The upload field explicitly mentions that it only accepts jpeg/png/gif/mp4 formats. However, I was able to successfully upload a PDF (.pdf) file without any validation warning or rejection.
This behavior contradicts the stated file type restrictions and might potentially pose both UX and security concerns, as it allows unsupported file types to be uploaded to the system.
Steps to Reproduce:
• Navigate to Sign In | Ministry of Testing
• Locate the Attachment field.
• Upload a .pdf file.
• Click Save.
• Observe that the upload is accepted without any validation error.
Expected Behavior:
The system should validate file types and only allow jpeg, png, gif, or mp4 uploads. Any unsupported file (like .pdf) should trigger an error message, e.g., “Unsupported file type. Please upload jpeg/png/gif/mp4 only.”
Actual Behavior:
The system accepts .pdf files without showing any validation message, allowing the form to proceed despite the mismatch in allowed file types.
Impact:
This could lead to user confusion, broken UI rendering for unsupported files, or potential security vulnerabilities if non-media files are improperly handled by the backend.
File upload validation is often done badly. You might want to try some other things such as:
• Upload an EXE file and other executable file types such as .msi, .bat, .com and .scr. This should absolutely not be possible.
• Upload a file that doesn’t have an extension.
• Upload a Zip file containing prohibited file types including EXE files.
• Upload Microsoft Word, Excel and PowerPoint files containing macros and VBA.
• Upload an HTML file containing JavaScript.
• Change the file extension of a prohibited file type so it looks like a permitted one, such as changing foo.exe to foo.jpg. Basic validation just looks at the file extension, but more sophisticated validation looks at the header data inside the file to verify that it matches the file extension. This is much safer, but extremely few websites do it.
If the uploaded file is only going to be processed by the receiving application, the risks of being able to upload prohibited file types are not high. However, if the uploaded files might be opened by a human, the risks are much greater so the validation needs to be more robust.
Bear in mind that operating systems can be configured to hide file extensions, so if you can upload an executable file there is a chance a human will run it without realising what it is. Likewise for files containing macros, VBA or JavaScript. Files like this are often used to deliver malicious payloads via email. A lot of ransomware attacks occur like this, showing that people will click on things they shouldn’t.
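As an added illustration of the two validation levels described in the reply above (extension-only versus extension plus header bytes), here is a small Python checker for exactly the jpeg/png/gif/mp4 allow-list from the original report. It is example code written for this thread, not anything from the Ministry of Testing site; the file signatures are the standard ones for those formats, and every sample input is constructed inline.

```python
"""Allow-list upload validation: extension AND content signature must agree.

Added example for this thread (not the site's own code). The allow-list
mirrors the jpeg/png/gif/mp4 restriction stated on the upload field; the
magic-byte signatures are the standard ones for those formats.
"""
import os
from typing import Optional, Tuple

# Extension (lower-cased) -> media type it is expected to contain.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "mp4": "mp4"}


def sniff(data: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None if unknown.

    This is the 'header data inside the file' check: a renamed foo.exe still
    starts with 'MZ', a renamed PDF still starts with '%PDF-', so neither
    will come back as one of the allowed types.
    """
    if data.startswith(b"\xff\xd8\xff"):            # JPEG SOI marker + APPn
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):       # PNG 8-byte signature
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):           # GIF header
        return "gif"
    # ISO base media file (MP4): 4-byte box size followed by the 'ftyp' box.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return None


def extension_only(filename: str) -> bool:
    """The weak check: accept purely on the file name. Shown for contrast."""
    base = os.path.basename(filename)
    return "." in base and base.rsplit(".", 1)[1].lower() in EXPECTED


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """The stronger check. Returns (accepted, reason).

    Accepts only if the extension is on the allow-list AND the content
    signature matches what that extension promises.
    """
    base = os.path.basename(filename)
    if "\x00" in base:
        return False, "null byte in file name"
    if "." not in base:
        return False, "no file extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in EXPECTED:
        return False, f".{ext} is not an allowed extension"
    sniffed = sniff(data)
    if sniffed != EXPECTED[ext]:
        return False, f"content is {sniffed or 'unrecognised'}, not {EXPECTED[ext]}"
    return True, "ok"


# Constructed sample uploads covering the cases raised in the thread.
SAMPLES = {
    "cat.jpg":       b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,      # real JPEG header
    "clip.mp4":      b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2",     # real MP4 header
    "report.pdf":    b"%PDF-1.7\n",                # the PDF from the bug report
    "report.jpg":    b"%PDF-1.7\n",                # PDF renamed to look permitted
    "setup.jpg":     b"MZ\x90\x00\x03\x00\x00\x00", # EXE renamed to .jpg
    "page.html":     b"<html><script>alert(1)</script></html>",
    "noextension":   b"\x89PNG\r\n\x1a\n",         # valid PNG bytes, no extension
    "shell.php.jpg": b"<?php echo 1; ?>",          # double extension, wrong content
}


def run_samples() -> dict:
    """Compare the two validators over the constructed samples."""
    return {
        name: {"extension_only": extension_only(name),
               "extension_and_signature": validate_upload(name, data)[0]}
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:15} ext-only={verdicts['extension_only']!s:5} "
              f"ext+sig={verdicts['extension_and_signature']}")
```

Running it shows the gap the reply describes: the extension-only check waves through report.jpg, setup.jpg and shell.php.jpg, while the signature check rejects all three along with the bare .pdf. A signature check is still only a header check, not a full parse: a file that begins with a valid GIF or JPEG header and carries HTML or script later in the body will pass it, so on the serving side you would still want a fixed Content-Type, Content-Disposition: attachment, and ideally a separate origin for user uploads.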