The current implementation of the validateMimeType function validates MIME types solely based on file extensions. This allows users to bypass restrictions by renaming files (e.g., uploading a .pdf as video.mp4), leading to unexpected behavior.
To Reproduce
1. Rename a .pdf file to have a .mp4 extension.
2. Upload the renamed file.
3. Observe that the upload is successful despite the file being a PDF.
Expected behavior
The upload should fail with an invalid MIME type error since the actual file content does not match the allowed types.
Screenshots
N/A
System information
N/A
Additional context
Proposed Solution:
Update the validateMimeType function to detect the MIME type using the magic number with libraries like file-type, though file-type does not support detecting all kinds of file types.
For more context, see GitHub issue #27120.
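The magic-number check proposed in this report, sketched as an added example (not the project's `validateMimeType` and not code from the issue). It fails closed on unrecognized content, which matters given the noted limit that a detection library will not cover every file type. Assumptions: the names `SIGNATURES`, `EXT_TO_MIME`, `sniffMimeType` and `validateUpload` are hypothetical, and the signature table is a small constructed subset.

```javascript
// Added example: content-based validation. Not the project's validateMimeType.
// SIGNATURES is a small constructed subset of magic numbers, not a full database.
const SIGNATURES = [
  { mime: 'application/pdf', offset: 0, bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  { mime: 'image/png', offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', offset: 0, bytes: [0xff, 0xd8, 0xff] },
  // ISO BMFF "ftyp" box type follows a 4-byte size; the brand is not checked here,
  // so related containers (e.g. MOV) also match this entry.
  { mime: 'video/mp4', offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] },
];

// Hypothetical extension map standing in for an extension-only lookup.
const EXT_TO_MIME = new Map([
  ['pdf', 'application/pdf'], ['png', 'image/png'],
  ['jpg', 'image/jpeg'], ['jpeg', 'image/jpeg'], ['mp4', 'video/mp4'],
]);

// Return the MIME type implied by the leading bytes, or null if unrecognized.
function sniffMimeType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length < sig.offset + sig.bytes.length) continue;
    if (sig.bytes.every((b, i) => buf[sig.offset + i] === b)) return sig.mime;
  }
  return null;
}

// Decide on detected content; the file name is only a consistency check.
function validateUpload(fileName, buf, allowedMimeTypes) {
  const dot = fileName.lastIndexOf('.');
  const ext = dot >= 0 ? fileName.slice(dot + 1).toLowerCase() : '';
  const claimed = EXT_TO_MIME.get(ext) ?? null;
  const detected = sniffMimeType(buf);
  let reason = null;
  if (detected === null) reason = 'unrecognized content'; // fail closed
  else if (!allowedMimeTypes.includes(detected)) reason = 'invalid mime type';
  else if (claimed !== detected) reason = 'extension does not match content';
  return { ok: reason === null, reason, claimed, detected };
}

// Constructed sample inputs: a PDF header and a minimal MP4 "ftyp" box.
const pdfBytes = Buffer.from('%PDF-1.7\n%constructed sample\n', 'latin1');
const mp4Bytes = Buffer.concat([
  Buffer.from([0x00, 0x00, 0x00, 0x18]), Buffer.from('ftypisom', 'latin1'), Buffer.alloc(12),
]);

console.log(validateUpload('video.mp4', pdfBytes, ['video/mp4'])); // renamed PDF
console.log(validateUpload('video.mp4', mp4Bytes, ['video/mp4'])); // genuine MP4 header
```

Only the first few bytes are inspected, so this confirms the container signature and nothing about the rest of the file.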