feat: check screenshot image mimetype and extension (#491)

s4kh · web-flow · commit 45b1c83634c0 · 2026-01-21T08:10:05.000-05:00
diff --git a/pkg/analysis/passes/screenshots/screenshots.go b/pkg/analysis/passes/screenshots/screenshots.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"mime"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -124,15 +125,30 @@ func validateImage(imgPath string) error {
 		mimeType = svgImage
 	}
 
+	found := false
 	for _, accepted := range acceptedImageTypes {
 		if accepted == mimeType {
-			return nil
+			found = true
+			break
 		}
 	}
 
-	return fmt.Errorf(
-		"invalid screenshot image: %q. Accepted image types: %q",
-		imgPath,
-		acceptedImageTypes,
-	)
+	if !found {
+		return fmt.Errorf(
+			"invalid screenshot image: %q. Accepted image types: %q",
+			imgPath,
+			acceptedImageTypes,
+		)
+	}
+
+	ext := filepath.Ext(imgPath)
+	expectedMimeType := mime.TypeByExtension(ext)
+	if expectedMimeType != mimeType {
+		return fmt.Errorf(
+			"screenshot image has extension mismatch: %q has extension %q but content is %s",
+			imgPath, ext, mimeType,
+		)
+	}
+
+	return nil
 }
diff --git a/pkg/analysis/passes/screenshots/screenshots_test.go b/pkg/analysis/passes/screenshots/screenshots_test.go
@@ -67,6 +67,33 @@ func TestNoScreenshots(t *testing.T) {
 	require.Equal(t, interceptor.Diagnostics[0].Title, "plugin.json: should include screenshots for the Plugin catalog")
 }
 
+func TestMimeTypeExtMismatch(t *testing.T) {
+	var interceptor testpassinterceptor.TestPassInterceptor
+	const pluginJsonContent = `{
+		"name": "my plugin name",
+		"info": {
+		"screenshots": [{
+			"path": "testdata/screenshot2.png",
+			"name": "screenshot2"
+		}]
+		}
+	}`
+	pass := &analysis.Pass{
+		RootDir: filepath.Join("./"),
+		ResultOf: map[*analysis.Analyzer]interface{}{
+			metadata.Analyzer:      []byte(pluginJsonContent),
+			archive.Analyzer:       filepath.Join("."),
+			metadatavalid.Analyzer: nil,
+		},
+		Report: interceptor.ReportInterceptor(),
+	}
+
+	_, err := Analyzer.Run(pass)
+	require.NoError(t, err)
+	require.Len(t, interceptor.Diagnostics, 1)
+	require.Equal(t, `screenshot image has extension mismatch: "testdata/screenshot2.png" has extension ".png" but content is image/jpeg`, interceptor.Diagnostics[0].Title)
+}
+
 func TestEmptyInvalidScreenshotPath(t *testing.T) {
 	var interceptor testpassinterceptor.TestPassInterceptor
 	const pluginJsonContent = `{
diff --git a/pkg/analysis/passes/screenshots/testdata/screenshot2.png b/pkg/analysis/passes/screenshots/testdata/screenshot2.png
