Back to guides

GUIDE / manual

Test Cases for File Upload

Write test cases for file upload covering file types, size limits, viruses, progress, drag-and-drop, security, and accessibility with examples.

By The Testing AcademyPublished July 9, 2026Updated July 9, 202617 min read

When you design test cases for file upload, you are testing a high-risk boundary between user devices and your system. Uploads bring binary content, metadata, storage costs, malware risk, privacy exposure, and complicated UX states such as progress, cancel, retry, and partial failure. A green "uploaded" toast is not enough. You need confidence that the right file is accepted, the wrong file is rejected, storage is correct, and only authorized users can access the result.

This guide gives you a complete file upload test design approach: requirement questions, type and size matrices, positive and negative cases, drag-and-drop and multi-file flows, security and accessibility, storage verification, and common mistakes. Use it for profile images, document KYC uploads, attachments in tickets, bulk imports, and media libraries.

Why File Upload Bugs Are Expensive

Upload defects cause:

  • Support load from blocked legitimate users.
  • Storage of dangerous files.
  • Broken previews and downloads.
  • Privacy leaks when URLs are guessable.
  • Corrupted imports that poison downstream systems.
  • Mobile failures that desktop testing never saw.

Treat upload as a platform capability with security and reliability requirements, not a small form widget.

Capture the Upload Contract

Before cases, document the contract.

Example: profile avatar upload

Allowed types: JPG, PNG, WEBP. Max size 5 MB. Min dimensions 200x200. Max dimensions 4000x4000. Single file only. Image is cropped to square. Previous avatar is replaced. Only the account owner can upload or delete.

Example: KYC document upload

Allowed: PDF, JPG, PNG. Max 10 MB each. Up to 3 files. Virus scan required. Status moves to under review after success. Files are private to user and admin reviewers.

Contract checklist

  1. Allowed extensions and MIME types.
  2. Max file size per file.
  3. Max total size per request or per day.
  4. Min/max dimensions for images.
  5. Max page count for PDFs if any.
  6. Single vs multiple files.
  7. Replace, append, or version behavior.
  8. Required vs optional.
  9. Storage location and retention.
  10. Who can download after upload.
  11. Virus scanning and quarantine flow.
  12. Preview requirements.
  13. Filename sanitization rules.
  14. Async processing expectations.

If any item is unknown, stop and ask. Guessing upload security rules is how holes ship. For general case craft, see how to write test cases.

Scenario Map for File Upload

Happy path scenarios

  • Upload valid file via picker.
  • Upload valid file via drag-and-drop.
  • Upload valid file on mobile.
  • Replace existing file.
  • Upload multiple valid files if allowed.
  • Preview after upload.
  • Download after upload.

Validation scenarios

  • Unsupported extension.
  • Allowed extension with wrong content type.
  • Oversized file.
  • Zero-byte file.
  • Empty submission with no file when required.
  • Dimension too small/large for images.
  • Corrupt file that cannot be parsed.
  • Password-protected PDF if unsupported.

UX and state scenarios

  • Progress indicator.
  • Cancel in-flight upload.
  • Retry after failure.
  • Network disconnect mid-upload.
  • Double submit.
  • Remove selected file before submit.
  • Leave page during upload.

Security scenarios

  • Malicious extension tricks.
  • Path traversal filenames.
  • Oversized zip bombs if archives allowed.
  • Unauthorized API upload.
  • Public URL access control.
  • SVG/script content if SVG allowed.

Permission and privacy scenarios

  • Owner can access.
  • Other user cannot access.
  • Admin role can access if intended.
  • Signed URL expiry if used.

Test Data Fixtures You Should Prepare

Create a small fixture library in your test assets (safe, non-malicious files):

FixturePurpose
valid-small.jpgHappy path image
valid-max-under.pdfNear max size valid doc
oversize.pdfOver limit
zero-byte.txtEmpty file
valid.png / valid.webpType matrix
not-allowed.exe or .js renamed carefully as disallowed sampleType rejection
double-ext.pdf.exeDouble extension handling
huge-dimensions.jpgDimension limit
tiny-dimensions.pngMin dimension
corrupt.jpgParse failure
name-with-spaces and ünicode.pdfFilename handling
long-filename-....pdfFilename length

Never store real malware in ordinary repos. If AV testing is required, use organization-approved safe test patterns and isolated environments.

