Download the PHP package abdian/laravel-upload-guard without Composer

On this page you can find all versions of the php package abdian/laravel-upload-guard. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package laravel-upload-guard

# 🛡️ Laravel Upload Guard

**Fail-closed file-upload validation for Laravel.**

A defense-in-depth layer that detects and blocks common malicious uploads (polyglot web shells, malicious PDFs & SVGs, zip bombs, Office macros, and spoofed MIME types) using structural parsing and content sanitization, not just regex.

*Not an antivirus, and not a sole security boundary; see [Limitations](#limitations--not-a-security-boundary).*

[![Latest Version](https://img.shields.io/packagist/v/abdian/laravel-upload-guard.svg?style=flat-square)](https://packagist.org/packages/abdian/laravel-upload-guard) [![Total Downloads](https://img.shields.io/packagist/dt/abdian/laravel-upload-guard.svg?style=flat-square)](https://packagist.org/packages/abdian/laravel-upload-guard) [![Tests](https://img.shields.io/github/actions/workflow/status/abdian/laravel-upload-guard/tests.yml?branch=main&label=tests&style=flat-square)](https://github.com/abdian/laravel-upload-guard/actions/workflows/tests.yml) [![PHP Version](https://img.shields.io/packagist/php-v/abdian/laravel-upload-guard.svg?style=flat-square)](https://packagist.org/packages/abdian/laravel-upload-guard) [![License](https://img.shields.io/packagist/l/abdian/laravel-upload-guard.svg?style=flat-square)](LICENSE)

## Why?

Laravel's built-in `mimes` / `mimetypes` rules trust the client-declared type and a coarse extension map. An attacker can upload `shell.php` renamed to `avatar.jpg`, a real JPEG with PHP appended after the image data (a polyglot web shell), an SVG carrying `<script>`, a PDF with an auto-run `/JavaScript` action, or a 42 KB zip that expands to petabytes. None of those are caught by extension checks.

Upload Guard inspects the actual bytes (magic structure, decoded PDF/zip streams, sanitized SVG/Office internals) and blocks anything it cannot prove is safe.

### 🔒 Design principle: fail closed

When the package cannot be sure a file is safe, it blocks the upload. Unknown content types, unparsable containers, and scanner exceptions all resolve to reject, never to allow. Stricter than lax validators by design. It raises the bar a lot, but content scanning is best-effort: pair it with the operational hardening steps below.


## Threat coverage

| Threat | How Upload Guard handles it |
|---|---|
| 🐚 Polyglot web shells (PHP in JPEG / PDF / ZIP) | Always-on code scan on every upload, regardless of detected type |
| 🎭 Spoofed MIME / double extension | Structural byte detection + strict extension ↔ content matching |
| 🖼️ Malicious SVG (XSS / XXE) | Allowlist sanitization; DOCTYPE/entity/script stripping; stored clean |
| 📄 Malicious PDF (`/JavaScript`, `/OpenAction`, `/Launch`) | Decode-before-scan, indirect `/Filter` resolution, bounded inflation |
| 💣 Zip bombs & zip-slip | Global actual-bytes cap across nested archives; traversal / symlink / NTFS-ADS rejection |
| 📎 Office macros + macro-less RCE | OOXML and legacy OLE/CFB; VBA, ActiveX, DDE/DDEAUTO, remote attachedTemplate |
| 🧨 Image decompression bombs | Header pixel/byte cap before any decode; optional re-encode to strip payloads |
| 🌊 Upload DoS | Hard size caps + optional per-IP rate limiting + opt-in forensic quarantine |

## Installation

The service provider is auto-discovered. Publish the (fully commented) config to tune behavior:

### Requirements

| Component | Supported |
|---|---|
| PHP | 8.1 · 8.2 · 8.3 · 8.4 · 8.5 |
| Laravel | 10 · 11 · 12 · 13 |
| Required extensions | `fileinfo`, `zip`, `dom`, `libxml` |
| Optional extensions | `exif` (EXIF inspection/stripping) · `gd` or `imagick` (image re-encode mode) |

Optional extensions degrade gracefully: the package installs and runs without them.


## Quick start

The single `safeguard` rule runs the following by default, with no fluent calls required:

- ✅ structural MIME detection + dangerous-type blocking
- ✅ strict extension/content matching
- ✅ always-on code scanning
- ✅ SVG sanitization
- ✅ image & PDF scanning
- ✅ archive and Office-macro scanning


## Usage

### With Laravel's `mimes` rule

`safeguard` reads the allowed extensions and enforces that the file's real content type matches them.

### Fluent configuration

### Individual rules

Compose only the scanners you need:

| Rule | Description |
|---|---|
| `safeguard` | All-in-one, fail-closed pipeline |
| `safeguard_mime:type1,type2` | Real content-type allowlist (+ dangerous-type block) |
| `safeguard_php` | Always-on PHP/script code scan |
| `safeguard_svg` | Allowlist SVG sanitization |
| `safeguard_image` | Image bomb / metadata / byte / trailing-data scan |
| `safeguard_pdf` | Decode-before-scan PDF analysis |
| `safeguard_archive` | Streaming archive inspection (zip/tar/gz) |
| `safeguard_office` | OOXML + legacy OLE macro / DDE / template detection |
| `safeguard_dimensions:maxW,maxH,minW,minH` | Image dimension limits |
| `safeguard_pages:min,max` | PDF page-count limits |

Note on `safeguard_archive` string params: parameters are added to the block list (e.g. `safeguard_archive:iso,bin` also blocks `.iso`/`.bin`). To allow an otherwise-blocked extension, use the fluent rule: `(new SafeguardArchive)->allow(['sh'])`.


## Fluent API reference

All methods on `Abdian\UploadGuard\Rules\Safeguard` return `$this` (chainable).

| Method | Effect |
|---|---|
| `allowedMimes(array $mimes)` | Restrict to a real-content-type allowlist (`'image/*'` wildcards supported) |
| `imagesOnly()` / `pdfsOnly()` / `documentsOnly()` / `archivesOnly()` | Restrict to a file family |
| `maxDimensions(int $w, int $h)` / `minDimensions(int $w, int $h)` | Image dimension bounds |
| `dimensions(int $minW, int $minH, int $maxW, int $maxH)` | All four bounds at once |
| `maxPages(int)` / `minPages(int)` / `pages(int $min, int $max)` | PDF page-count bounds |
| `blockGps()` | Reject images that contain GPS/EXIF location data |
| `stripMetadata()` | Strip metadata from images |
| `blockJavaScript()` | Reject PDFs containing JavaScript |
| `blockExternalLinks()` | Reject PDFs containing external links |
| `strictExtensionMatching(bool = true)` | Force/disable extension ↔ content matching |
| `scanArchives(bool = true)` | Toggle archive scanning (on by default) |
| `blockMacros(bool = true)` / `allowMacros()` | Toggle Office-macro blocking (on by default) |
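Putting the quick-start string rule, the `mimes` pairing, an individual rule with string params, and the fluent API together in one controller. This is an added example, not code from the package's README; the `Safeguard` class path and its methods come from the reference above, while the controller, field names and bounds are assumptions.

```php
<?php
// Added example, not from the package README. Assumes Laravel's standard
// request validation; the Safeguard rule class and its fluent methods are
// the ones listed above, the controller and field names are made up.
namespace App\Http\Controllers;

use Abdian\UploadGuard\Rules\Safeguard;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class UploadController extends Controller
{
    public function store(Request $request): JsonResponse
    {
        $request->validate([
            // Quick start: the bare string rule runs the whole fail-closed pipeline.
            // Paired with `mimes`, safeguard also requires the REAL content type
            // (by byte structure, not the filename) to match one of these extensions.
            'attachment' => ['required', 'file', 'mimes:jpg,png,pdf', 'safeguard'],

            // Fluent form: images only, bounded pixel size (the first line of
            // defense against decompression bombs), no location metadata.
            'avatar' => ['required', 'file',
                (new Safeguard)
                    ->imagesOnly()
                    ->dimensions(64, 64, 4096, 4096)
                    ->blockGps()
                    ->stripMetadata(),
            ],

            // PDFs: cap the page count and reject active content.
            'report' => ['nullable', 'file',
                (new Safeguard)
                    ->pdfsOnly()
                    ->pages(1, 200)
                    ->blockJavaScript()
                    ->blockExternalLinks(),
            ],

            // Individual rule with string params: these extensions are ADDED to
            // the archive block list, they do not replace it.
            'bundle' => ['nullable', 'file', 'safeguard_archive:iso,bin'],
        ]);

        // Only files that passed every scanner reach this point.
        $path = $request->file('attachment')->store('uploads');

        return response()->json(['stored' => $path]);
    }
}
```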

## Configuration

The published `config/safeguard.php` is fully commented; highlights:

Every key is also overridable via environment variables (e.g. `SAFEGUARD_ARCHIVE_SCAN`, `SAFEGUARD_SVG_MODE`, `SAFEGUARD_IMAGE_REENCODE`).


## How it works

### Always-on code scanning

Every upload is scanned for PHP/script openers (``, `<%`, `__halt_compiler`) **regardless of detected type**: a valid image/PDF/ZIP header never exempts a file, so polyglot web shells appended after a magic header are caught. The dangerous-function layer only triggers inside real PHP regions, so `.js`/`.py`/`.csv` text never false-positives.
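The two properties described above (openers searched over the whole file whatever the magic bytes say, and the dangerous-function check confined to real PHP regions) in a small stand-alone scanner. This is an added illustration, not the package's own scanner; the opener and function lists are assumptions chosen to match the description.

```php
<?php
// Added example, not the package's own scanner. Openers are searched over the
// ENTIRE byte string, whatever the leading magic bytes say; the dangerous-function
// check only applies inside regions that really begin with a PHP opener.
const SCRIPT_OPENERS = ['<?php', '<?=', '<%', '__halt_compiler'];   // assumed list
const DANGEROUS_FUNCTIONS = ['eval', 'system', 'shell_exec', 'passthru', 'exec'];

/** Byte ranges [start, end) of "<?php"/"<?=" ... "?>" (or EOF) regions. */
function phpRegions(string $bytes): array
{
    $regions = [];
    $offset = 0;
    while (preg_match('/<\?(php|=)/i', $bytes, $m, PREG_OFFSET_CAPTURE, $offset)) {
        $start = $m[0][1];
        $close = strpos($bytes, '?>', $start);
        $end = $close === false ? strlen($bytes) : $close + 2;
        $regions[] = [$start, $end];
        $offset = $end;
    }
    return $regions;
}

/** Reasons to reject the upload; an empty array means nothing was found. */
function scanForCode(string $bytes): array
{
    $reasons = [];
    $lower = strtolower($bytes);
    foreach (SCRIPT_OPENERS as $opener) {             // never exempted by a magic header
        $pos = strpos($lower, strtolower($opener));
        if ($pos !== false) {
            $reasons[] = sprintf('script opener %s at offset %d', $opener, $pos);
        }
    }
    foreach (phpRegions($bytes) as [$start, $end]) {   // only inside real PHP regions
        $region = strtolower(substr($bytes, $start, $end - $start));
        foreach (DANGEROUS_FUNCTIONS as $fn) {
            if (preg_match('/\b' . $fn . '\s*\(/', $region)) {
                $reasons[] = "dangerous call {$fn}() inside PHP region at offset {$start}";
            }
        }
    }
    return $reasons;
}

// Constructed samples: a JPEG header with PHP appended after the image bytes, and
// ordinary JavaScript that calls eval() outside any PHP region.
$polyglot = "\xFF\xD8\xFF\xE0" . str_repeat('A', 64) . "<?php echo 1; ?>";
$script   = "const cfg = eval(document.body.dataset.cfg);";
var_dump(scanForCode($polyglot) !== []);   // bool(true): rejected despite the JPEG magic
var_dump(scanForCode($script) === []);     // bool(true): JS text is not a false positive
```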
### Structural MIME detection

Classifies by byte structure (≥512-byte header window), disambiguates OLE/ftyp/RIFF/ZIP families (real `.xls` → Excel, JAR/APK detected), validates short signatures, and returns *untrusted* (`null`) for unknown content, never "binary safe".
### SVG sanitization

SVGs run through an allowlist sanitizer and the **cleaned output is stored**. Unquoted handlers, encoded `javascript:` URIs, `