Skip to content
This repository was archived by the owner on Jun 29, 2026. It is now read-only.
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 0 additions & 6 deletions src/features/workspaces/model/workspace-file/policy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -261,12 +261,6 @@ export function resolveWorkspaceFileContentType(input: {
descriptor: WorkspaceFileTypeDescriptor;
fileName: string;
}) {
const normalizedContentType = input.contentType?.trim();

if (normalizedContentType) {
return normalizedContentType;
}

return (
resolveMatchedUploadFormat(input, input.descriptor)?.mime ??

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop honoring spoofed allowlisted MIME values

In the upload route, validation accepts either the filename or the multipart MIME and then passes the raw file.type through to this resolver. Because this call still delegates to resolveMatchedUploadFormat, which checks MIME before extension, a client can upload photo.png with Content-Type: image/jpeg and we will store image/jpeg and choose a .jpg shell path based on the header rather than the accepted .png filename. That leaves uploaded MIME choice attacker-controlled among allowlisted values, so the canonicalization does not fully remove spoofed Content-Type persistence.

Useful? React with 👍 / 👎.

input.descriptor.extensions[0]?.mime ??
Expand Down