Uploading GIF as NFT or Profile Avatar/Banner

[tokyohtb]

Bug Type

Functional

Reproduction steps

1. Go to https://getgems.io/ (or https://testnet.getgems.io/)
2. Login with any wallet
3. Click "Create NFT" and select "Single NFT", or "NFT in collection"
4. Fill in all the fields
5. Open Burp or any other program that allows you to edit requests before submitting
6. Connect to a proxy, or open Burp Browser
7. Click on the "Intercept is off" button in Burp
8. Click on the image upload button and select your GIF file
9. In Burp, press Forward until you see the request "POST /upload-media"
10. In the "Content-Disposition" header "filename" parameter change filename.gif to filename.png
11. Disable Intercept and mint NFT as usual

Actual result

NFT minted with animated picture

Expected result

Getgems should show an error as it is currently not possible to upload a .GIF file as an NFT image

Suggested Severity

Medium

Device

Desktop (please complete the following information):

• OS: [e.g. iOS]: Windows 11 25151.1010
• Browser [e.g. chrome, safari]: Burp Browser (based on Chromium 105)
• Version [e.g. 22]: 105.0.5195.102

Additional Context

You can do the same with your avatar or profile banner. NFT example: https://testnet.getgems.io/nft/EQDs5TsGeC1yriIbeYv3YKaTsEoyUiemH8Y1MD1ejBgrwak9 Profile Example: https://getgems.io/user/EQA5n5KM7E_9YwRPpjwkawPgCwSmR3vxb0FzovG18hhpiE5G