research-software-directory / RSD-as-a-service

This repo contains the new RSD-as-a-service implementation
https://research.software

Allowing arbitrary MIME types for images enables XSS #1241

Closed ewan-escience closed 2 months ago

ewan-escience commented 3 months ago

In database/003-create-image-table.sql, in the image table, there is a column called mime_type. Currently, this column allows for arbitrary data to be stored. If someone stores an HTML file with MIME type text/html, this allows arbitrary scripts to be executed when someone 'views' the image. So we should restrict the column to only contain valid image MIME types.

A hotfix can be applied with the following SQL command:

ALTER TABLE image ADD CONSTRAINT image_valid_mime_type CHECK (mime_type IN ('image/avif', 'image/gif', 'image/jpeg', 'image/png', 'image/svg+xml', 'image/webp'));

This was already applied to the RSD and Helmholtz production instances. We will also add this to the codebase. Furthermore, since on each instance the userbase is restricted, we don't expect this to have been exploited in practice.

To see if you need more MIME types, run

select mime_type, count(*) from image group by mime_type order by mime_type;

All image MIME types can be found here. @cmeessen, do you need more MIME types other than the ones listed in the hotfix?

cmeessen commented 3 months ago

We do have additionally image/x-icon.
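Added example (not code from the issue or the RSD codebase): the hotfix constraint above, extended with the image/x-icon type cmeessen mentions, rebuilt in an in-memory SQLite table so the rejection of a text/html row and the pre-flight audit query can be run offline. Assumptions: SQLite is used in place of Postgres, so the CHECK is declared inline at CREATE TABLE time (SQLite has no ALTER TABLE ... ADD CONSTRAINT), and the table columns and sample bytes are constructed for the demo.

```python
import sqlite3

# Allowlist from the hotfix in the issue, plus image/x-icon from cmeessen's reply.
ALLOWED_IMAGE_MIME_TYPES = (
    "image/avif", "image/gif", "image/jpeg", "image/png",
    "image/svg+xml", "image/webp", "image/x-icon",
)
# Same predicate the CHECK constraint uses, rendered as SQL once.
MIME_CHECK_SQL = "mime_type IN (%s)" % ", ".join(f"'{m}'" for m in ALLOWED_IMAGE_MIME_TYPES)


def is_allowed_mime(mime_type: str) -> bool:
    """Application-side mirror of the database CHECK (defence in depth)."""
    return mime_type in ALLOWED_IMAGE_MIME_TYPES


def open_image_db(constrained: bool) -> sqlite3.Connection:
    """Constructed in-memory 'image' table. SQLite lacks ALTER TABLE ... ADD CONSTRAINT,
    so the CHECK named image_valid_mime_type is declared inline instead of via the hotfix.
    Note the CHECK validates only the declared type, not the stored bytes."""
    check = f" CONSTRAINT image_valid_mime_type CHECK ({MIME_CHECK_SQL})" if constrained else ""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE image (id INTEGER PRIMARY KEY, data BLOB NOT NULL,"
                 f" mime_type TEXT NOT NULL{check})")
    return conn


def try_insert(conn: sqlite3.Connection, data: bytes, mime_type: str) -> bool:
    """Insert one row; False means the constraint rejected the MIME type."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO image (data, mime_type) VALUES (?, ?)", (data, mime_type))
        return True
    except sqlite3.IntegrityError:
        return False


def mime_type_counts(conn: sqlite3.Connection) -> list[tuple[str, int]]:
    """The audit query from the issue: which MIME types are stored, and how many rows each."""
    return list(conn.execute(
        "SELECT mime_type, COUNT(*) FROM image GROUP BY mime_type ORDER BY mime_type"))


def rows_blocking_constraint(conn: sqlite3.Connection) -> dict[str, int]:
    """Run before ADD CONSTRAINT on a live table: any MIME type listed here would make
    the ALTER fail, and is exactly the data the issue warns about."""
    return {m: n for m, n in mime_type_counts(conn) if not is_allowed_mime(m)}


if __name__ == "__main__":
    legacy = open_image_db(constrained=False)
    try_insert(legacy, b"\x89PNG\r\n\x1a\n", "image/png")   # constructed sample bytes
    try_insert(legacy, b"<!doctype html>", "text/html")      # what the column used to accept
    print(rows_blocking_constraint(legacy))                 # {'text/html': 1}
    fixed = open_image_db(constrained=True)
    print(try_insert(fixed, b"<!doctype html>", "text/html"))  # False
```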