Even if you manage to invoke file in a safe manner, you probably shouldn't. The file utility isn't isn't immune to security issues either. A quick google found at least 3 different CVSs from 2014 only. Don't expose stuff that wasn't designed with a hostile Internet in mind, to a hostile Internet. Anyway, if file says it's a png file, it doesn't mean it's a _safe_ png file.
A paranoid (or sensible, depending on how juicy a target you are) way to handle it is to isolate the thing that verifies the file in some kind of sandbox, either a container or full VM with no access to anything. Pass the file to it and accept nothing back except raw pixel data. On the outside you re-encode it as a .png and pass that along to you users. Afterwards, assume the sandbox is full of nasties. Nuke it from orbit.