[Files Service] Additional validation for mime-type allowances

src/platform/plugins/shared/files/server/routes/common.test.ts

@@ -30,21 +30,35 @@ describe('getDownloadHeadersForFile', () => {
       expectHeaders({ contentType: 'application/octet-stream' })
     );
   });
-  test('no mime type and name (with ext)', () => {
+
+  test('no mime type and name (with ext) - secure: ignores filename extension', () => {
     expect(getDownloadHeadersForFile({ file, fileName: 'myfile.png' })).toEqual(
-      expectHeaders({ contentType: 'image/png' })
+      expectHeaders({ contentType: 'application/octet-stream' })
     );
   });
+
   test('mime type and no name', () => {
     const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File;
     expect(getDownloadHeadersForFile({ file: fileWithMime, fileName: undefined })).toEqual(
       expectHeaders({ contentType: 'application/pdf' })
     );
   });
-  test('mime type and name', () => {
+
+  test('mime type and name - secure: uses stored mime type, ignores filename', () => {
     const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File;
-    expect(getDownloadHeadersForFile({ file: fileWithMime, fileName: 'a cool file.pdf' })).toEqual(
+    expect(getDownloadHeadersForFile({ file: fileWithMime, fileName: 'malicious.html' })).toEqual(
       expectHeaders({ contentType: 'application/pdf' })
     );
   });
+
+  test('security: prevents MIME type manipulation via filename extension', () => {
+    // Scenario: Attacker uploads legitimate file but tries to serve it as HTML for XSS
+    const imageFile = { data: { ...file.data, mimeType: 'image/png' } } as File;
+
+    // Attacker tries to download with .html extension to trigger XSS
+    const result = getDownloadHeadersForFile({ file: imageFile, fileName: 'script.html' });
+
+    // Security fix: Should use stored MIME type, NOT filename extension
+    expect(result['content-type']).toBe('image/png'); // NOT text/html!
+  });
 });

src/platform/plugins/shared/files/server/routes/common.ts

@@ -7,7 +7,6 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import mime from 'mime';
 import type { ResponseHeaders } from '@kbn/core/server';
 import type { File } from '../../common/types';
 
@@ -18,8 +17,7 @@ interface Args {
 
 export function getDownloadHeadersForFile({ file, fileName }: Args): ResponseHeaders {
   return {
-    'content-type':
-      (fileName && mime.getType(fileName)) ?? file.data.mimeType ?? 'application/octet-stream',
+    'content-type': file.data.mimeType ?? 'application/octet-stream',
     'cache-control': 'max-age=31536000, immutable',
   };
 }

src/platform/plugins/shared/files/server/routes/file_kind/create.ts

@@ -14,6 +14,7 @@ import type { CreateRouteDefinition } from '../api_routes';
 import { FILES_API_ROUTES } from '../api_routes';
 import type { FileKindRouter } from './types';
 import * as commonSchemas from '../common_schemas';
+import { validateMimeType } from './helpers';
 import type { CreateHandler } from './types';
 
 export const method = 'post' as const;
@@ -33,25 +34,33 @@ export type Endpoint<M = unknown> = CreateRouteDefinition<
   FilesClient['create']
 >;
 
-export const handler: CreateHandler<Endpoint> = async ({ core, fileKind, files }, req, res) => {
-  const [{ security }, { fileService }] = await Promise.all([core, files]);
-  const {
-    body: { name, alt, meta, mimeType },
-  } = req;
-  const user = security.authc.getCurrentUser();
-  const file = await fileService.asCurrentUser().create({
-    fileKind,
-    name,
-    alt,
-    meta,
-    user: user ? { name: user.username, id: user.profile_uid } : undefined,
-    mime: mimeType,
-  });
-  const body: Endpoint['output'] = {
-    file: file.toJSON(),
+const createHandler =
+  (fileKindDefinition: FileKind): CreateHandler<Endpoint> =>
+  async ({ core, fileKind, files }, req, res) => {
+    const [{ security }, { fileService }] = await Promise.all([core, files]);
+    const {
+      body: { name, alt, meta, mimeType },
+    } = req;
+    const user = security.authc.getCurrentUser();
+
+    const invalidResponse = validateMimeType(mimeType, fileKindDefinition);
+    if (invalidResponse) {
+      return invalidResponse;
+    }
+
+    const file = await fileService.asCurrentUser().create({
+      fileKind,
+      name,
+      alt,
+      meta,
+      user: user ? { name: user.username, id: user.profile_uid } : undefined,
+      mime: mimeType,
+    });
+    const body: Endpoint['output'] = {
+      file: file.toJSON(),
+    };
+    return res.ok({ body });
   };
-  return res.ok({ body });
-};
 
