Validate and scope S3 presigned URL generation to prevent path traversal and over-broad access

[mikewheeleer]

Harden S3 presigned URL generation

Description

The storage service in src/services/storage.js generates presigned upload/download URLs with MIME allowlisting, size limits, tenant scoping, and path-traversal prevention, consumed by the invoice file routes in src/routes/invoiceFile.js. This issue tightens object-key construction and expiry bounds so a caller cannot escape their tenant prefix or request an excessive URL lifetime.

Requirements and context

• Repository scope: Liquifact/Liquifact-backend only.
• Enforce that every object key is rooted under the caller's tenantId prefix and reject keys containing .., absolute paths, or path separators after normalization.
• Clamp upload/download expiry to the documented bounds (DEFAULT_UPLOAD_URL_EXPIRY_SEC, MAX_DOWNLOAD_URL_EXPIRY_SEC) and reject out-of-range requests.
• Re-validate MIME against ALLOWED_MIME_TYPES server-side, never trusting client-supplied content type alone.
• Ensure presigned URLs are never logged in full.

Suggested execution

• Fork the repo and create a branch
• git checkout -b security/storage-24-presigned-url-scoping
• Implement changes
  • Write code in: src/services/storage.js and src/routes/invoiceFile.js.
  • Write comprehensive tests in: tests/sme.upload.test.js.
  • Add documentation: document key scoping and expiry limits in README.md.
  • Add JSDoc on key construction and validation.
  • Validate security: no path traversal, no cross-tenant key, bounded expiry, MIME re-validation.
• Test and commit

Test and commit

• Run npm test and npm run lint.
• Cover edge cases: traversal attempt, cross-tenant key, over-limit expiry, disallowed MIME, valid request.
• Include the full npm test output and a short security-notes section in the PR description.

Example commit message

fix(security): scope presigned S3 keys to tenant and clamp URL expiry

Guidelines

• Minimum 95 percent test coverage for impacted modules.
• Clear, reviewer-focused documentation.
• Timeframe: 96 hours.

Community & contribution rewards

• 💬 Join the Liquifact community on Discord for questions, reviews, and faster merges: https://discord.gg/JrGPH4V3
• ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

[HademiData]

@HademiData has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello Liquifact Team,

With my background in backend engineering, API security, and cloud infrastructure, I reviewed this issue and understand the importance of strengthening the S3 presigned URL workflow to prevent path traversal, cross-tenant access, and overly permissive URL generation.

For this contribution, I will harden the object-key generation logic to ensure every key is strictly scoped to the authenticated tenant’s prefix and reject traversal patterns such as .., absolute paths, or invalid normalized paths. I will enforce expiry bounds for upload and download URLs, revalidate MIME types server-side against the approved allowlist, and ensure presigned URLs are never exposed in application logs. In addition, I will add comprehensive test coverage for traversal attempts, cross-tenant access, invalid MIME types, expiry violations, and valid upload/download scenarios. I will also update the documentation and add JSDoc comments describing the security model, validation flow, and operational limits.

I am a strong fit for this task because I have experience working with backend services, cloud storage systems, Docker-based deployments, and security-focused API design. I understand the importance of defense-in-depth controls when exposing storage operations to end users and how to validate access boundaries without compromising usability.

My goal is to deliver a well-tested, production-ready implementation that improves tenant isolation, strengthens storage security, and aligns the presigned URL workflow with secure-by-default practices.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @HademiData to this issue.

[drips-wave]

Congratulations, @HademiData! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @HademiData: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