Any U+202E RIGHT-TO-LEFT OVERRIDE (and similar) symbols in file names of uploaded files are not stripped from the file name, causing potentially malicious executables to look like harmless images, for example. This might trick HackerOne panel members into accidentally opening evil h4x0r filez.
I’ve attached two files:
- insane_in_the_cort[RLO]3pm.exe, which gets rendered as insane_in_the_cortexe.mp3, making it look like a harmless mp3 file of a well-known Cypress Hill song.
- po[RLO]gnp.app, which gets rendered as poppa.png, as if it was just a PNG image.
I’ve also attached a screenshot showing what it looks like after uploading the files.
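As an added illustration (not code from the report or from HackerOne), the snippet below shows the check a file-upload handler would run: it detects Unicode bidi control characters in a name, strips them so the stored name matches what is displayed, and derives the real extension from the sanitized name rather than from the rendered one. The displayed_name() helper only models a single U+202E in an otherwise ASCII name, which is all the two sample files above need; it is not the full Unicode bidi algorithm, and the sample names are constructed to match the report.

```python
# Unicode bidi control characters that can reorder displayed text.
# U+202A..U+202E are embedding/override controls (U+202E is RLO),
# U+2066..U+2069 are the isolate controls, U+200E/U+200F are the marks.
BIDI_CONTROLS = frozenset(
    [chr(c) for c in range(0x202A, 0x202F)]
    + [chr(c) for c in range(0x2066, 0x206A)]
    + ["\u200e", "\u200f"]
)


def has_bidi_controls(name: str) -> bool:
    """True if the file name contains any bidi override/embedding control."""
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name: str) -> str:
    """Remove every bidi control so the stored name and the rendered name agree."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension the OS will actually use, taken from the sanitized logical name."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Model of how a viewer renders a name with one RLO: text after U+202E is
    drawn right-to-left, i.e. reversed. Simplified model for ASCII names only."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def audit(names):
    """Per file: (sanitized name, rendered name, real extension, flagged?)."""
    return [
        (strip_bidi_controls(n), displayed_name(n), real_extension(n), has_bidi_controls(n))
        for n in names
    ]


# Constructed samples reproducing the two files described in the report.
SAMPLES = ["insane_in_the_cort\u202e3pm.exe", "po\u202egnp.app", "notes.txt"]

if __name__ == "__main__":
    for stored, shown, ext, flagged in audit(SAMPLES):
        print(f"stored={stored!r} shown={shown!r} ext={ext} flagged={flagged}")
```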