 export function register(fileKindRouter: FileKindRouter, fileKind: FileKind) {
   if (fileKind.http.create) {
@@ -67,7 +76,7 @@ export function register(fileKindRouter: FileKindRouter, fileKind: FileKind) {
           },
         },
       },
-      handler
+      createHandler(fileKind)
     );
   }
 }

src/platform/plugins/shared/files/server/routes/file_kind/download.ts

@@ -14,7 +14,7 @@ import type { FileKind } from '../../../common/types';
 import { fileNameWithExt } from '../common_schemas';
 import { fileErrors } from '../../file';
 import { getDownloadHeadersForFile, getDownloadedFileName } from '../common';
-import { getById } from './helpers';
+import { getById, validateFileNameExtension } from './helpers';
 import type { CreateHandler, FileKindRouter } from './types';
 import type { CreateRouteDefinition } from '../api_routes';
 import { FILES_API_ROUTES } from '../api_routes';
@@ -37,9 +37,16 @@ export const handler: CreateHandler<Endpoint> = async ({ files, fileKind }, req,
   const {
     params: { id, fileName },
   } = req;
+
   const { error, result: file } = await getById(fileService.asCurrentUser(), id, fileKind);
   if (error) return error;
+
   try {
+    const invalidExtensionResponse = validateFileNameExtension(fileName, file);
+    if (invalidExtensionResponse) {
+      return invalidExtensionResponse;
+    }
+
     const body: Response = await file.downloadContent();
     return res.file({
       body,

src/platform/plugins/shared/files/server/routes/file_kind/helpers.test.ts

@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { IKibanaResponse } from '@kbn/core/server';
+import type { File, FileJSON, FileKind } from '../../../common';
+import { validateFileNameExtension, validateMimeType } from './helpers';
+
+describe('helpers', () => {
+  describe('validateMimeType', () => {
+    const createFileKind = (allowedMimeTypes?: string[]): FileKind => ({
+      id: 'test-file-kind',
+      allowedMimeTypes,
+      http: {
+        create: { requiredPrivileges: [] },
+        download: { requiredPrivileges: [] },
+      },
+    });
+
+    it('should return undefined when fileKind has empty allowedMimeTypes array', () => {
+      const fileKind = createFileKind([]);
+      const result = validateMimeType('image/png', fileKind);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when mimeType is in allowedMimeTypes', () => {
+      const fileKind = createFileKind(['image/png', 'image/jpeg']);
+      const result = validateMimeType('image/png', fileKind);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return bad request response when mimeType is not in allowedMimeTypes', () => {
+      const fileKind = createFileKind(['image/png', 'image/jpeg']);
+      const result = validateMimeType('application/pdf', fileKind);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+      expect((result as IKibanaResponse).payload).toEqual({
+        message: 'File type is not supported',
+      });
+    });
+
+    it('should be case sensitive for mime type validation', () => {
+      const fileKind = createFileKind(['image/png']);
+      const result = validateMimeType('Image/PNG', fileKind);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+    });
+  });
+
+  describe('validateFileNameExtension', () => {
+    const createFile = (mimeType?: string) =>
+      ({
+        id: 'test-file',
+        data: {
+          id: 'test-file',
+          name: 'test-file',
+          mimeType,
+          extension: 'txt',
+          fileKind: 'test',
+        } as FileJSON,
+      } as File);
+
+    it('should return undefined when fileName is undefined', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension(undefined, file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when file is undefined', () => {
+      const result = validateFileNameExtension('test.png', undefined);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when file has no mimeType', () => {
+      const file = createFile();
+      const result = validateFileNameExtension('test.png', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when fileName has no extension', () => {
+      const file = createFile('text/plain');
+      const result = validateFileNameExtension('README', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when extension matches expected extension', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension('image.png', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should handle mime types with no known extensions', () => {
+      const file = createFile('application/x-custom-type');
+      const result = validateFileNameExtension('file.custom', file);
+
+      // Should return undefined since there are no expected extensions for this mime type
+      expect(result).toBeUndefined();
+    });
+
+    it('should handle file names with special characters', () => {
+      const file = createFile('text/plain');
+
+      expect(validateFileNameExtension('[email protected]', file)).toBeUndefined();
+      expect(validateFileNameExtension('файл.txt', file)).toBeUndefined(); // Unicode filename
+      expect(validateFileNameExtension('file with spaces.txt', file)).toBeUndefined();
+    });
+
+    it('should trim whitespace from mime type before validation', () => {
+      const file = createFile('  text/plain  ');
+      const result = validateFileNameExtension('test.txt', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should be case insensitive for file extensions', () => {
+      const file = createFile('image/png');
+
+      expect(validateFileNameExtension('image.PNG', file)).toBeUndefined();
+      expect(validateFileNameExtension('image.Png', file)).toBeUndefined();
+      expect(validateFileNameExtension('image.pNG', file)).toBeUndefined();
+    });
+
+    it('should return bad request when extension does not match mime type', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension('document.pdf', file);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+      expect((result as IKibanaResponse).payload).toEqual({
+        message: 'File extension does not match file type',
+      });
+    });
+  });
+});

