test: uploads return correct content type headers (#8182)

packages/next/src/routes/rest/files/checkFileAccess.ts

@@ -19,6 +19,10 @@ export async function checkFileAccess({
     return disableEndpoints
   }
 
+  if (filename.includes('../') || filename.includes('..\\')) {
+    throw new Forbidden(req.t)
+  }
+
   const accessResult = await executeAccess({ isReadingStaticFile: true, req }, config.access.read)
 
   if (typeof accessResult === 'object') {

test/uploads/int.spec.ts

@@ -216,7 +216,6 @@ describe('Collections - Uploads', () => {
         expect(doc.filename).toBeDefined()
       })
     })
-
     describe('update', () => {
       it('should replace image and delete old files - by ID', async () => {
         const filePath = path.resolve(dirname, './image.png')
@@ -344,6 +343,25 @@ describe('Collections - Uploads', () => {
         expect(await fileExists(path.join(dirname, doc.filename))).toBe(false)
       })
     })
+    describe('read', () => {
+      it('should return the media document with the correct file type', async () => {
+        const filePath = path.resolve(dirname, './image.png')
+        const file = await getFileByPath(filePath)
+        file.name = 'renamed.png'
+
+        const mediaDoc = (await payload.create({
+          collection: mediaSlug,
+          data: {},
+          file,
+        })) as unknown as Media
+
+        const response = await restClient.GET(`/${mediaSlug}/file/${mediaDoc.filename}`)
+
+        expect(response.status).toBe(200)
+
+        expect(response.headers.get('content-type')).toContain('image/png')
+      })
+    })
   })
 
   describe('Local API', () => {