fix: add secondary PDF mimeType validation and tests (#14529)

jessrynkar · web-flow · commit ce479abddc5c · 2025-11-13T14:49:22.000Z
### What? Adds a basic secondary PDF validation step that runs **after** `fileTypeFromBuffer`. ### Why? `fileTypeFromBuffer` is our final mime type check, and currently it will incorrectly identify any file that starts with `%PDF-1.x` as a PDF. We are providing some additional **basic** PDF validation steps. We have opened an [issue](sindresorhus/file-type#780) on the [file-type repo](https://github.com/sindresorhus/file-type) to see if PDF detection can be improved. Update: they said the package is only for a hint detection, they won't support full PDF validation. ### How? Introduces a minimal PDF validation function that inspects the decoded file buffer for required structural elements: - Ensures the file begins with a valid `%PDF-1.` header - Confirms the presence of the required `EOF` marker and `xref` ### Considerations These additional steps will help filter out invalid PDFs but can still be intentionally manipulated. Adding a separate PDF validation library might be necessary if this is something we choose to support. We can revisit it in the future if stronger PDF validation becomes necessary. Fixes [14434](#14434)
diff --git a/packages/payload/src/uploads/checkFileRestrictions.ts b/packages/payload/src/uploads/checkFileRestrictions.ts
@@ -4,6 +4,7 @@ import type { checkFileRestrictionsParams, FileAllowList } from './types.js'
 
 import { ValidationError } from '../errors/index.js'
 import { validateMimeType } from '../utilities/validateMimeType.js'
+import { validatePDF } from '../utilities/validatePDF.js'
 import { detectSvgFromXml } from './detectSvgFromXml.js'
 
 /**
@@ -63,6 +64,14 @@ export const checkFileRestrictions = async ({
       ? (uploadConfig as { allowRestrictedFileTypes?: boolean }).allowRestrictedFileTypes
       : false
 
+  const expectsDetectableType = configMimeTypes.some(
+    (type) =>
+      type.startsWith('image/') ||
+      type === 'application/pdf' ||
+      type.startsWith('video/') ||
+      type.startsWith('audio/'),
+  )
+
   // Skip validation if `allowRestrictedFileTypes` is true
   if (allowRestrictedFileTypes) {
     return
@@ -72,6 +81,10 @@ export const checkFileRestrictions = async ({
   if (configMimeTypes.length > 0) {
     let detected = await fileTypeFromBuffer(file.data)
 
+    if (!detected && expectsDetectableType) {
+      errors.push(`File buffer returned no detectable MIME type.`)
+    }
+
     // Handle SVG files that are detected as XML due to <?xml declarations
     if (
       detected?.mime === 'application/xml' &&
@@ -85,6 +98,13 @@ export const checkFileRestrictions = async ({
 
     const passesMimeTypeCheck = detected?.mime && validateMimeType(detected.mime, configMimeTypes)
 
+    if (passesMimeTypeCheck && detected?.mime === 'application/pdf') {
+      const isValidPDF = validatePDF(file?.data)
+      if (!isValidPDF) {
+        errors.push('Invalid PDF file.')
+      }
+    }
+
     if (detected && !passesMimeTypeCheck) {
       errors.push(`Invalid MIME type: ${detected.mime}.`)
     }
diff --git a/packages/payload/src/utilities/validatePDF.ts b/packages/payload/src/utilities/validatePDF.ts
@@ -0,0 +1,17 @@
+export function validatePDF(buffer: Buffer) {
+  // Check for PDF header
+  const header = buffer.subarray(0, 8).toString('latin1')
+  if (!header.startsWith('%PDF-')) {
+    return false
+  }
+
+  // Check for EOF marker and xref table
+  const endSize = Math.min(1024, buffer.length)
+  const end = buffer.subarray(buffer.length - endSize).toString('latin1')
+
+  if (!end.includes('%%EOF') || !end.includes('xref')) {
+    return false
+  }
+
+  return true
+}
diff --git a/test/uploads/config.ts b/test/uploads/config.ts
@@ -37,9 +37,11 @@ import {
   mediaWithRelationPreviewSlug,
   noRestrictFileMimeTypesSlug,
   noRestrictFileTypesSlug,
+  pdfOnlySlug,
   reduceSlug,
   relationPreviewSlug,
   relationSlug,
+  restrictedMimeTypesSlug,
   restrictFileTypesSlug,
   skipAllowListSafeFetchMediaSlug,
   skipSafeFetchHeaderFilterSlug,
@@ -559,6 +561,22 @@ export default buildConfigWithDefaults({
         mimeTypes: ['text/html'],
       },
     },
+    {
+      slug: pdfOnlySlug,
+      fields: [],
+      upload: {
+        staticDir: path.resolve(dirname, './media'),
+        mimeTypes: ['application/pdf'],
+      },
+    },
+    {
+      slug: restrictedMimeTypesSlug,
+      fields: [],
+      upload: {
+        staticDir: path.resolve(dirname, './media'),
+        mimeTypes: ['image/png'],
+      },
+    },
     {
       slug: animatedTypeMedia,
       fields: [],
diff --git a/test/uploads/createStreamableFile.ts b/test/uploads/createStreamableFile.ts
@@ -8,13 +8,14 @@ import { getMimeType } from './getMimeType.js'
 
