fix: improves upload security for PDFs and SVGs (#14929)

#### What?
Improves upload security by closing validation gaps for `PDF` and `SVG`
files, preventing malicious files from bypassing MIME type restrictions.

#### Why?

- **PDFs**: Corrupted PDFs with a manipulated content type could bypass
detection when no `fileTypeFromBuffer` was undefined, allowing
unauthorized file types pass.

- **SVGs**: SVGs can contain malicious scripts that execute when
rendered, currently we do not check the SVG for anything potentially
harmful

#### How?
- Added extension validation: If the PDF returns no buffer, we have an
additional check on the `ext` which closes the validation gap
- Added SVG sanitization: New `validateSvg` utility checks for attack
elements including scripts, event handlers, foreign objects, iframes etc

Author: JessRynkar

packages/payload/src/uploads/checkFileRestrictions.ts

@@ -6,6 +6,8 @@ import { ValidationError } from '../errors/index.js'
 import { validateMimeType } from '../utilities/validateMimeType.js'
 import { validatePDF } from '../utilities/validatePDF.js'
 import { detectSvgFromXml } from './detectSvgFromXml.js'
+import { getFileTypeFallback } from './getFileTypeFallback.js'
+import { validateSvg } from './validateSvg.js'
 
 /**
  * Restricted file types and their extensions.
@@ -103,8 +105,37 @@ export const checkFileRestrictions = async ({
       }
     }
 
-    if (!detected && expectsDetectableType(typeFromExtension) && !useTempFiles) {
-      errors.push(`File buffer returned no detectable MIME type.`)
+    if (!detected && !useTempFiles) {
+      const mimeTypeFromExtension = getFileTypeFallback(file.name).mime
+      const extIsValid = validateMimeType(mimeTypeFromExtension, configMimeTypes)
+
+      if (!extIsValid) {
+        errors.push(
+          `File type ${mimeTypeFromExtension} (from extension ${typeFromExtension}) is not allowed.`,
+        )
+      } else {
+        // SVG security check (text-based files not detectable by buffer)
+        if (typeFromExtension.toLowerCase() === 'svg') {
+          const isSafeSvg = validateSvg(file.data)
+          if (!isSafeSvg) {
+            errors.push('SVG file contains potentially harmful content.')
+          }
+        }
+
+        // PDF validation
+        if (mimeTypeFromExtension === 'application/pdf') {
+          const isValidPDF = validatePDF(file.data)
+          if (!isValidPDF) {
+            errors.push('Invalid or corrupted PDF file.')
+          }
+        }
+      }
+
+      if (expectsDetectableType(mimeTypeFromExtension)) {
+        req.payload.logger.warn(
+          `File buffer returned no detectable MIME type for ${file.name}. Falling back to extension-based validation.`,
+        )
+      }
     }
 
     const passesMimeTypeCheck = detected?.mime && validateMimeType(detected.mime, configMimeTypes)

packages/payload/src/uploads/validateSvg.ts

@@ -0,0 +1,58 @@
+/**
+ * Validate SVG content for security vulnerabilities
+ * Detects and blocks malicious patterns commonly used in SVG-based attacks
+ */
+export function validateSvg(buffer: Buffer): boolean {
+  try {
+    const content = buffer.toString('utf8')
+
+    const dangerousPatterns = [
+      // Script tags
+      /<script[\s>]/i,
+      /<\/script>/i,
+
+      // Event handlers (onclick, onload, onerror, etc.)
+      /\son\w+\s*=/i,
+
+      // JavaScript URLs
+      /javascript:/i,
+      /data:text\/html/i,
+
+      // Foreign objects (can embed HTML)
+      /<foreignObject[\s>]/i,
+
+      // Embedded iframes
+      /<iframe[\s>]/i,
+
+      // Embedded objects and embeds
+      /<object[\s>]/i,
+      /<embed[\s>]/i,
+
+      // Base64 encoded scripts (common obfuscation technique)
+      /data:image\/svg\+xml;base64,[\w+/]*PHNjcmlwdA/i, // <script in base64
+
+      // XLink href with javascript (deprecated but still dangerous)
+      /xlink:href\s*=\s*["']javascript:/i,
+
+      // Import statements
+      /@import/i,
+
+      // External resource references that could be dangerous
+      /<!ENTITY/i,
+      /<!DOCTYPE[^>]*\[/i, // DOCTYPE with internal subset
+
+      // Attempt to use CDATA to hide scripts
+      /<!\[CDATA\[[\s\S]*<script/i,
+    ]
+
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(content)) {
+        return false
+      }
+    }
+
+    return true
+  } catch (_error) {
+    return false
+  }
+}

packages/payload/src/utilities/validateMimeType.ts

@@ -1,4 +1,9 @@
 export const validateMimeType = (mimeType: string, allowedMimeTypes: string[]): boolean => {
+  if (allowedMimeTypes.length === 0) {
+    return true
+  }
+
   const cleanedMimeTypes = allowedMimeTypes.map((v) => v.replace('*', ''))
+
   return cleanedMimeTypes.some((cleanedMimeType) => mimeType.startsWith(cleanedMimeType))
 }

test/uploads/corrupt.svg

@@ -287,6 +287,21 @@ describe('Collections - Uploads', () => {
         expect(response.status).toBe(400)
       })
 
+      it('should not allow html file to be uploaded to PDF only collection', async () => {
+        const formData = new FormData()
+        const filePath = path.join(dirname, './test.html')
+        const { file, handle } = await createStreamableFile(filePath, 'application/pdf')
+        formData.append('file', file)
+        formData.append('contentType', 'application/pdf')
+
+        const response = await restClient.POST(`/${pdfOnlySlug}`, {
+          body: formData,
+        })
+        await handle.close()
+
+        expect(response.status).toBe(400)
+      })
+
       it('should not allow invalid mimeType to be created', async () => {
         const formData = new FormData()
         const filePath = path.join(dirname, './image.jpg')
@@ -302,6 +317,20 @@ describe('Collections - Uploads', () => {
 
         expect(response.status).toBe(400)
       })
+
+      it('should not allow corrupted SVG to be created', async () => {
+        const formData = new FormData()
+        const filePath = path.join(dirname, './corrupt.svg')
+        const { file, handle } = await createStreamableFile(filePath)
+        formData.append('file', file)
+
+        const response = await restClient.POST(`/${svgOnlySlug}`, {
+          body: formData,
+        })
+        await handle.close()
+
+        expect(response.status).toBe(400)
+      })
     })
     describe('update', () => {
       it('should replace image and delete old files - by ID', async () => {

test/uploads/int.spec.ts

@@ -0,0 +1 @@
+<div>hello</div>