Security Review Pattern for File Upload Endpoints

CATEGORY: TUTORIALS DATE: 2026-01-17

Research by badjuju - Red Orca

A practical review sequence for extension filtering, MIME validation, content sniffing, and asynchronous malware scanning.

Summary

File upload features fail in predictable ways. This guide presents a repeatable review pattern that surfaces dangerous parser paths early.

Review Sequence

  1. Map upload entry points and storage destinations.
  2. Test extension allowlist bypasses (.jpg.php, double extensions, Unicode tricks).
  3. Compare declared MIME type, sniffed MIME type, and storage metadata.
  4. Validate post-upload processing jobs for command injection risks.

Minimal Validation Snippet

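# detected_mime must come from sniffing the file's bytes, not from the
# client-supplied Content-Type header or the filename.
allowed = {"image/png", "image/jpeg"}
if detected_mime not in allowed:
    raise ValidationError("Unsupported file type")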

Always validate content, not just extension strings.
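
The following is an added example, not code from the original guide. It extends the minimal snippet to cover steps 2 and 3 of the review sequence by rejecting an upload unless the sniffed type, the declared type, and the normalized filename extension all agree. The function names, the extension mapping, and the one-extension policy are assumptions.

```python
import unicodedata

# Magic bytes for the two types in the page's allowlist.
SIGNATURES = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}
# Assumed mapping of allowed extensions per type (not from the page).
EXTENSIONS = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}}


class ValidationError(Exception):
    pass


def sniff_mime(head):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, magic in SIGNATURES.items():
        if head.startswith(magic):
            return mime
    return None


def review_upload(filename, declared_mime, head):
    """Return the sniffed MIME type if all three views agree, else raise."""
    detected_mime = sniff_mime(head)
    if detected_mime not in SIGNATURES:
        raise ValidationError("Unsupported file type")
    # Strip parameters such as "; charset=binary" from the client header.
    if declared_mime.split(";")[0].strip().lower() != detected_mime:
        raise ValidationError("Declared MIME type does not match content")
    # NFKC folds fullwidth letters and dots to ASCII before the name is parsed.
    name = unicodedata.normalize("NFKC", filename)
    if any(ord(c) < 32 or c in "/\\" for c in name):
        raise ValidationError("Control character or path separator in name")
    stem, _, rest = name.partition(".")
    # Assumed policy: exactly one extension, so "a.php.jpg" and "a.jpg." fail.
    if not stem or not rest or "." in rest or rest != rest.strip():
        raise ValidationError("Filename must have exactly one extension")
    if rest.lower() not in EXTENSIONS[detected_mime]:
        raise ValidationError("Extension does not match content")
    return detected_mime


def verdict(filename, declared_mime, head):
    """Return 'ok' or the rejection reason, for logging or tests."""
    try:
        review_upload(filename, declared_mime, head)
        return "ok"
    except ValidationError as exc:
        return str(exc)
```

A leading-signature match says nothing about the bytes that follow it, so this check complements the asynchronous malware scan rather than replacing it.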