
Derived file upload content type from extension instead of client #26751

Merged
kevinansfield merged 1 commit into main from file-upload-content-type on Mar 10, 2026

Conversation

@kevinansfield
Member

The /files/upload endpoint now determines the MIME type from the
file extension server-side rather than trusting the client-provided
value, preventing content type spoofing on S3/GCS storage backends.

@coderabbitai
Contributor

coderabbitai bot commented Mar 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3e8ea202-68e8-4c0d-b044-ca7eb68ee643

📥 Commits

Reviewing files that changed from the base of the PR and between 292bdc3 and 6da0e97.

📒 Files selected for processing (2)
  • ghost/core/core/server/api/endpoints/files.js
  • ghost/core/test/e2e-api/admin/files.test.js

Walkthrough

The pull request modifies how file MIME types are determined when uploading files. The implementation change in files.js replaces reliance on client-provided MIME types with filename-based detection using the mime-types library, falling back to application/octet-stream if detection fails. A corresponding end-to-end test is added to verify that files uploaded with incorrect MIME types have their content type correctly derived from the file extension instead.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: deriving file upload content type from extension instead of trusting the client-provided value.
Description check | ✅ Passed | The description is directly related to the changeset, explaining the security rationale for determining MIME type server-side from file extensions instead of client-provided values.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

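The change the PR description and the bot walkthrough describe, as an added example that is not Ghost's own code: the client-trusting version beside the extension-derived version. Per the walkthrough, Ghost's files.js uses the `mime-types` package; so that this example runs offline, a small inline `Map` stands in for that package's `lookup()` and, like it, yields `false` for an unknown extension. The upload objects, their field names (`name`, `clientMimeType`) and the `contentTypeFrom*` helpers are constructed for illustration.

```javascript
'use strict';

// Stand-in for the `mime-types` package's lookup(): a small extension -> MIME
// table so the example runs offline. Like mime-types, an unknown extension
// resolves to false. (Constructed for this example; not Ghost code.)
const EXT_TO_MIME = new Map([
  ['png', 'image/png'],
  ['jpg', 'image/jpeg'],
  ['jpeg', 'image/jpeg'],
  ['gif', 'image/gif'],
  ['pdf', 'application/pdf'],
  ['txt', 'text/plain'],
  ['html', 'text/html'],
  ['json', 'application/json'],
]);

// Mimics path.extname(): extension of the last path segment, without the dot,
// lower-cased; '' when there is no extension or for dotfiles such as ".htaccess".
function extensionOf(filename) {
  const base = filename.slice(filename.lastIndexOf('/') + 1);
  const dot = base.lastIndexOf('.');
  return dot <= 0 ? '' : base.slice(dot + 1).toLowerCase();
}

// A Map rather than a plain object so that names like "file.constructor" do
// not accidentally hit Object.prototype properties.
function lookupMime(filename) {
  return EXT_TO_MIME.get(extensionOf(filename)) || false;
}

const FALLBACK_TYPE = 'application/octet-stream';

// Before the fix: the Content-Type stored on S3/GCS is whatever the client put
// in the multipart part header, so the stored type and the file can disagree.
function contentTypeFromClient(upload) {
  return upload.clientMimeType;
}

// After the fix: the type is derived server-side from the filename extension,
// falling back to application/octet-stream when the extension is unknown.
function contentTypeFromExtension(upload) {
  return lookupMime(upload.name) || FALLBACK_TYPE;
}

// Constructed sample uploads ({ name, clientMimeType }) as an upload handler
// might see them; all but the first carry a client type that does not match
// the extension.
const SAMPLE_UPLOADS = [
  { name: 'report.pdf', clientMimeType: 'application/pdf' },
  { name: 'page.html', clientMimeType: 'image/png' },
  { name: 'blob.xyz', clientMimeType: 'image/jpeg' },
  { name: 'Photo.JPG', clientMimeType: 'text/plain' },
];

// Side-by-side result per upload, plus whether the client value was overridden.
function compareUploads(uploads) {
  return uploads.map((u) => {
    const fromClient = contentTypeFromClient(u);
    const derived = contentTypeFromExtension(u);
    return { name: u.name, fromClient, derived, overridden: fromClient !== derived };
  });
}

for (const row of compareUploads(SAMPLE_UPLOADS)) {
  console.log(
    `${row.name}: client=${row.fromClient} derived=${row.derived}` +
      (row.overridden ? ' (overridden)' : '')
  );
}
```

The derived value is what the storage adapter should send as the object's Content-Type; the client header then has no influence over how S3/GCS later serves the object. Extension-derived typing is a tighter policy than trusting the multipart header, but it is still a filename lookup rather than content inspection, so a deployment that needs stronger guarantees can add an extension allowlist on top of it.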

@kevinansfield kevinansfield enabled auto-merge (squash) March 10, 2026 11:47
@kevinansfield kevinansfield merged commit d659e75 into main Mar 10, 2026
31 checks passed
@kevinansfield kevinansfield deleted the file-upload-content-type branch March 10, 2026 12:13
peterzimon pushed a commit that referenced this pull request Mar 10, 2026
…6751)

ref https://linear.app/ghost/issue/ONC-1525/

The /files/upload endpoint now determines the MIME type from the
file extension server-side rather than trusting the client-provided
value, preventing content type spoofing on S3/GCS storage backends.