Do not allow users to upload any file type, without any restrictions on file size or type. An attacker could potentially upload a malicious image file.

I tested by uploading QR code image, pdf etc. generated here: https://canarytokens.org/generate