An SVG file can contain JavaScript. Renaming it to .png while keeping the leading <?xml ...?> declaration bypasses naive magic byte checks that only look at the file extension or the first few bytes.
Gunner counter: The project uses a two-pass validation: magic bytes first, then a schema-specific parser for the detected format. For SVG, it parses the document, checks for <script> tags and disallows them.
The true power of the FileUpload Gunner Project lies in its YAML-based configuration engine. You can create custom "ammunition" types.
The Gunner loves shell.php%00.jpg. In languages like PHP, the embedded NUL byte used to truncate the string, so the file was stored as shell.php while the extension check saw .jpg. Always sanitize filenames:
filename = filename.replace('\x00', '')
Contributions are welcome! Please read the CONTRIBUTING.md file for guidelines on how to submit pull requests.
License: MIT
This type of project is primarily used by:
Embed the Gunner test suite into your GitHub Actions or GitLab CI. On every PR that touches file handling code, the pipeline:
We’re open‑sourcing the core upload engine next month. The roadmap includes:
# Clone the repository
git clone https://github.com/example/fileupload-gunner-project.git
cd fileupload-gunner-project