I created an image upload api and perform some validations on the uploaded file.
To ensure security, I also asked a white hat to test it out and he sent me a test file which is clearly not an image but could still be uploaded.
I don't really understand why, because the UploadedFile is clearly showing a different mimeType, so I thought it's best to ask if this is a bug:
    use Illuminate\Support\Facades\Validator;

    $request = request()->all();
    if (!array_key_exists("file", $request)) {
        return response()->json(['message' => 'No file was uploaded.'], 400);
    }

    $validator = Validator::make(
        $request,
        ['file' => ['required', 'image', 'mimes:jpeg,png,jpg,gif,webp', 'max:1024']]
    );

    if ($validator->fails()) {
        return response()->json(['message' => $validator->errors()->first()], 422);
    }
The Uploaded File Object:
[2025-02-24 15:37:06] local.INFO: Array
(
[file] => Illuminate\Http\UploadedFile Object
(
[test:Symfony\Component\HttpFoundation\File\UploadedFile:private] =>
[originalName:Symfony\Component\HttpFoundation\File\UploadedFile:private] => test.html
[mimeType:Symfony\Component\HttpFoundation\File\UploadedFile:private] => text/html
[error:Symfony\Component\HttpFoundation\File\UploadedFile:private] => 0
[hashName:protected] =>
[pathName:SplFileInfo:private] => .......\Temp\php8B27.tmp
[fileName:SplFileInfo:private] => php8B27.tmp
)
)
Here's the test file as well, saved as a zip:
Also: the file size check does not seem to work on this file either. If I reduce the size to 1, it still passes.
Let me know if I did anything wrong, missed something or if this is indeed a bug.
Thx ^^
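As an added example (not the poster's code and not Laravel's), here is a plain-PHP set of layered, content-based checks that could run beside the Validator rules above; it assumes only PHP's bundled fileinfo extension and the standard getimagesizefromstring(), and the GIF and HTML byte strings are constructed samples.

```php
<?php
// Added example, not the poster's or Laravel's code: plain-PHP, content-based checks that never
// trust the client-declared MIME type (the [mimeType] in the dump above is what the browser sent).
// Allowed types and the 1024 KB limit mirror the post's rules; 'max' on a file is documented in KB.

const ALLOWED_MIMES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
const EXT_TO_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
                     'gif' => 'image/gif', 'webp' => 'image/webp'];
const MAX_BYTES = 1024 * 1024;

/** Returns the reasons the upload is rejected; an empty array means every layer passed. */
function checkImageUpload(string $data, string $clientName, string $clientMime): array
{
    $reasons = [];
    if (strlen($data) === 0 || strlen($data) > MAX_BYTES) {
        $reasons[] = 'size ' . strlen($data) . ' bytes is outside 1..' . MAX_BYTES;
    }

    // Layer 1: sniff the bytes with fileinfo, the same mechanism Symfony's MIME guesser relies on.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($data) ?: 'unknown';
    if (!in_array($sniffed, ALLOWED_MIMES, true)) {
        $reasons[] = "sniffed type {$sniffed} is not an allowed image type";
    }

    // Layer 2: parse the image header. Catches files fileinfo misclassifies, but does not prove the
    // whole body is pixel data, so it complements layer 1 rather than replacing it.
    $info = getimagesizefromstring($data);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        $reasons[] = 'content does not parse as an image';
    } elseif ($info['mime'] !== $sniffed) {
        $reasons[] = "header says {$info['mime']} but fileinfo says {$sniffed}";
    }

    // Layer 3: the client-supplied name and MIME must agree with what the bytes say.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ((EXT_TO_MIME[$ext] ?? null) !== $sniffed) {
        $reasons[] = "extension .{$ext} does not match sniffed type {$sniffed}";
    }
    if ($clientMime !== $sniffed) {
        $reasons[] = "client-declared {$clientMime} does not match sniffed type {$sniffed}";
    }
    return $reasons;
}

// Constructed samples: a 1x1 transparent GIF, and an HTML document named like the reported test.html.
$gif  = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x00"
      . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$html = "<!DOCTYPE html>\n<html><body><p>not an image</p></body></html>\n";
var_dump(checkImageUpload($gif, 'pixel.gif', 'image/gif'));
var_dump(checkImageUpload($html, 'test.html', 'text/html'));
```

Because a header check cannot rule out foreign data appended to a valid image, a stricter deployment re-encodes accepted uploads through GD or Imagick before storing them and serves them with `X-Content-Type-Options: nosniff` so a browser never interprets the stored bytes as HTML.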