[Files Service] Additional validation for mime-type allowances (elastic#234828)

## Summary

Summarize your PR. If it involves visual changes include a screenshot or
gif.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- ~~[ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~
- ~~[ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials~~
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- ~~[ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~
- ~~[ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~~
- ~~[ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed~~~
- ~~[ ] The PR description includes the appropriate Release Notes
section, and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)~~
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit cf5e970)

# Conflicts:
#	src/platform/plugins/shared/files/server/routes/file_kind/create.ts
#	src/platform/plugins/shared/files/server/routes/file_kind/helpers.ts
#	src/platform/plugins/shared/files/server/routes/integration_tests/routes.test.ts
#	src/platform/plugins/shared/files/server/routes/public_facing/download.ts
#	src/platform/plugins/shared/files/tsconfig.json

Author: tsullivan

src/platform/plugins/shared/files/server/routes/common.test.ts

@@ -8,43 +8,29 @@
  */
 
 import type { File } from '../file';
-import { getDownloadHeadersForFile } from './common';
+import { getFileHttpResponseOptions } from './common';
 
 describe('getDownloadHeadersForFile', () => {
-  function expectHeaders({ contentType }: { contentType: string }) {
+  function expectResult({ contentType }: { contentType: string }) {
     return {
-      'content-type': contentType,
-      'cache-control': 'max-age=31536000, immutable',
+      fileContentType: contentType,
+      headers: {
+        'cache-control': 'max-age=31536000, immutable',
+      },
     };
   }
 
   const file = { data: { name: 'test', mimeType: undefined } } as unknown as File;
-  test('no mime type and name from file object', () => {
-    expect(getDownloadHeadersForFile({ file, fileName: undefined })).toEqual(
-      expectHeaders({ contentType: 'application/octet-stream' })
+  test('no mime type', () => {
+    expect(getFileHttpResponseOptions(file)).toEqual(
+      expectResult({ contentType: 'application/octet-stream' })
     );
   });
 
-  test('no mime type and name (without ext)', () => {
-    expect(getDownloadHeadersForFile({ file, fileName: 'myfile' })).toEqual(
-      expectHeaders({ contentType: 'application/octet-stream' })
-    );
-  });
-  test('no mime type and name (with ext)', () => {
-    expect(getDownloadHeadersForFile({ file, fileName: 'myfile.png' })).toEqual(
-      expectHeaders({ contentType: 'image/png' })
-    );
-  });
-  test('mime type and no name', () => {
-    const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File;
-    expect(getDownloadHeadersForFile({ file: fileWithMime, fileName: undefined })).toEqual(
-      expectHeaders({ contentType: 'application/pdf' })
-    );
-  });
-  test('mime type and name', () => {
+  test('mime type', () => {
     const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File;
-    expect(getDownloadHeadersForFile({ file: fileWithMime, fileName: 'a cool file.pdf' })).toEqual(
-      expectHeaders({ contentType: 'application/pdf' })
+    expect(getFileHttpResponseOptions(fileWithMime)).toEqual(
+      expectResult({ contentType: 'application/pdf' })
     );
   });
 });

src/platform/plugins/shared/files/server/routes/common.ts

@@ -7,20 +7,16 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import mime from 'mime';
-import type { ResponseHeaders } from '@kbn/core/server';
+import type { Readable } from 'stream';
+import type { FileHttpResponseOptions } from '@kbn/core-http-server';
 import type { File } from '../../common/types';
 
-interface Args {
-  file: File;
-  fileName?: string;
-}
-
-export function getDownloadHeadersForFile({ file, fileName }: Args): ResponseHeaders {
+export function getFileHttpResponseOptions(
+  file: File
+): Pick<FileHttpResponseOptions<Readable>, 'headers' | 'fileContentType'> {
   return {
-    'content-type':
-      (fileName && mime.getType(fileName)) ?? file.data.mimeType ?? 'application/octet-stream',
-    'cache-control': 'max-age=31536000, immutable',
+    fileContentType: file.data.mimeType ?? 'application/octet-stream',
+    headers: { 'cache-control': 'max-age=31536000, immutable' },
   };
 }
 

src/platform/plugins/shared/files/server/routes/file_kind/create.ts

@@ -13,7 +13,8 @@ import type { FileJSON, FileKind } from '../../../common/types';
 import { CreateRouteDefinition, FILES_API_ROUTES } from '../api_routes';
 import type { FileKindRouter } from './types';
 import * as commonSchemas from '../common_schemas';
-import { CreateHandler } from './types';
+import { validateMimeType } from './helpers';
+import type { CreateHandler } from './types';
 
 export const method = 'post' as const;
 
