Is it safe to upload JSON files to upload folder?

JSON files are really data files: they are not a security threat per se, it’s simply that WordPress doesn’t include them in its whitelist.

It really depends on who can upload the data and what you do with the data. After all, an Excel file with macros can be a security risk, and yet WordPress allows the following:

'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
'xlsx'            => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
'xlsm'            => 'application/vnd.ms-excel.sheet.macroEnabled.12',
'xlsb'            => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
'xltx'            => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
'xltm'            => 'application/vnd.ms-excel.template.macroEnabled.12',
'xlam'            => 'application/vnd.ms-excel.addin.macroEnabled.12',

Now that we’ve established that what is considered “safe” depends on perspectives, it’s undeniable that whitelisting is more secure than blacklisting, but sometimes false positives may occur (there are sooo many file types, after all).

Here is the full list of allowed file types by default:

/**
     * Filters the list of mime types and file extensions.
     *
     * This filter should be used to add, not remove, mime types. To remove
     * mime types, use the {@see 'upload_mimes'} filter.
     *
     * @since 3.5.0
     *
     * @param string[] $wp_get_mime_types Mime types keyed by the file extension regex
     *                                 corresponding to those types.
     */
    apply_filters(
        'mime_types',
        array(
            // Image formats.
            'jpg|jpeg|jpe'                 => 'image/jpeg',
            'gif'                          => 'image/gif',
            'png'                          => 'image/png',
            'bmp'                          => 'image/bmp',
            'tiff|tif'                     => 'image/tiff',
            'webp'                         => 'image/webp',
            'ico'                          => 'image/x-icon',
            'heic'                         => 'image/heic',
            // Video formats.
            'asf|asx'                      => 'video/x-ms-asf',
            'wmv'                          => 'video/x-ms-wmv',
            'wmx'                          => 'video/x-ms-wmx',
            'wm'                           => 'video/x-ms-wm',
            'avi'                          => 'video/avi',
            'divx'                         => 'video/divx',
            'flv'                          => 'video/x-flv',
            'mov|qt'                       => 'video/quicktime',
            'mpeg|mpg|mpe'                 => 'video/mpeg',
            'mp4|m4v'                      => 'video/mp4',
            'ogv'                          => 'video/ogg',
            'webm'                         => 'video/webm',
            'mkv'                          => 'video/x-matroska',
            '3gp|3gpp'                     => 'video/3gpp',  // Can also be audio.
            '3g2|3gp2'                     => 'video/3gpp2', // Can also be audio.
            // Text formats.
            'txt|asc|c|cc|h|srt'           => 'text/plain',
            'csv'                          => 'text/csv',
            'tsv'                          => 'text/tab-separated-values',
            'ics'                          => 'text/calendar',
            'rtx'                          => 'text/richtext',
            'css'                          => 'text/css',
            'htm|html'                     => 'text/html',
            'vtt'                          => 'text/vtt',
            'dfxp'                         => 'application/ttaf+xml',
            // Audio formats.
            'mp3|m4a|m4b'                  => 'audio/mpeg',
            'aac'                          => 'audio/aac',
            'ra|ram'                       => 'audio/x-realaudio',
            'wav'                          => 'audio/wav',
            'ogg|oga'                      => 'audio/ogg',
            'flac'                         => 'audio/flac',
            'mid|midi'                     => 'audio/midi',
            'wma'                          => 'audio/x-ms-wma',
            'wax'                          => 'audio/x-ms-wax',
            'mka'                          => 'audio/x-matroska',
            // Misc application formats.
            'rtf'                          => 'application/rtf',
