Minor cleanup

Author: tsullivan

src/platform/plugins/shared/files/server/routes/file_kind/helpers.ts

@@ -24,7 +24,7 @@ type ResultOrHttpError =
 export async function getById(
   fileService: FileServiceStart,
   id: string,
-  fileKind: string
+  _fileKind: string
 ): Promise<ResultOrHttpError> {
   let result: undefined | File;
   try {
@@ -57,7 +57,6 @@ export function validateMimeType(
   }
 
   const allowedMimeTypes = fileKind.allowedMimeTypes;
-
   if (!allowedMimeTypes || allowedMimeTypes.length === 0) {
     return;
   }

src/platform/plugins/shared/files/server/routes/file_kind/integration_tests/file_kind_http.test.ts

@@ -488,26 +488,6 @@ describe('File kind HTTP API', () => {
 
       expect(result.body.file.mimeType).toBeUndefined();
     });
-
-    test('should not leak information about allowed MIME types in error messages', async () => {
-      const result = await request
-        .post(root, `/api/files/files/${fileKind}`)
-        .set('x-elastic-internal-origin', 'files-test')
-        .send({
-          name: 'archive.zip',
-          mimeType: 'application/zip',
-          alt: 'zip archive',
-          meta: {},
-        })
-        .expect(400);
-
-      // Should not reveal which MIME types are allowed
-      expect(result.body.message).toBe('File type is not supported');
-      expect(result.body.message).not.toContain('image/png');
-      expect(result.body.message).not.toContain('image/jpeg');
-      expect(result.body.message).not.toContain('application/pdf');
-      expect(result.body.message).not.toContain('test-file-kind');
-    });
   });
 
   describe('file extension validation on download', () => {
@@ -517,7 +497,6 @@ describe('File kind HTTP API', () => {
         mimeType: 'image/png',
       });
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -547,7 +526,6 @@ describe('File kind HTTP API', () => {
         .send('image data')
         .expect(200);
 
-      // Download with correct extension should work
       const result = await request
         .get(root, `/api/files/files/${fileKind}/${id}/blob/image.png`)
         .set('x-elastic-internal-origin', 'files-test')
@@ -620,29 +598,5 @@ describe('File kind HTTP API', () => {
         .set('x-elastic-internal-origin', 'files-test')
         .expect(200);
     });
-
-    test('should not leak information about expected extensions in error messages', async () => {
-      const { id } = await createFile({
-        name: 'document.pdf',
-        mimeType: 'application/pdf',
-      });
-
-      await request
-        .put(root, `/api/files/files/${fileKind}/${id}/blob`)
-        .set('Content-Type', 'application/octet-stream')
-        .set('x-elastic-internal-origin', 'files-test')
-        .send('pdf content')
-        .expect(200);
-
-      const result = await request
-        .get(root, `/api/files/files/${fileKind}/${id}/blob/document.txt`)
-        .set('x-elastic-internal-origin', 'files-test')
-        .expect(400);
-
-      // Should not reveal which extensions are expected
-      expect(result.body.message).toBe('File extension does not match file type');
-      expect(result.body.message).not.toContain('pdf');
-      expect(result.body.message).not.toContain('application/pdf');
-    });
   });
 });

src/platform/plugins/shared/files/server/routes/integration_tests/routes.test.ts

@@ -360,7 +360,7 @@ describe('File HTTP API', () => {
         .expect(200);
 
       const { body: buffer, header } = await request
-        // By providing a file name like "myfilename.pdf" we imply that we want a pdf
+        // "myfilename.pdf" has a mime type that matches the metadata
         .get(root, `/api/files/public/blob/myfilename.pdf?token=${token}`)
         .set('x-elastic-internal-origin', 'files-test')
         .buffer()
@@ -377,7 +377,6 @@ describe('File HTTP API', () => {
         mimeType: 'application/pdf',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -386,7 +385,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -409,7 +407,6 @@ describe('File HTTP API', () => {
         mimeType: 'image/png',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -418,7 +415,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -444,7 +440,6 @@ describe('File HTTP API', () => {
         mimeType: 'text/plain',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -453,7 +448,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -468,8 +462,6 @@ describe('File HTTP API', () => {
         .buffer()
         .expect(200);
 
-      // Content-type comes from stored file MIME type, not URL filename
-      // Should be either the stored MIME type or default fallback - but never from URL filename
       expect(['text/plain', 'text/plain; charset=utf-8', 'application/octet-stream']).toContain(
         header['content-type']
       );
@@ -482,7 +474,6 @@ describe('File HTTP API', () => {
         mimeType: 'image/jpeg',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -491,7 +482,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -517,7 +507,6 @@ describe('File HTTP API', () => {
         mimeType: 'text/plain',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -526,7 +515,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -542,8 +530,6 @@ describe('File HTTP API', () => {
         .buffer()
         .expect(200);
 
-      // Content-type comes from stored file MIME type, not URL filename
-      // Note: Text files may include charset information
       expect(response.header['content-type']).toMatch(/^text\/plain(; charset=utf-8)?$/);
 
       // For text content with .buffer(), use response.text instead of response.body
@@ -563,7 +549,6 @@ describe('File HTTP API', () => {
         mimeType: 'application/json',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -572,7 +557,6 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
@@ -592,13 +576,12 @@ describe('File HTTP API', () => {
       expect(result.body.message).not.toContain('application/json');
     });
 
-    test('prevents MIME type manipulation through URL filename (security fix)', async () => {
+    test('prevents MIME type manipulation through URL filename', async () => {
       const { id } = await createFile({
         name: 'safe-document.pdf',
         mimeType: 'application/pdf',
       });
 
-      // Share the file
       const {
         body: { token },
       } = await request
@@ -607,31 +590,18 @@ describe('File HTTP API', () => {
         .send({})
         .expect(200);
 
-      // Upload content
       await request
         .put(root, `/api/files/files/${fileKind}/${id}/blob`)
         .set('Content-Type', 'application/octet-stream')
         .set('x-elastic-internal-origin', 'files-test')
         .send('PDF content')
         .expect(200);
 
-      // Security layer 1: Extension validation blocks dangerous mismatched downloads
+      // Extension validation blocks dangerous mismatched downloads
       await request
         .get(root, `/api/files/public/blob/malicious-script.html?token=${token}`)
         .set('x-elastic-internal-origin', 'files-test')
         .expect(400); // Correctly blocked!
-
-      // Security layer 2: When download is allowed, MIME type comes from server, not URL
-      const { body: buffer, header } = await request
-        .get(root, `/api/files/public/blob/document.pdf?token=${token}`)
-        .set('x-elastic-internal-origin', 'files-test')
-        .buffer()
-        .expect(200);
-
-      // Content-type comes from stored file MIME type, never from URL filename
-      expect(header['content-type']).toEqual('application/pdf');
-      expect(header['content-disposition']).toEqual('attachment; filename=document.pdf');
-      expect(buffer.toString('utf8')).toEqual('PDF content');
     });
   });
 });

src/platform/plugins/shared/files/server/test_utils/setup_integration_environment.ts

@@ -100,7 +100,6 @@ export async function setupIntegrationEnvironment() {
   const testHttpConfig = { requiredPrivileges: ['myapp'] };
   const myFileKind = {
     id: fileKind,
-    // Allow MIME types used in existing tests, so we can test validation with forbidden types
     allowedMimeTypes: [
       'image/png',
       'image/jpeg',