提取文件头签名，因为它直接流式传输到 ASP.NET Core 中的磁盘

Question

I have an API method that streams uploaded files directly to disk to be scanned with a virus checker. Some of these files can be quite large, so IFormFile is a no go:

Any single buffered file exceeding 64 KB is moved from memory to a temp file on disk. Source: https://docs.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads?view=aspnetcore-3.1

I have a working example that uses multipart/form-data and a really nice NuGet package that takes out the headache when working with multipart/form-data , and it works well, however I want to add a file header signature check , to make sure that the file type defined by the client is actually what they say it is. I can't rely on the file extension to do this securely, but I can use the file header signature to make it at least a bit more secure. Since I'm am streaming directly to disk, how can I extract the first bytes as it's going through the file stream?

[DisableFormValueModelBinding] // required for form binding
[ValidateMimeMultipartContent] // simple check to make sure this is a multipart form
[FileUploadOperation(typeof(SwaggerFileItem))] // used to define the Swagger schema
[RequestSizeLimit(31457280)] // 30MB
[RequestFormLimits(MultipartBodyLengthLimit = 31457280)]
public async Task<IActionResult> PostAsync([FromRoute] int customerId)
{
    // place holders
    var uploadLocation = string.Empty;
    var trustedFileNameForDisplay = string.Empty;

    // this is using a nuget package that does the hard work on reading the multipart form-data.... using UploadStream;
    var model = await this.StreamFiles<FileItem>(async x =>
    {
        // never trust the client
        trustedFileNameForDisplay = WebUtility.HtmlEncode(Path.GetFileName(x.FileName));

        // determien the quarantine location
        uploadLocation = GetUploadLocation(trustedFileNameForDisplay);

        // stream the input stream to the file stream
        // importantly this should never load the file into memory
        // it should be a straight pass through to disk
        await using var fs = System.IO.File.Create(uploadLocation, BufSize);
        
        // --> How do I extract the file signature? I.e. a copy of the header bytes as it is being streamed??? <--
        await x.OpenReadStream().CopyToAsync(fs);
    });

    // The model state can now be checked
    if (!ModelState.IsValid)
    {
        // delete the file
        DeleteFileIfExists(uploadLocation);

        // return a bad request
        ThrowProblemDetails(ModelState, StatusCodes.Status400BadRequest);
    }

    // map as much as we can
    var request = _mapper.Map<CreateAttachmentRequest>(model);

    // map the remaining properties
    request.CustomerId = customerId;
    request.UploadServer = Environment.MachineName;
    request.uploadLocation = uploadLocation;
    request.FileName = trustedFileNameForDisplay;

    // call mediator with this request to send it over WCF to Pulse Core.
    var result = await _mediator.Send(request);

    // build response
    var response = new FileResponse { Id = result.FileId, CustomerId = customerId, ExternalId = request.ExternalId };

    // return the 201 with the appropriate response
    return CreatedAtAction(nameof(GetFile), new { fileId = response.Id, customerId = response.customerId }, response);
}

The section I'm stuck on is around the line await x.OpenReadStream().CopyToAsync(fs); . I would like to pull out the file header here as the stream is being copied to the FileStream . Is there a way to add some kind of inspector? I don't want to read the entire stream again , just the header.

Update

Based on the answer given by @Ackdari I have successfully switched the code to extract the header from the uploaded file stream. I don't know if this could be made any more efficient, but it does work:

//...... removed for clarity
var model = await this.StreamFiles<FileItem>(async x =>
{
    trustedFileNameForDisplay = WebUtility.HtmlEncode(Path.GetFileName(x.FileName));
    quarantineLocation = QuarantineLocation(trustedFileNameForDisplay);

    await using (var fs = System.IO.File.Create(quarantineLocation, BufSize))
    {
        await x.OpenReadStream().CopyToAsync(fs);

        fileFormat = await FileHelpers.GetFileFormatFromFileHeader(fs);
    }
});
//...... removed for clarity

and

// using https://github.com/AJMitev/FileTypeChecker
public static async Task<IFileType> GetFileFormatFromFileHeader(FileStream fs)
{
    IFileType fileFormat = null;
    fs.Position = 0;
    var headerData = new byte[40];
    var bytesRead = await fs.ReadAsync(headerData, 0, 40);
    if (bytesRead > 0)
    {
        await using (var ms = new MemoryStream(headerData))
        {
            if (!FileTypeValidator.IsTypeRecognizable(ms))
            {
                return null;
            }

            fileFormat = FileTypeValidator.GetFileType(ms);
        }
    }

    return fileFormat;
}

Answer 1

You may want to consider reading the header yourself dependent on which file type is expected

int n = 4; // length of header

var headerData = new byte[n];
var bytesRead = 0;
while (bytesRead < n)
    bytesRead += await x.ReadAsync(headerData.AsMemory(bytesRead));

CheckHeader(headerData);

await fs.WriteAsync(headerData.AsMemory());

await x.CopyToAsync(fs);