Test Cases for File Upload: Core Positive Coverage

IDTitlePreconditionsExpected
TC-UP-001Upload valid allowed file via pickerUser on upload formSuccess state, file stored, metadata correct
TC-UP-002Upload valid allowed file via drag-and-dropDropzone enabledSame acceptance as picker
TC-UP-003Upload each allowed typeFixtures for every allowed typeEach type succeeds
TC-UP-004Replace existing filePrior file existsNew file active, old handled per policy
TC-UP-005Upload then previewPreview supportedPreview matches uploaded content type
TC-UP-006Upload then downloadDownload allowedDownloaded content integrity OK
TC-UP-007Optional upload skippedFile optionalForm submits without file
TC-UP-008Multiple valid filesMulti enabledAll accepted within limits

Detailed happy path

Test Case ID: TC-UP-001
Title: Verify user can upload a valid PNG under the size limit
Requirement Reference: PROF-AVATAR-01
Priority: High
Type: Positive
Preconditions:
  - User is logged in
  - Avatar upload allows PNG up to 5 MB
Test Data:
  - valid-small.png (about 200 KB, 400x400)
Steps:
  1. Open profile settings.
  2. Choose upload avatar.
  3. Select valid-small.png from the file picker.
  4. Confirm crop/save if shown.
  5. Reload profile page.
Expected Result:
  - Upload progress completes without error.
  - Success confirmation is shown.
  - New avatar is visible on profile.
  - Stored object is PNG within allowed dimensions.
  - Only the owner can access the private storage URL if avatars are private.

File Type Validation Cases

Type checks must be stronger than "ends with .pdf".

IDTitleFile ideaExpected
TC-UP-010Allowed extension accepted.pdf real PDFSuccess
TC-UP-011Disallowed extension rejected.exe, .bat, .jsRejected with clear message
TC-UP-012Uppercase extension.PNGAccepted if case-insensitive policy
TC-UP-013No extensiondocumentRejected or sniffed per rule
TC-UP-014Double extensionreport.pdf.exeRejected for executable types
TC-UP-015Spoofed extensionEXE bytes named .jpgServer rejects based on content sniffing if required
TC-UP-016MIME mismatchPNG content with .jpg namePer strictness policy
TC-UP-017SVG with script if SVG allowedSVG containing JSBlocked or sanitized
TC-UP-018HTML renamed as txt if txt allowedHTML contentSafe handling, no execute on download page

If the product claims content sniffing, test it. If it only checks extension, document that risk and still test extension matrix thoroughly.

Size Limit and Boundary Cases

Boundaries matter. Use boundary value analysis and equivalence partitioning.

Assume max = 5 MB.

IDTitleSizeExpected
TC-UP-020Just under max5 MB - 1 KBAccepted
TC-UP-021Exact maxexactly 5 MBAccepted if rule is <=
TC-UP-022Just over max5 MB + 1 KBRejected
TC-UP-023Zero-byte file0 bytesRejected for most business uploads
TC-UP-024Tiny valid filefew KB valid typeAccepted if otherwise valid
TC-UP-025Multiple files total over limitsum > total capRejected appropriately
TC-UP-026Client and server both enforcebypass client with APIServer still rejects oversize

Expected results should include:

  • User-visible error.
  • No orphan partial objects left visible as complete.
  • No crash or gateway raw error page.