 export async function createStreamableFile(
   path: string,
+  typeOverride?: string,
 ): Promise<{ file: File; handle: fs.promises.FileHandle }> {
   const name = basename(path)
   const handle = await open(path)
 
   const { type } = getMimeType(path)
 
-  const file = new File([], name, { type })
+  const file = new File([], name, { type: typeOverride || type })
   file.stream = () => handle.readableWebStream()
 
   const formDataNode = new NodeFormData()
diff --git a/test/uploads/fake-pdf.pdf b/test/uploads/fake-pdf.pdf
diff --git a/test/uploads/int.spec.ts b/test/uploads/int.spec.ts
@@ -25,8 +25,10 @@ import {
   mediaSlug,
   noRestrictFileMimeTypesSlug,
   noRestrictFileTypesSlug,
+  pdfOnlySlug,
   reduceSlug,
   relationSlug,
+  restrictedMimeTypesSlug,
   restrictFileTypesSlug,
   skipAllowListSafeFetchMediaSlug,
   skipSafeFetchHeaderFilterSlug,
@@ -252,6 +254,36 @@ describe('Collections - Uploads', () => {
         // Check api response
         expect(doc.filename).toBeDefined()
       })
+
+      it('should not allow creation of corrupted PDF', async () => {
+        const formData = new FormData()
+        const filePath = path.join(dirname, './fake-pdf.pdf')
+        const { file, handle } = await createStreamableFile(filePath, 'application/pdf')
+        formData.append('file', file)
+
+        const response = await restClient.POST(`/${pdfOnlySlug}`, {
+          body: formData,
+        })
+        await handle.close()
+
+        expect(response.status).toBe(400)
+      })
+
+      it('should not allow invalid mimeType to be created', async () => {
+        const formData = new FormData()
+        const filePath = path.join(dirname, './image.jpg')
+        const { file, handle } = await createStreamableFile(filePath, 'image/png')
+        formData.append('file', file)
+        formData.append('mime', 'image/png')
+        formData.append('contentType', 'image/png')
+
+        const response = await restClient.POST(`/${restrictedMimeTypesSlug}`, {
+          body: formData,
+        })
+        await handle.close()
+
+        expect(response.status).toBe(400)
+      })
     })
     describe('update', () => {
       it('should replace image and delete old files - by ID', async () => {
diff --git a/test/uploads/payload-types.ts b/test/uploads/payload-types.ts
@@ -88,6 +88,8 @@ export interface Config {
     'restrict-file-types': RestrictFileType;
     'no-restrict-file-types': NoRestrictFileType;
     'no-restrict-file-mime-types': NoRestrictFileMimeType;
+    'pdf-only': PdfOnly;
+    'restricted-mime-types': RestrictedMimeType;
     'animated-type-media': AnimatedTypeMedia;
     enlarge: Enlarge;
     'without-enlarge': WithoutEnlarge;
@@ -122,6 +124,7 @@ export interface Config {
     'svg-only': SvgOnly;
     'media-without-delete-access': MediaWithoutDeleteAccess;
     'media-with-image-size-admin-props': MediaWithImageSizeAdminProp;
+    'payload-kv': PayloadKv;
     users: User;
     'payload-locked-documents': PayloadLockedDocument;
     'payload-preferences': PayloadPreference;
@@ -150,6 +153,8 @@ export interface Config {
     'restrict-file-types': RestrictFileTypesSelect<false> | RestrictFileTypesSelect<true>;
     'no-restrict-file-types': NoRestrictFileTypesSelect<false> | NoRestrictFileTypesSelect<true>;
     'no-restrict-file-mime-types': NoRestrictFileMimeTypesSelect<false> | NoRestrictFileMimeTypesSelect<true>;
+    'pdf-only': PdfOnlySelect<false> | PdfOnlySelect<true>;
+    'restricted-mime-types': RestrictedMimeTypesSelect<false> | RestrictedMimeTypesSelect<true>;
     'animated-type-media': AnimatedTypeMediaSelect<false> | AnimatedTypeMediaSelect<true>;
     enlarge: EnlargeSelect<false> | EnlargeSelect<true>;
     'without-enlarge': WithoutEnlargeSelect<false> | WithoutEnlargeSelect<true>;
@@ -184,6 +189,7 @@ export interface Config {
     'svg-only': SvgOnlySelect<false> | SvgOnlySelect<true>;
     'media-without-delete-access': MediaWithoutDeleteAccessSelect<false> | MediaWithoutDeleteAccessSelect<true>;
     'media-with-image-size-admin-props': MediaWithImageSizeAdminPropsSelect<false> | MediaWithImageSizeAdminPropsSelect<true>;
