Saturday, June 6, 2026

Make sure an uploaded logo is really an image, not a disguised file

Volleyball Elite Academy development update
Volleyball Elite Academy

## What & Why

The logo upload route (, ) decides whether a file is an allowed image purely from the browser-declared content-type (multer's checks ). An attacker (or a confused browser) can send an HTML/JS/SVG payload while declaring , and it will be accepted, stored, and later streamed back from the public route. The serve route does set and an image content-type derived from the key extension, which mitigates same-origin script execution, but the bytes themselves are never validated.

This is a SuperAdmin-only upload, so the risk is limited, but the bytes are served on a public, unauthenticated path — so confirming the bytes are actually a PNG/JPEG/WebP/GIF (e.g. magic-byte sniffing) before storing closes the gap defensively.

## Done looks like

- Upload validates that the actual file bytes (magic numbers) match one of the allowed raster types, in addition to the declared mimetype.
- A file whose declared type is but whose bytes are HTML/SVG/JS is rejected with 400 and nothing is stored.
- A new route test in covers the disguised-file case (uses the existing in-memory fake).
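As an added example, not code from the Volleyball Elite Academy project: a byte-level check for the four allowed raster types, plus the disguised-file case the acceptance criteria describe. The names `sniffImageType`, `validateLogoBytes` and the sample buffers are assumptions, not project identifiers.

```javascript
// Added example, not the project's code. Signatures for the four raster
// types the logo route allows; anything else (HTML, SVG, JS, ...) yields null.
const MAGIC = [
  { type: 'image/png',
    match: (b) => b.length >= 8 &&
      b.subarray(0, 8).equals(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) },
  { type: 'image/jpeg',
    match: (b) => b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff },
  { type: 'image/gif',
    match: (b) => b.length >= 6 &&
      ['GIF87a', 'GIF89a'].includes(b.subarray(0, 6).toString('latin1')) },
  { type: 'image/webp',
    match: (b) => b.length >= 12 &&
      b.subarray(0, 4).toString('latin1') === 'RIFF' &&
      b.subarray(8, 12).toString('latin1') === 'WEBP' },
];

// Returns the mimetype implied by the leading bytes, or null if unknown.
function sniffImageType(bytes) {
  const hit = MAGIC.find((m) => m.match(bytes));
  return hit ? hit.type : null;
}

// Accepts only when the bytes carry a known raster signature AND that
// signature agrees with what the client declared; otherwise reports why.
function validateLogoBytes(bytes, declaredMimetype) {
  const sniffed = sniffImageType(bytes);
  if (!sniffed) return { ok: false, reason: 'bytes are not PNG/JPEG/WebP/GIF' };
  if (sniffed !== declaredMimetype) {
    return { ok: false, reason: `declared ${declaredMimetype} but bytes are ${sniffed}` };
  }
  return { ok: true, type: sniffed };
}

// Constructed samples: a minimal PNG header and two disguised payloads.
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.from([0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]),
]);
const SAMPLE_SVG = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>');
const SAMPLE_HTML = Buffer.from('<html><body><script>1</script></body></html>');

// Runs the disguised-file scenario from the acceptance criteria.
function checkSamples() {
  return {
    realPng: validateLogoBytes(SAMPLE_PNG, 'image/png'),
    svgAsPng: validateLogoBytes(SAMPLE_SVG, 'image/png'),
    htmlAsJpeg: validateLogoBytes(SAMPLE_HTML, 'image/jpeg'),
  };
}
```

multer's `fileFilter` only receives the file's metadata (field name, original name, declared mimetype), not its bytes, so this check belongs in the upload handler once the buffer is available (for example `req.file.buffer` with `memoryStorage`), responding 400 before anything is stored.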

## Relevant files

- (logoUpload fileFilter / the upload handler)
- (existing logo coverage to extend)