Image-Specific Cases

IDTitleExpected
TC-UP-030Below min dimensionsRejected
TC-UP-031Exact min dimensionsAccepted
TC-UP-032Above max dimensionsRejected or auto-resized per rule
TC-UP-033Extreme aspect ratioAccepted or rejected per rule
TC-UP-034Animated GIF if not allowedRejected
TC-UP-035CMYK JPEG if unsupportedClear failure or conversion
TC-UP-036EXIF rotation respected or normalizedDisplay upright per product choice
TC-UP-037Cropper enforces required outputFinal stored image meets size rules

Document-Specific Cases

IDTitleExpected
TC-UP-040Valid PDF text docAccepted
TC-UP-041Password-protected PDFRejected if unsupported
TC-UP-042PDF over page limitRejected if limited
TC-UP-043Corrupt PDFRejected safely
TC-UP-044Embedded macros in office docs if allowed types include officePolicy-based block/scan
TC-UP-045CSV import with valid schemaRows processed
TC-UP-046CSV with missing required columnsValidation errors, no partial silent import if forbidden

For import uploads, validate both file acceptance and business row processing.

Multi-File, Order, and Quota Cases

IDTitleExpected
TC-UP-050Upload max allowed countAll succeed
TC-UP-051Upload max count + 1Extra rejected or blocked before send
TC-UP-052Remove one selected file pre-uploadRemaining upload correctly
TC-UP-053Duplicate filename in same batchAccepted with unique storage keys
TC-UP-054Daily quota exceededRejected with quota message
TC-UP-055Parallel uploadsConsistent final state, no lost files

Progress, Cancel, Retry, and Network Cases

IDTitleExpected
TC-UP-060Progress updates during large valid fileUser sees progress or busy state
TC-UP-061Cancel mid-uploadNo completed file, UI reset cleanly
TC-UP-062Retry after failureSucceeds without duplicates beyond policy
TC-UP-063Disconnect network mid-uploadRecoverable error, no fake success
TC-UP-064Slow network completeEventually succeeds, no double entity
TC-UP-065Double click upload buttonSingle logical upload

These cases catch some of the worst "ghost attachment" bugs.

Drag-and-Drop Specific Cases

IDTitleExpected
TC-UP-070Highlight on drag overVisual affordance
TC-UP-071Drop valid fileAccepted like picker
TC-UP-072Drop invalid typeRejected with same rules
TC-UP-073Drop multiple when only single allowedReject or accept first per rule
TC-UP-074Drop folderRejected if folders unsupported
TC-UP-075Drop outside dropzoneNo unexpected upload
TC-UP-076Keyboard alternative existsUsers can upload without drag

Drag-and-drop must never be the only accessible path.

Filename and Metadata Cases

IDTitleFilename ideaExpected
TC-UP-080Spaces in namemy file.pdfAccepted, stored safely
TC-UP-081Unicode namerésumé.pdfAccepted, download name sane
TC-UP-082Very long name255+ charsRejected or truncated safely
TC-UP-083Path traversal name../../etc/passwd.pdfSanitized, no path escape
TC-UP-084Special charactersinvoice#1 (final).pdfSafe storage key
TC-UP-085Right-to-left override charstricky unicodeNo spoofed extension UI confusion

Filenames are an attack surface and a UX surface at once.

Security Test Cases for File Upload

Security deserves its own pack.

IDTitleExpected
TC-UP-090Unauthorized user upload API401/403, no storage
TC-UP-091Upload to another user's resource idRejected
TC-UP-092Download by non-ownerDenied
TC-UP-093Guessable sequential URLCannot access others' files
TC-UP-094Content-Disposition safe downloadNot executed inline if dangerous
TC-UP-095Stored XSS via filename on listing pageEscaped rendering
TC-UP-096Malicious content scanning pathQuarantine/reject per policy
TC-UP-097Oversize bomb / highly compressed archive if zip allowedRejected or resource protected
Filename traversal examples to attempt:
../../secret.pdf
..\\..\\secret.pdf
%2e%2e%2fsecret.pdf

Expected: stored object key is sanitized, file cannot escape storage root, download names remain safe.

Privacy, Permissions, and Lifecycle

IDTitleExpected
TC-UP-100Owner deletes fileFile no longer accessible
TC-UP-101After delete, old URL fails404 or denied
TC-UP-102Account deletion cascadeFiles removed or retained per policy
TC-UP-103Admin reviewer access for KYCAllowed with audit if required
TC-UP-104Support agent without permissionDenied

Upload testing is incomplete without download authorization testing.

