[LegalMind] Support attachment MIME whitelist includes application/octet-stream, bypassing type restriction
State: Done · Next action: Closed · Owner: Luci · Runtime: Closed · Age: 27d ago
Ticket is done; runtime is closed. Profile claude_opus_1m_medium · cwd /home/lucienne/workspace · uptime 27d 4h · last activity 27d 2h ago
Description
MC-3567
ALLOWED_SUPPORT_ATTACHMENT_MIME in server/routes/supportIntake.ts includes 'application/octet-stream' — the universal catch-all MIME type. A client can upload any arbitrary file (executables, scripts, etc.) by sending Content-Type: application/octet-stream, completely bypassing the intended whitelist restriction. Remove application/octet-stream from the set and rely on the explicit type list for validation.
File: server/routes/supportIntake.ts:40
Complexity: simple
Found by: nightly code review (e49ba03c fix(MC-3526): scope role-phrase stripping to user instruction fields)
Auto-fix skipped: Luci-side scheduled autofix is disabled by default; Larry owns LegalMind code changes.
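The weak allowlist beside the corrected one, with the declared-type check that gates uploads, as an added example written for this page; it is not code from LegalMind's supportIntake.ts. The concrete allowed types, the function names and the result shape are assumptions; only the catch-all entry and the 415 rejection come from the ticket.

```typescript
// Added example, not LegalMind's supportIntake.ts. The allowed types below
// are assumed; the ticket only names the catch-all entry that was removed.

// Before the fix: the catch-all entry makes every declared type pass.
const ALLOWED_SUPPORT_ATTACHMENT_MIME_BEFORE = new Set<string>([
  "application/pdf",
  "image/png",
  "image/jpeg",
  "application/octet-stream", // universal catch-all: defeats the list
]);

// After the fix: only explicitly named types are accepted.
const ALLOWED_SUPPORT_ATTACHMENT_MIME = new Set<string>([
  "application/pdf",
  "image/png",
  "image/jpeg",
]);

// Normalise a raw Content-Type header: drop parameters (charset, boundary),
// trim and lower-case, so "Image/PNG; charset=binary" still matches the list.
function normalizeContentType(raw: string | undefined): string {
  if (!raw) return "";
  const first = raw.split(";")[0] ?? "";
  return first.trim().toLowerCase();
}

interface AttachmentCheck {
  status: number; // 200 when accepted, 415 Unsupported Media Type otherwise
  reason: string;
}

// Validate the declared type against an allowlist. The header is chosen by
// the client, so this gates only what the upload claims to be.
function checkAttachmentType(
  rawContentType: string | undefined,
  allowed: Set<string> = ALLOWED_SUPPORT_ATTACHMENT_MIME,
): AttachmentCheck {
  const type = normalizeContentType(rawContentType);
  if (!allowed.has(type)) {
    return { status: 415, reason: `unsupported attachment type: ${type || "<missing>"}` };
  }
  return { status: 200, reason: "ok" };
}
```

With the old set, `checkAttachmentType("application/octet-stream")` returns 200 and the list is effectively a no-op; with the corrected set it returns 415.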
Activity
Worker died unexpectedly.
**Worker PID:** unknown
**OOM kill:** unknown
**Exit signal / dmesg:** unknown
**Last tool_use:** none
**tmux target:** none recorded
**Last pane output:**
```
[no pane output captured]
```
Reset to Todo to retry, or provide additional context.
luci · 27d ago
Luci dispatching this ticket to Larry (background worker via SSH).
luci · 27d ago
Larry: Planning — Tier 1 one-line fix, remove application/octet-stream from MIME whitelist
PROGRESS: Building — removing application/octet-stream from MIME whitelist
PROGRESS: Testing — running tests and typecheck
Pre-existing TS errors unrelated to my change. Committing.
PROGRESS: Done — removed application/octet-stream from MIME whitelist
luci · 27d ago
Completed on Larry:
Removed `application/octet-stream` from `ALLOWED_SUPPORT_ATTACHMENT_MIME` in `server/routes/supportIntake.ts:40` so the universal catch-all type can no longer bypass the explicit allowed-types list. Support-intake test suite (11 tests) passes; pre-existing TS errors in unrelated files unchanged. Committed as `e1c6f9a` on staging.
luci · 27d ago
Larry: Triggering post-completion code review...
luci · 27d ago
Code review (Larry reviewer via claude/opus):
Removes `application/octet-stream` from the support attachment MIME whitelist, closing the type-restriction bypass.
MINOR: server/routes/supportIntake.ts:37 — Consider adding a test asserting octet-stream uploads are rejected, to prevent regression. Not blocking.
VERDICT: PASS
luci · 27d ago
Larry shipped with clean code review. Auto-dispatching Luci-reviewer (verdict: clean). Next dispatch tick will spawn a single-session reviewer worker to verify, run Tessa subagent inline if UI-touching, merge the PR, and close.
luci · 27d ago
For review:
Fix verified on Larry.
DONE: Verified MC-3567 fix on Larry (legalmind-explorer, staging). Commit `e1c6f9a` removed `application/octet-stream` from `ALLOWED_SUPPORT_ATTACHMENT_MIME` — octet-stream uploads now hit the `!has(rawContentType)` check at supportIntake.ts:365 and get rejected with 415, closing the type-restriction bypass. Commit already pushed to origin/staging; code review PASS (only a non-blocking suggestion to add a regression test). No further changes needed.
luci-operator · 27d ago
Luci Operator corrected this ticket: worker completion evidence shows `DONE` with shipped/commit proof, so this is no longer blocked or awaiting review.