rocketRobin / myrmec

This library is used to detect real file format type via file hex head (identify file format by header).
Apache License 2.0

Can I validate a file upload based on your API? #8

Open mgh9 opened 3 years ago

mgh9 commented 3 years ago

I want to validate an uploaded file by detecting the real type of it.

For example, imagine injecting a web-shell script into some part of the image file (e.g. the end of a PNG file). I think your API only checks magic numbers (the first header bytes), and web shells can bypass this technique.

MmHamzeh commented 3 years ago

I think you had better check the uploaded file type with "myrmec" and check the file extension too. If the file extension does not exist in the "myrmec" result, then ignore the file, because it means the user changed the file extension, and normal users don't do this.

Be aware that "myrmec" can't identify raw text files such as .txt, .css, .js, .json, etc.
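
The check suggested in the reply above (the sniffed type must agree with the file extension), extended with a scan for bytes after the PNG IEND chunk, which is the case the question raises. This is an added Python example, not part of the thread and not myrmec's API; the signature table, function names and sample PNG are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Small illustrative signature table (assumption; myrmec ships its own, larger set).
SIGNATURES = {"png": PNG_SIG, "jpg": b"\xff\xd8\xff", "gif": b"GIF8", "pdf": b"%PDF-"}

def sniff(data):
    """Return the type whose magic number matches the file head, or None."""
    return next((ext for ext, magic in SIGNATURES.items() if data.startswith(magic)), None)

def png_trailing_bytes(data):
    """Walk the PNG chunk list; return bytes found after IEND, or -1 if malformed."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length              # length(4) + type(4) + body + CRC(4)
        if end > len(data):
            return -1                        # chunk claims more bytes than exist
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return -1                        # CRC covers type + body
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1                                # ran out of data before IEND

def validate_upload(filename, data):
    """Return (accepted, reason) for an upload given its name and full content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff(data)
    if detected is None:
        return False, "unknown or text-based type"
    if ext != detected:
        return False, "extension does not match detected type"
    if detected == "png" and png_trailing_bytes(data) != 0:
        return False, "malformed PNG or data after IEND"
    return True, "ok"

def _chunk(ctype, body=b""):
    """Build one PNG chunk (used only for the constructed sample below)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 greyscale PNG chunk stream (IHDR, IDAT, IEND).
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND"))
```

The trailing-byte scan covers only data appended after IEND and only for PNG; re-encoding accepted images and serving uploads from a location where nothing is executed remain the stronger controls.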