From b75f210a6b0701c10d0b2703f234b851bfab2087 Mon Sep 17 00:00:00 2001
From: Claas Augner <caugner@mozilla.com>
Date: Fri, 18 Nov 2022 12:02:19 +0100
Subject: [PATCH] chore(build): check file-type of audio/video/font files

---
 build/cli.ts | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/build/cli.ts b/build/cli.ts
index d63b637d0bbb..8c15e964208c 100644
--- a/build/cli.ts
+++ b/build/cli.ts
@@ -7,6 +7,7 @@ import zlib from "node:zlib";
 import chalk from "chalk";
 import cliProgress from "cli-progress";
 import { program } from "@caporal/core";
+import FileType from "file-type";
 import { prompt } from "inquirer";
 
 import { Document, slugToFolder, translationsOf } from "../content";
@@ -220,7 +221,23 @@ async function buildDocuments(
     }
 
     for (const filePath of fileAttachments) {
-      // We *could* use symlinks instead. But, there's no point :)
+      // Ensure that binary files contain what their extension indicates.
+      if (/\.(mp3|mp4|ttf|webm|woff2?)$/i.test(filePath)) {
+        const ext = filePath.split(".").pop();
+        const type = await FileType.fromFile(filePath);
+        if (!type) {
+          throw new Error(
+            `Failed to detect type of file attachment: ${filePath}`
+          );
+        }
+        if (ext.toLowerCase() !== type.ext) {
+          throw new Error(
+            `Unexpected type '${type.mime}' (*.${ext}) detected for file attachment: ${filePath}.`
+          );
+        }
+      }
+
+      // We *could* use symlinks instead. But, there's no point :
       // Yes, a symlink is less disk I/O but it's nominal.
       fs.copyFileSync(filePath, path.join(outPath, path.basename(filePath)));
     }