            'js'                           => 'application/javascript',
            'pdf'                          => 'application/pdf',
            'swf'                          => 'application/x-shockwave-flash',
            'class'                        => 'application/java',
            'tar'                          => 'application/x-tar',
            'zip'                          => 'application/zip',
            'gz|gzip'                      => 'application/x-gzip',
            'rar'                          => 'application/rar',
            '7z'                           => 'application/x-7z-compressed',
            'exe'                          => 'application/x-msdownload',
            'psd'                          => 'application/octet-stream',
            'xcf'                          => 'application/octet-stream',
            // MS Office formats.
            'doc'                          => 'application/msword',
            'pot|pps|ppt'                  => 'application/vnd.ms-powerpoint',
            'wri'                          => 'application/vnd.ms-write',
            'xla|xls|xlt|xlw'              => 'application/vnd.ms-excel',
            'mdb'                          => 'application/vnd.ms-access',
            'mpp'                          => 'application/vnd.ms-project',
            'docx'                         => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
            'docm'                         => 'application/vnd.ms-word.document.macroEnabled.12',
            'dotx'                         => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
            'dotm'                         => 'application/vnd.ms-word.template.macroEnabled.12',
            'xlsx'                         => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
            'xlsm'                         => 'application/vnd.ms-excel.sheet.macroEnabled.12',
            'xlsb'                         => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
            'xltx'                         => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
            'xltm'                         => 'application/vnd.ms-excel.template.macroEnabled.12',
            'xlam'                         => 'application/vnd.ms-excel.addin.macroEnabled.12',
            'pptx'                         => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
            'pptm'                         => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
            'ppsx'                         => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
            'ppsm'                         => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
            'potx'                         => 'application/vnd.openxmlformats-officedocument.presentationml.template',
            'potm'                         => 'application/vnd.ms-powerpoint.template.macroEnabled.12',
            'ppam'                         => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
            'sldx'                         => 'application/vnd.openxmlformats-officedocument.presentationml.slide',
            'sldm'                         => 'application/vnd.ms-powerpoint.slide.macroEnabled.12',
            'onetoc|onetoc2|onetmp|onepkg' => 'application/onenote',
            'oxps'                         => 'application/oxps',
            'xps'                          => 'application/vnd.ms-xpsdocument',
            // OpenOffice formats.
            'odt'                          => 'application/vnd.oasis.opendocument.text',
            'odp'                          => 'application/vnd.oasis.opendocument.presentation',
            'ods'                          => 'application/vnd.oasis.opendocument.spreadsheet',
            'odg'                          => 'application/vnd.oasis.opendocument.graphics',
            'odc'                          => 'application/vnd.oasis.opendocument.chart',
            'odb'                          => 'application/vnd.oasis.opendocument.database',
            'odf'                          => 'application/vnd.oasis.opendocument.formula',
            // WordPerfect formats.
            'wp|wpd'                       => 'application/wordperfect',
            // iWork formats.
            'key'                          => 'application/vnd.apple.keynote',
            'numbers'                      => 'application/vnd.apple.numbers',
            'pages'                        => 'application/vnd.apple.pages',
        )
    );