+    'payload-kv': PayloadKvSelect<false> | PayloadKvSelect<true>;
     users: UsersSelect<false> | UsersSelect<true>;
     'payload-locked-documents': PayloadLockedDocumentsSelect<false> | PayloadLockedDocumentsSelect<true>;
     'payload-preferences': PayloadPreferencesSelect<false> | PayloadPreferencesSelect<true>;
@@ -940,6 +946,42 @@ export interface NoRestrictFileMimeType {
   focalX?: number | null;
   focalY?: number | null;
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "pdf-only".
+ */
+export interface PdfOnly {
+  id: string;
+  updatedAt: string;
+  createdAt: string;
+  url?: string | null;
+  thumbnailURL?: string | null;
+  filename?: string | null;
+  mimeType?: string | null;
+  filesize?: number | null;
+  width?: number | null;
+  height?: number | null;
+  focalX?: number | null;
+  focalY?: number | null;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "restricted-mime-types".
+ */
+export interface RestrictedMimeType {
+  id: string;
+  updatedAt: string;
+  createdAt: string;
+  url?: string | null;
+  thumbnailURL?: string | null;
+  filename?: string | null;
+  mimeType?: string | null;
+  filesize?: number | null;
+  width?: number | null;
+  height?: number | null;
+  focalX?: number | null;
+  focalY?: number | null;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "animated-type-media".
@@ -1729,6 +1771,23 @@ export interface MediaWithImageSizeAdminProp {
     };
   };
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-kv".
+ */
+export interface PayloadKv {
+  id: string;
+  key: string;
+  data:
+    | {
+        [k: string]: unknown;
+      }
+    | unknown[]
+    | string
+    | number
+    | boolean
+    | null;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "users".
@@ -1844,6 +1903,14 @@ export interface PayloadLockedDocument {
         relationTo: 'no-restrict-file-mime-types';
         value: string | NoRestrictFileMimeType;
       } | null)
+    | ({
+        relationTo: 'pdf-only';
+        value: string | PdfOnly;
+      } | null)
+    | ({
+        relationTo: 'restricted-mime-types';
+        value: string | RestrictedMimeType;
+      } | null)
     | ({
         relationTo: 'animated-type-media';
         value: string | AnimatedTypeMedia;
@@ -2775,6 +2842,40 @@ export interface NoRestrictFileMimeTypesSelect<T extends boolean = true> {
   focalX?: T;
   focalY?: T;
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "pdf-only_select".
+ */
+export interface PdfOnlySelect<T extends boolean = true> {
+  updatedAt?: T;
+  createdAt?: T;
+  url?: T;
+  thumbnailURL?: T;
+  filename?: T;
+  mimeType?: T;
+  filesize?: T;
+  width?: T;
+  height?: T;
+  focalX?: T;
+  focalY?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "restricted-mime-types_select".
+ */
+export interface RestrictedMimeTypesSelect<T extends boolean = true> {
+  updatedAt?: T;
+  createdAt?: T;
+  url?: T;
+  thumbnailURL?: T;
+  filename?: T;
+  mimeType?: T;
+  filesize?: T;
+  width?: T;
+  height?: T;
+  focalX?: T;
+  focalY?: T;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "animated-type-media_select".
@@ -3614,6 +3715,14 @@ export interface MediaWithImageSizeAdminPropsSelect<T extends boolean = true> {
             };
       };
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-kv_select".
+ */
+export interface PayloadKvSelect<T extends boolean = true> {
+  key?: T;
+  data?: T;
+}
 /**
  * This interface was referenced by `Config`'s JSON-Schema
  * via the `definition` "users_select".
@@ -3678,6 +3787,6 @@ export interface Auth {
 
 
 declare module 'payload' {
-  // @ts-ignore 
+  // @ts-ignore
   export interface GeneratedTypes extends Config {}
-}
+}
diff --git a/test/uploads/shared.ts b/test/uploads/shared.ts
@@ -36,6 +36,8 @@ export const listViewPreviewSlug = 'list-view-preview'
 export const threeDimensionalSlug = 'three-dimensional'
 export const constructorOptionsSlug = 'constructor-options'
 export const bulkUploadsSlug = 'bulk-uploads'
+export const restrictedMimeTypesSlug = 'restricted-mime-types'
+export const pdfOnlySlug = 'pdf-only'
 
 export const fileMimeTypeSlug = 'file-mime-type'
 export const svgOnlySlug = 'svg-only'
