fix: enforce mimeTypes restriction when useTempFiles is enabled

When useTempFiles is enabled, file.data is an empty buffer because the
actual file content is stored on disk at tempFilePath. This caused
fileTypeFromBuffer to return undefined, and the subsequent fallback
validation was guarded by !useTempFiles, effectively skipping all
mimeTypes validation for temp file uploads.

The fix reads the file buffer from the temp file path when useTempFiles
is enabled and file.data is empty, ensuring that both magic-byte
detection and extension-based fallback validation are applied
consistently regardless of the upload mode.

Closes #16233

Author: eddieran

packages/payload/src/uploads/checkFileRestrictions.ts

@@ -1,4 +1,5 @@
 import { fileTypeFromBuffer } from 'file-type'
+import fs from 'fs/promises'
 
 import type { checkFileRestrictionsParams, FileAllowList } from './types.js'
 
@@ -89,7 +90,15 @@ export const checkFileRestrictions = async ({
 
   // Secondary mimetype check to assess file type from buffer
   if (configMimeTypes.length > 0) {
-    let detected = await fileTypeFromBuffer(file.data)
+    // When useTempFiles is enabled, file.data is an empty buffer because the
+    // actual content lives on disk. Read from the temp file so that
+    // fileTypeFromBuffer can perform real magic-byte detection.
+    const fileBuffer =
+      useTempFiles && file.tempFilePath && (!file.data || file.data.length === 0)
+        ? await fs.readFile(file.tempFilePath)
+        : file.data
+
+    let detected = await fileTypeFromBuffer(fileBuffer)
     const typeFromExtension = file.name.split('.').pop() || ''
 
     // Handle SVG files that are detected as XML due to <?xml declarations
@@ -99,13 +108,13 @@ export const checkFileRestrictions = async ({
         (type) => type.includes('image/') && (type.includes('svg') || type === 'image/*'),
       )
     ) {
-      const isSvg = detectSvgFromXml(file.data)
+      const isSvg = detectSvgFromXml(fileBuffer)
       if (isSvg) {
         detected = { ext: 'svg' as any, mime: 'image/svg+xml' as any }
       }
     }
 
-    if (!detected && !useTempFiles) {
+    if (!detected) {
       const mimeTypeFromExtension = getFileTypeFallback(file.name).mime
       const extIsValid = validateMimeType(mimeTypeFromExtension, configMimeTypes)
 
@@ -116,15 +125,15 @@ export const checkFileRestrictions = async ({
       } else {
         // SVG security check (text-based files not detectable by buffer)
         if (typeFromExtension.toLowerCase() === 'svg') {
-          const isSafeSvg = validateSvg(file.data)
+          const isSafeSvg = validateSvg(fileBuffer)
           if (!isSafeSvg) {
             errors.push('SVG file contains potentially harmful content.')
           }
         }
 
         // PDF validation
         if (mimeTypeFromExtension === 'application/pdf') {
-          const isValidPDF = validatePDF(file.data)
+          const isValidPDF = validatePDF(fileBuffer)
           if (!isValidPDF) {
             errors.push('Invalid or corrupted PDF file.')
           }
@@ -141,7 +150,7 @@ export const checkFileRestrictions = async ({
     const passesMimeTypeCheck = detected?.mime && validateMimeType(detected.mime, configMimeTypes)
 
     if (passesMimeTypeCheck && detected?.mime === 'application/pdf') {
-      const isValidPDF = validatePDF(file?.data)
+      const isValidPDF = validatePDF(fileBuffer)
       if (!isValidPDF) {
         errors.push('Invalid PDF file.')
       }