Use Magika to determine if a file is corrupted or not #4

Merged
fzorb merged 8 commits from magika into master 2026-06-22 10:34:59 +00:00
Owner

Before, we were using fleep to filter files based on file signatures, however, this has caused many issues. As such, this PR replaces fleep with Magika.

Performance overhead seems to be negligible. Sure it may use a bit more CPU and stuff but not by a lot.

This opens many options to potentially allow more files to be uploaded by guests.

Before, we were using `fleep` to filter files based on file signatures, however, this has caused many issues. As such, this PR replaces `fleep` with Magika. Performance overhead seems to be negligible. Sure it may use a bit more CPU and stuff but not by a lot. This opens many options to potentially allow more files to be uploaded by guests.
@ -119,0 +118,4 @@
file_buffer = io.BytesIO(f.read())
file_buffer.seek(0)
magika_file = Magika().identify_stream(file_buffer)
print(magika_file.output)
Contributor

remove print in prod

remove print in prod
Contributor

Looks good. I would suggest adding a fallback to fleep, but if Magika uses little CPU, it's not worth the effort. I'm curious to know if there are any legitimate reasons for uploading files whose content doesn't match the extension, because this case is currently blocked.
I only reviewed the server code. Someone else should check client JS before merging.

Looks good. I would suggest adding a fallback to fleep, but if Magika uses little CPU, it's not worth the effort. I'm curious to know if there are any legitimate reasons for uploading files whose content doesn't match the extension, because this case is currently blocked. I only reviewed the server code. Someone else should check client JS before merging.
Author
Owner

@edward wrote in #4 (comment):

I'm curious to know if there are any legitimate reasons for uploading files whose content doesn't match the extension, because this case is currently blocked.

Someone could upload malicious files “disguised” as PNGs.

@edward wrote in https://git.lethal.horse/16px.eu/fukkireta/pulls/4#issuecomment-22: > I'm curious to know if there are any legitimate reasons for uploading files whose content doesn't match the extension, because this case is currently blocked. Someone could upload malicious files “disguised” as PNGs.
@ -119,0 +119,4 @@
file_buffer.seek(0)
magika_file = Magika().identify_stream(file_buffer)
print(magika_file.output)
if normalized_ext not in magika_file.output.extensions:
Contributor

add if magika_file.ok somewhere before using the output to handle the failure case

add `if magika_file.ok` somewhere before using the output to handle the failure case
Author
Owner

@edward wrote in #4 (comment):

I only reviewed the server code. Someone else should check client JS before merging.

All it changes is the fact that now it tells you directly via an alert() what went wrong. It was supposed to be commited on master but unfortunately I messed up and it got included in this PR 😛

@edward wrote in https://git.lethal.horse/16px.eu/fukkireta/pulls/4#issuecomment-22: > I only reviewed the server code. Someone else should check client JS before merging. All it changes is the fact that now it tells you directly via an `alert()` what went wrong. It was supposed to be commited on `master` but unfortunately I messed up and it got included in this PR 😛
Author
Owner

Everything seems to be alright all things considered, self-merging.

Everything seems to be alright all things considered, self-merging.
fzorb merged commit 5dad4d2131 into master 2026-06-22 10:34:59 +00:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
16px.eu/fukkireta!4
No description provided.