This is where the mime_types filter comes into play ; you can place the following in your theme’s functions.php or in a custom plugin:


add_filter('mime_types', 'add_json_mime_type', 10, 1);
function add_json_mime_type($mime_types) {
  $mime_types['json'] = 'application/json';
  
  return $mime_types;
}

Related Posts:

  1. simple solution for restricting access to (some) uploads/downloads
  2. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  3. What permissions does wp-content/uploads need?
  4. can not upload file .vtt on wordpress 5.0.1
  5. What are the security reasons to disallow Microsoft Word uploads?
  6. Password protect some uploaded files, so only logged-in users can view them
  7. How to protect uploads in multisite if user is not logged in?
  8. File Upload Permissions
  9. Retrieving JSON data in ajax request from media uploader
  10. Extend the list of MIME-types supported by the builtin uploader in 3.3
  11. Placing assets for external use
  12. How to safely allow user upload on CPTs?
  13. making media URL secured
  14. Is it safe to allow non-admin users access to media uploader
  15. Setting up a HIPAA secured form / file upload
  16. Safe to allow json uploads
  17. Where to store sensitive uploaded file?
  18. Access featured image URL based on media ID?
  19. WP upload/select image , isn’t this a security issue?
  20. What is the best way to upload a temporary & sensitive file and then delete it when done
  21. Is there a way to force Featured image to show as attachement?
  22. Basic File/Post restriction plugin
  23. Auto shortlink for file uploads
  24. How to parse an image that was just uploaded to make sure it doesn’t contain malicious code?
  25. How to generate thumbnails when needed only?
  26. Media files exist in upload folder but not showing up
  27. Set limit to media upload?
  28. Save camera info as metadata on image upload?
  29. How to upload SVG in WordPress 4.9.8?
  30. Use a separate custom table (not posts) to handle file upload data
  31. PNG with transparent background turns black when uploaded and resized
  32. WP 3.3 > Still no option to enable automatic image overwrites?
  33. Custom upload directory per CPT; when removed, file not deleted
  34. Modify featured image path to Amazon S3
  35. How to get all files inserted (but not attached) to a post
  36. Trigger JS when featured image upload window is opened in admin
  37. uploading files to the uploads folder via ftp
  38. Delete images uploaded by ‘Subscriber’ role
  39. Remove upload_files capability from a role but allow role to manage an avatar image
  40. 3.5 media manager add CSS / JS to new ‘tab’ iframe content
  41. Insert Featured image from Feed
  42. http error when uploading media files
  43. How can I upload a csv file into WordPress?
  44. How to link to the image editor’s Edit Image function?
  45. Change the size of the image preview on the media edit page
  46. Saving WordPress generated thumbnails in a subdirectory
  47. Whole bunch of errors on WP website – media upload, edit slugs, edit screen not working [closed]
  48. Retroactively place uploaded media into -month, -year based folders?
  49. Conditional add_filter for upload directory?
  50. Need to download uploaded binary file
  51. Insert Image automatically when upload finishes wordpress media uploader
  52. WordPress “HTTP error.” when uploading Media – IIS
  53. WordPress uploads folder path. how it is decided?
  54. Limit upload file type on one custom post type
  55. Filter / Hook to get attachment ID before uploading?
  56. PDF file upload issue
  57. WordPress bug with capabilities?
  58. Update image via WP REST API
  59. media_handle_upload() progress bar
  60. Attach Thumbnail Generated from Video Upload as Featured Image for the Video
  61. ‘An error occurred in the upload. Please try again later.’ for users with different roles
  62. How to submit data between wp_iframe and backbone.js in media upload
  63. HTTP Error after finishing uploading a video that is bigger than 64 MB -> After raising the upload limit manually in the wp-config file
  64. Set post_parent value for the images uploaded by Add Media button into post
  65. What are best practices to storing uploads in WordPress?
  66. Using Add from Server to upload by post ID
  67. Image resizing – TimThumb vs convert on upload?
  68. File names are being overridden when uploading new media
  69. Patient portal using wordpress
  70. Stop image resizing in particular case – is that possible?
  71. Uploads going to the root of wp-content/uploads
  72. Uploaded image with non-english characters is named incorrectly in upload folder
  73. Can’t upload images (incorrect “file exceeds upload_max_filesize” error)
  74. “Trying to upload files larger than” error will not go away
  75. How to add filetype to meta value when using wp_upload_bits?
  76. Cropping thumbnails to specific dimensions on front end post
  77. Double slash in upload URLs
  78. Unable to upload new file as a product
  79. Limit users to specific uploads
  80. Make inline uploader (plupload) on options page upload to a specific folder
  81. WordPress blog with a custom made theme hosted on heroku
  82. media file uploading
  83. What is wrong with my wp_insert_attachment code?
  84. Editor User Role can’t see other users media
  85. How to allow .ged file uploads
  86. Set attachment category from file name on upload
  87. HTTP Error WordPress on IIS uploading image
  88. WordPress Upload Speed
  89. _d_improd_ directory in uploads breaking site images
  90. Drag and Drop Media Not Working in Windows 10 Edge Browser
  91. Exclude some photos in media library
  92. Failed to load resource at admin screen
  93. Upload more than one media files with a post
  94. Upload file to front-end form and send as email attachment
  95. uploading photos
  96. How to handle image resize in media_handle_sideload?
  97. Image uploaded in media library, can only see it when I using the WP Edit Image feature. 404 when trying to view in browser
  98. Single file upload
  99. Can’t upload files 1MB+ [closed]
  100. Update media item using wordpress rest api in python