# SEC-03 — File Upload Security

**Category:** security  
**Generated:** 2026-05-19T21:36:13.854582  

**Target Files:**
- `app/Services/MediaUploadService.php`
- `app/Http/Controllers/Admin/MediaLibraryController.php`
- `app/Http/Controllers/Admin/ProductController.php`
- `app/Http/Controllers/Admin/BlogPostController.php`
- `app/Http/Controllers/Frontend/CareerController.php`

---

You are an expert Laravel security & UI auditor.
Project: CRIUS COMPRESSOR — Laravel 12, Tailwind CSS, Alpine.js, Bilingual ID/EN.
Stack: PHP 8.3, Laravel 12, MySQL, Tailwind CSS v3, Alpine.js v3.
Design system: CSS variables --navy, --blue-light, --accent, font Montserrat.
Admin layout: resources/views/layouts/admin.blade.php
Frontend layout: resources/views/layouts/app.blade.php
Helpers: setting(), locale_field(), active_locale() in app/Helpers/helpers.php
Bilingual: field _id / _en suffix, middleware SetLocale, URL prefix /en.

YOUR OUTPUT RULES:
1. If there is a BUG or a STANDARDS VIOLATION → write the fix directly (complete code, not suggestions).
2. Output format: [FILE PATH] → [PROBLEM] → [FIX CODE].
3. If the file is already correct → write "✓ OK: [short reason]".
4. DO NOT add long explanations. Go straight to the code.
5. Priority: CRITICAL > HIGH > MEDIUM > LOW.

============================================================
TASK: File upload security audit.

CHECK EVERY UPLOAD HANDLER:
1. app/Services/MediaUploadService.php: is there MIME type validation (not only an extension check)?
2. Does it use file->getMimeType() (content sniffing) or only getClientOriginalExtension() (client-supplied name)?
3. Are stored files given a random name (not the user's original file name)?
4. Is there a size limit per upload?
5. Are PDF files from career applications (CV upload) scanned, or at minimum validated as genuine PDFs?
6. Does the storage disk use 'public' or 'local'? Files that may be reached from the web must ONLY live in storage/app/public.
7. Is there a path traversal risk in the file name?
8. Is there validation that the file is not an executable (.php, .exe, .sh)?

A FIX IS MANDATORY for:
- MIME validation + extension whitelist
- Random filename generator
- Size limit
- Blocking dangerous extensions

Example of a hardened MediaUploadService.php fix:
[write the complete code of a store() method that is safe]
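The following is an added reference example of what a hardened `store()` method covering all eight checks above could look like. It is not the project's existing `MediaUploadService` code: the allow-list, the size limits, the `$directory`/`$disk` parameters and the exception types are assumptions chosen for illustration, and only Laravel 12 / Symfony `UploadedFile` methods that exist (`isValid()`, `getClientOriginalExtension()`, `getMimeType()`, `getSize()`, `getRealPath()`, `storeAs()`) are used.

```php
<?php

namespace App\Services;

use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;
use InvalidArgumentException;
use RuntimeException;

/**
 * Added example of a hardened upload service (not the project's current code).
 * Assumes Laravel 12: the 'public' disk maps to storage/app/public (web-reachable),
 * the 'local' disk maps to storage/app/private (never served directly).
 */
class MediaUploadService
{
    // Allow-list: extension => MIME types accepted when sniffed from file CONTENT.
    // Anything not listed (.php, .phtml, .exe, .sh, .svg, ...) is rejected by default.
    private const ALLOWED = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'webp' => ['image/webp'],
        'pdf'  => ['application/pdf'],
    ];

    // Per-category size limits in bytes (assumed values; tune per product need).
    private const MAX_BYTES = [
        'image' => 5 * 1024 * 1024,
        'pdf'   => 10 * 1024 * 1024,
    ];

    /**
     * Validates and stores an upload; returns the path relative to the disk.
     * Pass $disk = 'local' for files that must never be web-accessible (e.g. CVs).
     */
    public function store(UploadedFile $file, string $directory = 'media', string $disk = 'public'): string
    {
        if (!$file->isValid()) {
            throw new InvalidArgumentException('Upload failed or was incomplete.');
        }

        // 1. The LAST extension of the client name must be in the allow-list, so a name
        //    like "shell.php.jpg" is judged on "jpg" and "shell.jpg.php" is rejected on "php".
        $ext = strtolower($file->getClientOriginalExtension());
        if (!array_key_exists($ext, self::ALLOWED)) {
            throw new InvalidArgumentException("File type .{$ext} is not allowed.");
        }

        // 2. MIME type sniffed from the bytes (finfo), never the Content-Type the browser sent.
        $mime = $file->getMimeType();
        if (!in_array($mime, self::ALLOWED[$ext], true)) {
            throw new InvalidArgumentException("Content type {$mime} does not match .{$ext}.");
        }

        // 3. Size limit enforced server-side regardless of any client-side limit.
        $category = $ext === 'pdf' ? 'pdf' : 'image';
        if ($file->getSize() > self::MAX_BYTES[$category]) {
            throw new InvalidArgumentException('File exceeds the size limit.');
        }

        // 4. Deeper content checks: an image must actually decode, a PDF must carry the
        //    "%PDF-" header. This catches renamed files, not malicious-but-valid PDFs;
        //    a real scanner (e.g. ClamAV) would be the next layer for CV uploads.
        if ($category === 'image' && @getimagesize($file->getRealPath()) === false) {
            throw new InvalidArgumentException('Image could not be decoded.');
        }
        if ($category === 'pdf') {
            $head = file_get_contents($file->getRealPath(), false, null, 0, 5);
            if ($head !== '%PDF-') {
                throw new InvalidArgumentException('File is not a PDF.');
            }
        }

        // 5. Server-generated random name: the client-supplied name never touches the
        //    filesystem, so "../" sequences or odd characters cannot steer the path.
        $name = Str::uuid()->toString() . '.' . $ext;

        // 6. The target directory is reduced to a plain relative segment; no user input
        //    should ever be passed here, but the filter makes that mistake harmless.
        $directory = trim((string) preg_replace('/[^a-z0-9_\/-]/i', '', $directory), '/');

        // storeAs() returns the relative path within the disk (e.g. "media/<uuid>.jpg")
        // or false on failure.
        $path = $file->storeAs($directory, $name, $disk);
        if ($path === false) {
            throw new RuntimeException('Could not write the uploaded file.');
        }

        return $path;
    }
}
```

Usage in the controllers would be `$service->store($request->file('image'), 'media')` for the media library and `$service->store($request->file('cv'), 'careers', 'local')` for career applications, so CVs land outside `storage/app/public` and are only handed out through an authenticated admin route (`Storage::disk('local')->download($path)`). Keep the request-level rule (`'file|mimes:jpg,jpeg,png,webp,pdf|max:10240'`) as well: Laravel's `mimes` rule also sniffs content, so the two layers back each other up if one is edited carelessly later.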
