Because I did JPEG and GIF I just had to check out the PNG format.
A PNG file is composed of multiple chunks.
One of the optional ancillary chunks is called zTXt.
This chunk allows storage of compressed text data using the zlib library.
From the zlib tech details:
"The test case was a 50MB file filled with zeros; it compressed to roughly 49 KB"
I used this to store a huge amount of data in a small PNG (smaller than 1 MB). When sent to HackerOne the service timed out. I think it's because Paperclip tried to convert my image again.
As an attachment I sent the Python code I made to create the PNG, and the PNG itself. Usage: python createpng.py filename
For an easy fix every PNG file with the string "zTXt" in it should be rejected. Other data chunks may be exploitable, but I haven't looked into them yet. When this bug is fixed I will continue my research.
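The string-match fix above is cheap but coarse: it also rejects any PNG that happens to contain the four bytes "zTXt" anywhere, and it does nothing about the other chunk types that carry zlib streams (iTXt and iCCP use the same mechanism). A more precise check, added here as an example and not part of the original report or of HackerOne's or Paperclip's code, walks the chunk list, verifies each chunk's length and CRC, and inflates any compressed text or profile payload under a hard output cap, so a stream that would expand past the cap is rejected before the image is handed to the converter. The 1 MiB cap, the `check_png` name and the small PNG builder used to construct the sample inputs are assumptions for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_INFLATED_BYTES = 1 << 20  # assumed policy: no single inflated chunk may exceed 1 MiB


def iter_chunks(data):
    """Yield (type, body) for each chunk, validating signature, lengths and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:  # PNG spec caps chunk length at 2^31-1
            raise ValueError("chunk length exceeds PNG limit")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk body")
        body = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) != crc:  # PNG CRC covers type + data
            raise ValueError("bad CRC on %r chunk" % ctype)
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return


def compressed_payload(ctype, body):
    """Return the zlib stream carried by zTXt/iCCP/iTXt, or None if the chunk is not compressed."""
    if ctype in (b"zTXt", b"iCCP"):        # keyword\0 method(1) stream
        sep = body.index(b"\0")
        if body[sep + 1] != 0:
            raise ValueError("unknown compression method in %r" % ctype)
        return body[sep + 2:]
    if ctype == b"iTXt":                   # keyword\0 flag(1) method(1) lang\0 tkeyword\0 text
        sep = body.index(b"\0")
        cflag, method = body[sep + 1], body[sep + 2]
        rest = body[sep + 3:]
        lang_end = rest.index(b"\0")
        tk_end = rest.index(b"\0", lang_end + 1)
        if cflag == 1:
            if method != 0:
                raise ValueError("unknown compression method in iTXt")
            return rest[tk_end + 1:]
    return None


def inflate_with_cap(stream, limit):
    """Inflate at most limit bytes; reject streams that would produce more or that end early."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)  # ask for one byte more than allowed
    if len(out) > limit:
        raise ValueError("inflated size exceeds cap of %d bytes" % limit)
    if not d.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return out


def check_png(data, limit=MAX_INFLATED_BYTES):
    """Return (ok, reason); ok is False for bombs, bad CRCs and malformed chunks."""
    try:
        for ctype, body in iter_chunks(data):
            stream = compressed_payload(ctype, body)
            if stream is not None:
                inflate_with_cap(stream, limit)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed sample inputs (not real uploads) -------------------------

def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def ztxt_chunk(keyword, text):
    """Build a zTXt chunk: keyword, null separator, method 0, zlib stream."""
    return b"zTXt", keyword + b"\0" + b"\x00" + zlib.compress(text)


def make_png(extra_chunks=()):
    """Minimal 1x1 8-bit grayscale PNG with optional chunks inserted after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    chunks = [make_chunk(b"IHDR", ihdr)]
    chunks += [make_chunk(t, b) for t, b in extra_chunks]
    chunks += [make_chunk(b"IDAT", idat), make_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    print(check_png(make_png([ztxt_chunk(b"Comment", b"hello")])))
    print(check_png(make_png([ztxt_chunk(b"Comment", b"\x00" * (8 << 20))])))
```

Running the block checks a benign PNG with a five-byte comment and one whose zTXt chunk inflates to 8 MiB; the second is refused after inflating only the first 1 MiB plus one byte, so the check itself is not vulnerable to the expansion it guards against. If you want exactly the fix the report proposes, the equivalent in this structure is to reject as soon as `iter_chunks` yields a `zTXt` type, which avoids the false positives of a raw substring search.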