mime-type does not check uploaded files, only the filename

Open flogesell opened this issue 1 year ago • 6 comments

Bug report

  • [X] I confirm this is a bug with Supabase, not with my own application.
  • [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I restricted my file uploads to image/jpeg, image/png, image/jpg and uploaded a renamed gif with name image.jpg. The image was uploaded successfully. It looks like the upload doesn't check the uploaded file for the mime type, only the filename of the input file.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Postman curl request:

curl --location --globoff 'https://{supabaseInstanceUrl}/storage/v1/object/{storageContainer}/{fileNameWithFileExtension}' \
  --header 'Host: HostName' \
  --header 'x-upsert: false' \
  --header 'Accept: */*' \
  --header 'Authorization: Bearer TOKEN' \
  --header 'Accept-Language: en-GB,en;q=0.9' \
  --header 'Cache-Control: max-age=3600' \
  --header 'apikey: APIKEY' \
  --header 'x-client-info: supabase-js-react-native/2.43.4' \
  --header 'User-Agent: {AppName}/1 CFNetwork/1490.0.4 Darwin/23.2.0' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: image/gif' \
  --form '=@"/Users/user/Downloads/gif.gif"'

Expected behavior

It should throw a 415 invalid_mime_type error, because the uploaded file's internal mime type was not included in the allowed mimetypes.

Screenshots


https://youtu.be/PJrQTvjzE5A

System information

  • OS: macOS
  • Browser: N/A
  • Version of supabase-js: N/A
  • Version of Node.js: N/A

flogesell avatar Jun 09 '24 09:06 flogesell

As I explored, now we only check the mime-type of the file. It can be spoofed. I think we need to update it in the Storage repository to verify the MIME types and signatures of files.

https://github.com/supabase/storage/blob/master/src/storage/uploader.ts#L86

siraom15 avatar Jun 11 '24 03:06 siraom15
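A content-based check of the kind siraom15 proposes, as an added TypeScript example (not code from supabase/storage; the function names, the signature table and the sample byte strings are constructed for illustration): it derives the type from the file's leading bytes instead of the extension or the client-supplied Content-Type, and answers a GIF sent as image.jpg with the 415 invalid_mime_type response the report expects.

```typescript
// Added example, not supabase/storage code. Assumption: only JPEG, PNG and GIF
// matter here; a production table needs every type the bucket should accept.
const SIGNATURES: Array<{ mime: string; bytes: number[] }> = [
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

/** MIME type implied by the magic bytes at offset 0, or null if unrecognised. */
function sniffMime(data: Uint8Array): string | null {
  for (const sig of SIGNATURES) {
    if (data.length < sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => data[i] === b)) return sig.mime;
  }
  return null;
}

type UploadCheck =
  | { ok: true; mime: string }
  | { ok: false; status: 415; error: "invalid_mime_type"; reason: string };

// The non-standard "image/jpg" label from the report is treated as image/jpeg.
const norm = (m: string): string =>
  m.toLowerCase() === "image/jpg" ? "image/jpeg" : m.toLowerCase();

/** Accept only if the sniffed type is allowed AND matches the declared Content-Type. */
function checkUpload(declared: string, data: Uint8Array, allowed: string[]): UploadCheck {
  const sniffed = sniffMime(data);
  const reject = (reason: string): UploadCheck =>
    ({ ok: false, status: 415, error: "invalid_mime_type", reason });
  if (sniffed === null) return reject("unrecognised file signature");
  if (!allowed.map(norm).includes(sniffed)) return reject(`content is ${sniffed}, which is not allowed`);
  if (norm(declared) !== sniffed) return reject(`declared ${declared} but content is ${sniffed}`);
  return { ok: true, mime: sniffed };
}

// Constructed sample inputs: the leading bytes of a GIF89a (the renamed file in
// the report, sent as image.jpg with Content-Type image/jpeg) and of a real JPEG.
const GIF_RENAMED = new Uint8Array([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00]);
const REAL_JPEG = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);
const ALLOWED = ["image/jpeg", "image/png", "image/jpg"];

const renamedGifResult = checkUpload("image/jpeg", GIF_RENAMED, ALLOWED); // ok: false, 415
const realJpegResult = checkUpload("image/jpeg", REAL_JPEG, ALLOWED); // ok: true
```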

Hi, I'm interested in contributing to this!

sephialaureenciaa avatar Aug 06 '24 16:08 sephialaureenciaa

Hi @sephialaureenciaa - feel free to open a PR!

Hallidayo avatar Sep 09 '24 19:09 Hallidayo

Just to confirm, I should make the changes in the storage repo right?

sephialaureenciaa avatar Sep 19 '24 17:09 sephialaureenciaa

Hi, I've moved this issue over from the supabase repo as it's related to storage.

Hallidayo avatar Mar 05 '25 21:03 Hallidayo

I can confirm that I see similar errors for media files. All of these are working for other providers, such as MinIO.

Note that the observed errors are thrown in my codebase, but since they work for other providers, I assume they are related to the same underlying issue.

File Type | Error Reason
--------- | ------------
HEIC | Invalid file structure: No 'ftyp' box at the beginning of the file
JPEG | MIME type validation error: Only certain image types are supported
MSG | Invalid file structure: Not an OLE2 structured storage file
PPT | Variable access error: Cannot access local variable 'ole'
TIFF | MIME type validation error: Only certain image types are supported
P7S | Invalid S/MIME structure: Does not contain a valid signed message
PNG | MIME type validation error: Only certain image types are supported
JPG | MIME type validation error: Only certain image types are supported
JSON | Invalid JSON format: Extra data detected in line 2 column 1
XLS | Corrupt or unsupported format: Expected BOF record not found
DOC | Variable access error: Cannot access local variable 'ole'

NolanTrem avatar May 02 '25 19:05 NolanTrem