg containing xml with embedded javascript

Linked Issues to Close

Closes https://qmacbis.atlassian.net/browse/OY2-26965

Approach

Please access the ticket above for more information. This PR will deliberately refrain from listing all contents of the ticket in this PR.

This finding calls for a way to verify a file's extension against its contents. We decided the best, and most secure, way to do that is to check it server side. Here's how it works:

• A user drags and drops a file into the application form
• The file's extension is checked against an allowed extension list. If it's a disallowed extension, the UI rejects the file and shows an error message.
• If the file's extension is allowed, the file is accepted.
• On submit, the file is uploaded to S3.
• When the file arrives in S3, an event triggers our file scanning lambda. The role of this lambda is to verify the file is safe, and tag it CLEAN if it is. Until the file is tagged CLEAN, the file is entirely inaccessible to all entities except for the scanner itself.
• The lambda gets the declared extension of the file, or what it says it is. (new)
• The lambda uses the npm file-type package to check the contents of the file (new)
• If the declared extension and the detected content type do not match, the scanner tags the file as EXTMISMATCH and exits; in this scenario, the file continues to be inaccessible (new)
• If we haven't errored out yet, clamav scans the file and tags it clean or not, as it does today.

How to test

We were provided the file that was used in the finding. It is named as a jpg but contains xml embedded with javascript.
As part of testing:

• the specific jpg/xml mentioned above was uploaded, and was flagged EXTMISMATCH as expected. It remained inaccessible
• a .pdf file was renamed to be a .png file. That file was also flagged EXTMISMATCH and remained inaccessible
• a wide array of correctly extensioned files were uploaded, and were marked CLEAN

Assorted Notes/Considerations/Learning

None

[benjaminpaige]

yeah this looks pretty sweet

[pkim-gswell]

Very cool 😎

[pkim-gswell]

Nitpicking here. For naming consistency:

STATUS_EXTENSION_MISMATCH_FILE
STATUS_EXTENSION_UNKNOWN

But that'll also mean changing the env var name too. Completely up to you.
Aside from that, everything looks great

[github-actions]

🎉 This PR is included in version 1.5.0-val.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