Api.media.atlassian.com seems to guess the mimetype

We develop a product that allows creating attachments on pages & blog posts. For security reasons we filter the mime type and file extension on uploads before adding the attachment to the page.

A bug bounty researcher found an issue in our product where he was able to bypass our filter by disguising an HTML file as a jpeg. He simply took an HTML file and changed the extension to .jpeg.

So I checked and the attachment gets added correctly as image/jpeg by our application:

However when the file gets delivered to the browser through api.media.atlassian.com the header “Content-Type: text/html” is set and the html gets executed. So it seems that api.media.atlassian.com is guessing the mime type instead of using the one specified in the attachment.

Is this behavior documented anywhere? Are there other mime types than text/html that are guessed by api.media.atlassian.com? I’ve tried it with an mp3 and it also guessed the mime type. Is there any way to force the mime type?

1 Like

Further testing revealed it will also guess the mime type of flash files, svgs, jars, xml files and potentially other dangerous file types. This is really a security disaster, especially with no reliable way to predict how api.media.atlassian.com is going to react. I will have to change our application so that it will pre-upload the first bytes of all files to a test instance so that I can verify the mime type in advance. I can’t think of another reliable way to test the mime types.

1 Like

Further testing revealed that it seems to be the case that api.media.atlassian.com is using the first 256 bytes to determine the file type. I got that by adding whitespace to the beginning of an html file until it would stop recognizing it as text/html. This makes sense as it is the same standard that most web browsers use.

When you call the download URL of your Confluence website, for example “/wiki/download/attachments/294913/61a22b58-efab-4120-a301-fffad046d89f.jpeg?version=1&modificationDate=1668627483038&cacheVersion=1&api=v2”, Atlassian will answer with a 302 redirect that has the content-type “image/jpeg” and redirects to api.media.atlassian.com. When you follow the redirect, api.media.atlassian.com will set the content-type “text/html”.
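
An added example, not part of the original posts and not Atlassian's code: an upload-side check that accepts a file only when its leading bytes match the type implied by its extension, so an HTML file renamed to .jpeg is rejected before it is attached. The allow-list, the marker list and the name `check_upload` are assumptions for illustration; the 256-byte window is the figure reported in the post above.

```python
import os

# Assumed allow-list: extension -> MIME type -> magic-byte prefixes that prove it.
EXT_TO_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
               ".gif": "image/gif", ".pdf": "application/pdf"}
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}
# Assumed subset of markers that a sniffing server may map to an active type.
MARKUP = [b"<!doctype", b"<html", b"<script", b"<svg", b"<?xml", b"<iframe"]
SNIFF_WINDOW = 256  # window size observed in the post; an assumption here


def check_upload(filename, data):
    """Return (accepted, detail). Accept only on a positive magic-byte match."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXT_TO_MIME.get(ext)
    if declared is None:
        return False, "extension not allowed"
    head = data[:SNIFF_WINDOW]
    if any(head.startswith(m) for m in MAGIC[declared]):
        return True, declared
    # No positive match: reject, and say why when the content looks like markup.
    # Requiring a match (instead of blocking known-bad prefixes) also rejects
    # files padded with whitespace past the sniffing window.
    lowered = head.lstrip().lower()
    if any(lowered.startswith(t) for t in MARKUP):
        return False, "markup content under %s extension" % ext
    return False, "content does not match %s" % declared


# Constructed sample inputs (not taken from the thread).
JPEG_OK = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
HTML_AS_JPEG = b"<html><body>hello</body></html>"
PADDED_HTML = b" " * 300 + HTML_AS_JPEG

if __name__ == "__main__":
    for name, blob in [("photo.jpeg", JPEG_OK), ("photo.jpeg", HTML_AS_JPEG),
                       ("photo.jpeg", PADDED_HTML), ("page.html", HTML_AS_JPEG)]:
        print(name, check_upload(name, blob))
```
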