@@ -32,25 +33,33 @@ export type Endpoint<M = unknown> = CreateRouteDefinition<
   FilesClient['create']
 >;
 
-export const handler: CreateHandler<Endpoint> = async ({ core, fileKind, files }, req, res) => {
-  const [{ security }, { fileService }] = await Promise.all([core, files]);
-  const {
-    body: { name, alt, meta, mimeType },
-  } = req;
-  const user = security.authc.getCurrentUser();
-  const file = await fileService.asCurrentUser().create({
-    fileKind,
-    name,
-    alt,
-    meta,
-    user: user ? { name: user.username, id: user.profile_uid } : undefined,
-    mime: mimeType,
-  });
-  const body: Endpoint['output'] = {
-    file: file.toJSON(),
+const createHandler =
+  (fileKindDefinition: FileKind): CreateHandler<Endpoint> =>
+  async ({ core, fileKind, files }, req, res) => {
+    const [{ security }, { fileService }] = await Promise.all([core, files]);
+    const {
+      body: { name, alt, meta, mimeType },
+    } = req;
+    const user = security.authc.getCurrentUser();
+
+    const invalidResponse = validateMimeType(mimeType, fileKindDefinition);
+    if (invalidResponse) {
+      return invalidResponse;
+    }
+
+    const file = await fileService.asCurrentUser().create({
+      fileKind,
+      name,
+      alt,
+      meta,
+      user: user ? { name: user.username, id: user.profile_uid } : undefined,
+      mime: mimeType,
+    });
+    const body: Endpoint['output'] = {
+      file: file.toJSON(),
+    };
+    return res.ok({ body });
   };
-  return res.ok({ body });
-};
 
 export function register(fileKindRouter: FileKindRouter, fileKind: FileKind) {
   if (fileKind.http.create) {
@@ -66,7 +75,7 @@ export function register(fileKindRouter: FileKindRouter, fileKind: FileKind) {
           },
         },
       },
-      handler
+      createHandler(fileKind)
     );
   }
 }

src/platform/plugins/shared/files/server/routes/file_kind/download.ts

@@ -13,8 +13,8 @@ import type { FilesClient } from '../../../common/files_client';
 import type { FileKind } from '../../../common/types';
 import { fileNameWithExt } from '../common_schemas';
 import { fileErrors } from '../../file';
-import { getDownloadHeadersForFile, getDownloadedFileName } from '../common';
-import { getById } from './helpers';
+import { getFileHttpResponseOptions, getDownloadedFileName } from '../common';
+import { getById, validateFileNameExtension } from './helpers';
 import type { CreateHandler, FileKindRouter } from './types';
 import { CreateRouteDefinition, FILES_API_ROUTES } from '../api_routes';
 
@@ -36,14 +36,23 @@ export const handler: CreateHandler<Endpoint> = async ({ files, fileKind }, req,
   const {
     params: { id, fileName },
   } = req;
+
   const { error, result: file } = await getById(fileService.asCurrentUser(), id, fileKind);
   if (error) return error;
+
   try {
+    const invalidExtensionResponse = validateFileNameExtension(fileName, file);
+    if (invalidExtensionResponse) {
+      return invalidExtensionResponse;
+    }
+
     const body: Response = await file.downloadContent();
+    const fileHttpResponseOptions = getFileHttpResponseOptions(file);
+
     return res.file({
       body,
       filename: fileName ?? getDownloadedFileName(file),
-      headers: getDownloadHeadersForFile({ file, fileName }),
+      ...fileHttpResponseOptions,
     });
   } catch (e) {
     if (e instanceof fileErrors.NoDownloadAvailableError) {

