How would you test a file upload feature?

Short answer

Clarify supported file types, size limits, virus scanning, and storage destination, then cover functional upload, boundary inputs, security (server-side validation, path traversal), and performance under concurrent uploads.

Detail

Clarify first

  • Which file types are accepted, and is validation client-side, server-side, or both?
  • What is the maximum file size, and what happens when it is exceeded?
  • Is virus or malware scanning applied to uploaded files?
  • Where are files stored — local disk, S3, CDN — and are they publicly accessible by URL?

Functional

  • Valid file uploads successfully; progress indicator shown for large files
  • Uploaded file is accessible (download, preview) after upload completes
  • Filename, size, and content type are preserved and displayed correctly
  • Multiple-file upload (if supported) works without any file being silently dropped

Negative / error handling

  • Unsupported file type rejected with a clear, user-friendly message
  • File exceeding the size limit rejected before or during upload with a clear message
  • Corrupt or zero-byte file handled gracefully — no server crash, meaningful error
  • Network interruption mid-upload — resumable upload resumes, non-resumable shows clear retry option

Edge & boundary

  • Filename with special characters, leading dots, spaces, or very long name (255+ chars)
  • Multiple simultaneous uploads from the same user
  • File at exactly the size limit vs one byte over
  • Uploading the same file twice — duplicate handling (reject, overwrite, or rename?)

Security

  • File type validation is enforced server-side, not just via the HTML accept attribute (test the bypass by changing the MIME type in the request)
  • Path traversal in filename prevented (../../../etc/passwd in filename must be sanitised)
  • Uploaded files are not directly executable from the web root (no shell script or PHP upload that runs on access)
  • Virus scan result handling — infected file quarantined or rejected, user notified

Performance

  • Upload speed and server memory usage under multiple concurrent large-file uploads
  • Server timeout behavior for very slow uploads

Close: automate file type/size boundary checks, path traversal payload, and MIME-type bypass via API. Keep manual for progress indicator UX, slow-network behavior, and AV scan integration verification.
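As an added example (not part of the original answer), here is a minimal server-side validator that the automated type/size boundary, path traversal, and MIME-type bypass checks could target. The size limit, upload root, allow-list, and all function names are assumptions made for illustration.

```python
import os
import uuid

MAX_BYTES = 5 * 1024 * 1024            # assumed size limit
UPLOAD_ROOT = "/srv/uploads"           # assumed storage directory outside the web root
ALLOWED = {                            # assumed allow-list: extension -> magic bytes
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

class UploadRejected(ValueError):
    pass

def validate_upload(client_filename, declared_type, data):
    """Return the server-side storage path, or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Keep only the last path component, whichever separator the client used.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()   # a bare ".png" has no extension
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected("extension not allowed")
    # declared_type comes from the request, so it is ignored for the decision;
    # the content itself has to match the allow-listed type.
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # Store under a server-generated name so the client's name never reaches disk.
    stored = os.path.join(UPLOAD_ROOT, uuid.uuid4().hex + ext)
    root = os.path.realpath(UPLOAD_ROOT)
    if os.path.commonpath([root, os.path.realpath(stored)]) != root:
        raise UploadRejected("path escapes upload root")
    return stored

def outcome(name, declared_type, data):
    """Return 'accepted' or the rejection reason, for table-driven tests."""
    try:
        validate_upload(name, declared_type, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)

# Constructed sample inputs for the tests.
PNG = ALLOWED[".png"] + b"constructed sample body"
PHP = b"<?php echo 'constructed sample'; ?>"
```

A magic-byte match only shows that the file starts like the claimed type, so treat it as a minimum check alongside AV scanning and non-executable storage.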

// WHAT INTERVIEWERS LOOK FOR

Server-side type validation (not just HTML accept attribute), path traversal in filename, and virus scanning handling. These are the non-obvious security concerns that separate a thorough answer.

// COMMON PITFALL

Only testing the happy path and obvious type/size rejections. Missing server-side bypass, path traversal, and the post-upload access question (are files publicly URL-accessible?).