Accessibility and Mobile Cases

IDTitleExpected
TC-UP-110File input has accessible nameScreen reader can identify control
TC-UP-111Error messages announcedFailures are perceivable
TC-UP-112Keyboard upload pathCan trigger picker and complete flow without mouse
TC-UP-113Focus after errorMoves to useful place
TC-UP-114Mobile camera capture if enabledCan capture and upload image
TC-UP-115Mobile file picker from gallerySucceeds for allowed types
TC-UP-116iOS/Android size quirksHEIC handling matches policy

HEIC images from iPhones are a classic production surprise when only desktop PNG/JPG were tested.

Async Processing and Status Cases

Many systems process uploads asynchronously (scan, transcode, thumbnail).

IDTitleExpected
TC-UP-120Status shows processingIntermediate state visible
TC-UP-121Processing successReady state, preview available
TC-UP-122Processing failureFailed state, retry guidance
TC-UP-123User navigates away during processingFinal state still consistent on return
TC-UP-124Webhook/worker delayNo false permanent failure before timeout policy

Test the state machine, not only the HTTP 200 on the initial upload.

API-Level Upload Cases

If APIs exist:

  • Missing auth header.
  • Wrong content type multipart boundary issues.
  • Extra fields / mass assignment.
  • Oversized body.
  • Uploading without required entity id.
  • Idempotency keys if supported.

UI may block bad types while API still accepts them. That gap is a defect for public APIs.

Prioritizing File Upload Suites

PriorityCases
P0Valid upload, disallowed type, oversize, required empty, owner download authz
P1Replace/delete, multi-file limits, cancel/retry, dimension limits, mobile happy path
P2Unicode filenames, drag-and-drop nuances, HEIC, async edge timing
P3Rare codec quirks, deep performance of huge batches

Automate P0 with fixtures in CI where possible.

Mapping Uploads into Larger Flows

Uploads often sit inside registration, KYC, support tickets, or profile completion. Connect cases to those flows. For example, registration may require an ID document later, while profile forms reuse text field rules from other suites such as test cases for a registration form.

End-to-end example:

  1. User registers.
  2. User uploads KYC PDF.
  3. Status becomes under review.
  4. Admin downloads securely.
  5. User cannot modify after lock if policy says so.

Common Mistakes When Writing Test Cases for File Upload

Mistake 1: Testing only one happy file on desktop Chrome

Misses type spoofing, mobile HEIC, and authz.

Mistake 2: Extension-only thinking

Real validation needs content awareness for security-sensitive apps.

Mistake 3: No size boundaries

Teams test a tiny file and a "big" file without exact limits.

Mistake 4: Trusting UI success without storage checks

Verify retrieval, metadata, and permissions.

Mistake 5: Ignoring delete and replace

Old file URLs and orphan objects create privacy and cost issues.

Mistake 6: Forgetting accessibility

Drag-and-drop only widgets exclude keyboard users.

Mistake 7: No cancel/disconnect cases

Real networks fail. Upload UX must fail honestly.

Mistake 8: Putting malware samples in shared repos casually

Follow security process and isolated environments.

Mistake 9: Vague expected results

"Error shown" is weak. State that file is not stored and previous file remains intact if replace failed.

Sample Starter Suite (Copy and Extend)

  1. TC-UP-001 Valid upload picker.
  2. TC-UP-002 Valid drag-and-drop.
  3. TC-UP-011 Disallowed type.
  4. TC-UP-015 Spoofed extension content mismatch if in scope.
  5. TC-UP-021 Exact max size.
  6. TC-UP-022 Over max size.
  7. TC-UP-023 Zero-byte rejected.
  8. TC-UP-004 Replace existing.
  9. TC-UP-061 Cancel mid-upload.
  10. TC-UP-092 Non-owner download denied.
  11. TC-UP-083 Path traversal filename sanitized.
  12. TC-UP-114 Mobile gallery upload.
  13. TC-UP-120 Processing status if async.
  14. TC-UP-112 Keyboard accessible path.