src/platform/plugins/shared/files/server/routes/file_kind/helpers.ts

@@ -9,7 +9,8 @@
 
 import type { IKibanaResponse } from '@kbn/core/server';
 import { kibanaResponseFactory } from '@kbn/core/server';
-import type { File } from '../../../common';
+import mimeTypes from 'mime-types';
+import type { File, FileKind } from '../../../common';
 import type { FileServiceStart } from '../../file_service';
 import { errors } from '../../file_service';
 
@@ -40,3 +41,73 @@ export async function getById(
 
   return { result };
 }
+
+/**
+ * Validate file kind restrictions on a provided MIME type
+ * @param mimeType The MIME type to validate
+ * @param fileKind The file kind definition that may contain restrictions
+ * @returns `undefined` if the MIME type is valid or there are no restrictions.
+ */
+export function validateMimeType(
+  mimeType: string | undefined,
+  fileKind: FileKind | undefined
+): undefined | IKibanaResponse {
+  if (!mimeType || !fileKind) {
+    return;
+  }
+
+  const allowedMimeTypes = fileKind.allowedMimeTypes;
+
+  if (!allowedMimeTypes || allowedMimeTypes.length === 0) {
+    return;
+  }
+
+  if (!allowedMimeTypes.includes(mimeType)) {
+    return kibanaResponseFactory.badRequest({
+      body: {
+        message: `File type is not supported`,
+      },
+    });
+  }
+}
+
+/**
+ * Validate file name extension matches the file's MIME type
+ * @param fileName The file name to validate
+ * @param file
+ * @returns `undefined` if the extension matches the MIME type or if no MIME type is provided.
+ */
+export function validateFileNameExtension(
+  fileName: string | undefined,
+  file: File | undefined
+): undefined | IKibanaResponse {
+  if (!fileName || !file || !file.data.mimeType) {
+    return;
+  }
+
+  const fileMimeType = file.data.mimeType.trim();
+  if (!fileMimeType) {
+    return;
+  }
+
+  // Extract file extension (handle cases with multiple dots)
+  const lastDotIndex = fileName.lastIndexOf('.');
+  if (lastDotIndex === -1) {
+    // No extension found - this might be intentional for some file types
+    return;
+  }
+
+  const fileExtension = fileName.substring(lastDotIndex + 1).toLowerCase();
+  if (!fileExtension) {
+    return;
+  }
+
+  const expectedExtensions = mimeTypes.extensions[fileMimeType];
+  if (expectedExtensions && !expectedExtensions.includes(fileExtension)) {
+    return kibanaResponseFactory.badRequest({
+      body: {
+        message: `File extension does not match file type`,
+      },
+    });
+  }
+}