src/platform/plugins/shared/files/server/routes/file_kind/helpers.test.ts

@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { IKibanaResponse } from '@kbn/core/server';
+import type { File, FileJSON, FileKind } from '../../../common';
+import { validateFileNameExtension, validateMimeType } from './helpers';
+
+describe('helpers', () => {
+  describe('validateMimeType', () => {
+    const createFileKind = (allowedMimeTypes?: string[]): FileKind => ({
+      id: 'test-file-kind',
+      allowedMimeTypes,
+      http: {
+        create: { requiredPrivileges: [] },
+        download: { requiredPrivileges: [] },
+      },
+    });
+
+    it('should return undefined when fileKind has empty allowedMimeTypes array', () => {
+      const fileKind = createFileKind([]);
+      const result = validateMimeType('image/png', fileKind);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when mimeType is in allowedMimeTypes', () => {
+      const fileKind = createFileKind(['image/png', 'image/jpeg']);
+      const result = validateMimeType('image/png', fileKind);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return bad request response when mimeType is not in allowedMimeTypes', () => {
+      const fileKind = createFileKind(['image/png', 'image/jpeg']);
+      const result = validateMimeType('application/pdf', fileKind);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+      expect((result as IKibanaResponse).payload).toEqual({
+        message: 'File type is not supported',
+      });
+    });
+
+    it('should be case sensitive for mime type validation', () => {
+      const fileKind = createFileKind(['image/png']);
+      const result = validateMimeType('Image/PNG', fileKind);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+    });
+  });
+
+  describe('validateFileNameExtension', () => {
+    const createFile = (mimeType?: string) =>
+      ({
+        id: 'test-file',
+        data: {
+          id: 'test-file',
+          name: 'test-file',
+          mimeType,
+          extension: 'txt',
+          fileKind: 'test',
+        } as FileJSON,
+      } as File);
+
+    it('should return undefined when fileName is undefined', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension(undefined, file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when file is undefined', () => {
+      const result = validateFileNameExtension('test.png', undefined);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when file has no mimeType', () => {
+      const file = createFile();
+      const result = validateFileNameExtension('test.png', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when fileName has no extension', () => {
+      const file = createFile('text/plain');
+      const result = validateFileNameExtension('README', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should return undefined when extension matches expected extension', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension('image.png', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should handle mime types with no known extensions', () => {
+      const file = createFile('application/x-custom-type');
+      const result = validateFileNameExtension('file.custom', file);
+
+      // Should return undefined since there are no expected extensions for this mime type
+      expect(result).toBeUndefined();
+    });
+
+    it('should handle file names with special characters', () => {
+      const file = createFile('text/plain');
+
+      expect(validateFileNameExtension('[email protected]', file)).toBeUndefined();
+      expect(validateFileNameExtension('файл.txt', file)).toBeUndefined(); // Unicode filename
+      expect(validateFileNameExtension('file with spaces.txt', file)).toBeUndefined();
+    });
+
+    it('should trim whitespace from mime type before validation', () => {
+      const file = createFile('  text/plain  ');
+      const result = validateFileNameExtension('test.txt', file);
+      expect(result).toBeUndefined();
+    });
+
+    it('should be case insensitive for file extensions', () => {
+      const file = createFile('image/png');
+
+      expect(validateFileNameExtension('image.PNG', file)).toBeUndefined();
+      expect(validateFileNameExtension('image.Png', file)).toBeUndefined();
+      expect(validateFileNameExtension('image.pNG', file)).toBeUndefined();
+    });
+
+    it('should return bad request when extension does not match mime type', () => {
+      const file = createFile('image/png');
+      const result = validateFileNameExtension('document.pdf', file);
+
+      expect(result).toBeDefined();
+      expect((result as IKibanaResponse).status).toBe(400);
+      expect((result as IKibanaResponse).payload).toEqual({
+        message: 'File extension does not match file type',
+      });
+    });
+  });
+});