Fourteen solid cases already beat ad hoc clicking.

Defect Reporting Tips for Upload Failures

Include:

  • Exact filename, size, type, and hash if useful.
  • Browser/OS.
  • Whether failure was client or server message.
  • Network HAR snippet if possible.
  • Whether file appears in storage/admin.
  • Timestamp for async jobs.

Structure matters; use how to write a bug report so developers can reproduce binary issues quickly.

Automation Notes

Automation recipe:
1. Keep fixtures under version control (small files).
2. Use deterministic names and sizes.
3. Assert:
   - UI success/failure message or state
   - Resulting file list count
   - API metadata (content type, size)
   - Authorized GET succeeds
   - Unauthorized GET fails
4. Clean up uploaded objects after test.

Avoid asserting wall-clock upload duration tightly in CI. Assert completion and correctness.

Practice Drill

In one hour on a staging app with upload:

  1. Write the upload contract from observed UI copy.
  2. Build a fixture set of 8 files.
  3. Execute type matrix and size boundaries.
  4. Attempt non-owner access to a downloaded link.
  5. Produce 12 formal cases with priorities.
  6. List three open security questions for the team.

For repeated scenario design practice under timeboxes, try QABattle sign-up and convert battle notes into upload suites you can reuse at work.

Review Checklist

  • Allowed and disallowed types covered.
  • Size boundaries covered.
  • Zero-byte and corrupt files covered.
  • Multi-file and quota rules covered if present.
  • Drag-and-drop and picker both covered.
  • Cancel/retry/network failure covered.
  • Authz for upload and download covered.
  • Filename sanitization covered.
  • Mobile and accessibility covered.
  • Async processing states covered if relevant.
  • Fixtures documented and safe.
  • Expected results include storage and access outcomes.

Conclusion

Strong test cases for file upload protect usability, storage integrity, and security together. Start from a clear upload contract, build type and size matrices, verify progress and failure states, and always check what happens after the file lands: preview, download, permissions, replace, and delete. Client UI checks are necessary but not sufficient; server enforcement and authorization complete the story.

If your suite can prove that good files get in, bad files stay out, and only the right people can read what was stored, you have covered the heart of upload quality. Expand from that core into image dimensions, import parsing, virus scanning workflows, and mobile capture as your product requires.

FAQ

Questions testers ask

What are the most important test cases for file upload?

Prioritize valid supported file upload success, unsupported type rejection, size limit boundaries, required upload validation, replace and remove behaviors, virus or malware rejection if scanned, permission checks, and that the stored file is retrievable by the right user. Add progress, cancel, and multi-file cases when the UI supports them.

How do you test file type validation?

Test allowed extensions, disallowed extensions, double extensions like invoice.pdf.exe, mismatched MIME type versus extension, uppercase extensions, and files with no extension. Confirm both client and server reject unsafe types. Never trust extension-only checks as complete security validation.

How should maximum file size be tested?

Test exactly at the limit, one byte or realistic unit under the limit, and over the limit. Verify clear user messaging, no partial corrupt storage for rejected files, and consistent client and server enforcement. Also test multiple files against combined size limits if the product has them.

What security tests are needed for uploads?

Include malware sample policy in safe environments, scriptable content in images or SVG, path traversal filenames, oversized payloads, unauthorized upload endpoints, and download content-type handling. Ensure uploaded files are served with safe headers and are not executable in unintended contexts.

How do you test drag-and-drop uploads?

Drag valid files, invalid files, multiple files, folders if unsupported, and drop outside the target. Verify highlight states, same validation as file picker, keyboard alternative availability, and that drag-and-drop is not the only upload path for accessibility.

Can file upload tests be automated?

Yes for many cases. UI automation can attach fixtures for valid, oversized, and wrong-type files and assert messages and resulting file metadata. Virus scanning, real AV delays, and OS-level picker quirks may need special hooks or manual checks. Keep fixtures small and deterministic in CI.