Does anyone know how to check if an uploaded image is really an image (and not a malicious file) before uploading it to a bucket? I have already created everything to upload an image into a bucket with

  if (logo) {
      // Save photo to bucket
      const pathRef = storageRef.ref('logo/' + uid + '/' + logo.name)
      pathRef.put(logo).then(() => {
          // Get logo URL from the same path that was just written
          return pathRef.getDownloadURL()
      }).then((url) => {
          // Update photoURL in user
          const user = firebase.auth().currentUser
          return user.updateProfile({
              photoURL: url
          })
      }).then(() => {
          console.log("update successful")
      }).catch((error) => {
          // Any failure in the upload, the URL lookup or the profile update lands here
          console.log(error)
      })
  }

I am also only accepting image files in my "input"

  <input style={{ display: "none" }} id="file" type="file" accept="image/*" onChange={props.change}></input>

but I believe that this can be easily bypassed by renaming any file to an image extension, which means anyone can put anything there. I didn't find any documentation on what would check that in functions or anywhere else.

1 Answer

0
Doug Stevenson On Best Solutions

Cloud Functions and Cloud Storage don't have any built-in capability of checking whether or not a series of bytes is actually an image. To them, bytes are just bytes, and they don't make any effort to interpret those bytes. Cloud Storage stores "content type" as part of a blob, but that's not a guarantee about what's in the blob. That content type is just metadata for the blob.

If you want to know if a sequence of bytes is some image format (and there are very many: JPG, PNG, GIF, etc.), you will need to use some other piece of software to parse those bytes to figure out if they're formatted in a way that would be an acceptable image by your definition. For example, ImageMagick will tell you something about the contents of a file that is said to be an image.
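As an added example (not code from the question or the answer above), here is the minimal version of "parse the bytes yourself": sniff the file signature ("magic bytes") of the formats you are willing to accept and refuse anything else, and additionally require that the sniffed type agrees with the Content-Type the client declared. The allow-list, the `checkUpload`/`checkFile` helper names and the sample byte strings are constructed for this illustration. Because a client can skip any browser-side check just as easily as it can skip the `accept` attribute, the same function has to run where the uploader cannot tamper with it, for instance in a Cloud Functions trigger that reads the first bytes of the new object and deletes it on mismatch; that wiring is not shown here.

```javascript
// Added example: detect the real image format from the leading bytes of a
// file instead of trusting the extension, <input accept>, or Content-Type
// metadata. Works in Node and in the browser; callers pass a Uint8Array
// holding at least the first 12 bytes of the file.

// Allow-list of formats we accept. Each entry lists [offset, expected bytes];
// every pair must match for the type to be detected. SVG is deliberately
// absent: it is XML, can carry script, and is not a raster image.
const SIGNATURES = [
  { type: 'image/png',  checks: [[0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]] },
  { type: 'image/jpeg', checks: [[0, [0xff, 0xd8, 0xff]]] },
  // "GIF87a" / "GIF89a": bytes 0-3 are "GIF8", byte 5 is "a"
  { type: 'image/gif',  checks: [[0, [0x47, 0x49, 0x46, 0x38]], [5, [0x61]]] },
  // "RIFF" <4-byte size> "WEBP"
  { type: 'image/webp', checks: [[0, [0x52, 0x49, 0x46, 0x46]], [8, [0x57, 0x45, 0x42, 0x50]]] },
];

// True when `expected` occurs in `bytes` at `offset`; short buffers never match.
function matchesAt(bytes, offset, expected) {
  if (bytes.length < offset + expected.length) return false;
  for (let i = 0; i < expected.length; i++) {
    if (bytes[offset + i] !== expected[i]) return false;
  }
  return true;
}

// Returns the detected MIME type, or null when the header matches no allowed format.
function sniffImageType(bytes) {
  for (const sig of SIGNATURES) {
    if (sig.checks.every(([offset, expected]) => matchesAt(bytes, offset, expected))) {
      return sig.type;
    }
  }
  return null;
}

// Decide whether an upload may proceed: the bytes must be a recognised image
// AND agree with the type the client claimed. A mismatch between the two is
// suspicious even when both are "images", so it is rejected too.
function checkUpload(bytes, declaredType) {
  const detected = sniffImageType(bytes);
  if (detected === null) {
    return { ok: false, detected, reason: 'header does not match any allowed image format' };
  }
  if (declaredType !== detected) {
    return { ok: false, detected, reason: 'declared ' + declaredType + ' but bytes look like ' + detected };
  }
  return { ok: true, detected, reason: 'ok' };
}

// Browser helper (hypothetical name): read only the header of the File chosen
// in <input type="file"> and check it before calling pathRef.put(). This is a
// courtesy to the user; the authoritative check must run server-side.
async function checkFile(file) {
  const header = new Uint8Array(await file.slice(0, 16).arrayBuffer());
  return checkUpload(header, file.type);
}

// Constructed samples: genuine format headers followed by filler, plus a PDF
// that was merely renamed to .png (and will be declared as image/png).
const ascii = (s) => [...s].map((c) => c.charCodeAt(0));
const SAMPLE_PNG  = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0, 0x10, 0x4a, 0x46, 0x49, 0x46, 0, 1, 1, 0, 0, 1]);
const SAMPLE_GIF  = Uint8Array.from(ascii('GIF89a').concat([1, 0, 1, 0, 0x80, 0, 0, 0, 0, 0]));
const RENAMED_PDF = Uint8Array.from(ascii('%PDF-1.7 this is not an image'));

// Stand-alone demonstration when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, bytes, declared] of [
    ['png', SAMPLE_PNG, 'image/png'],
    ['jpeg', SAMPLE_JPEG, 'image/jpeg'],
    ['gif', SAMPLE_GIF, 'image/gif'],
    ['renamed pdf', RENAMED_PDF, 'image/png'],
    ['png declared as jpeg', SAMPLE_PNG, 'image/jpeg'],
  ]) {
    console.log(name, '->', JSON.stringify(checkUpload(bytes, declared)));
  }
}
```

A signature check only proves the file starts like an image; a valid-looking header can still be followed by a malformed or hostile body. If the bucket's contents are later decoded (thumbnails, resizing), do that with a maintained decoder such as ImageMagick in a sandboxed Cloud Function, and treat a decode failure as a reason to delete the object.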