[7.17] [Fleet] Improve file content type validation (#234551) (#235805)

# Backport

This will backport the following commits from `main` to `7.17`:
- [[Fleet] Improve file content type validation
(#234551)](#234551)

<!--- Backport version: 10.0.2 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Nicolas
Chaulet","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-09-12T06:54:00Z","message":"[Fleet]
Improve file content type validation
(#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","backport:all-open","v9.2.0","v9.1.4","v9.0.7","v8.18.7","v8.19.4"],"title":"[Fleet]
Improve file content type
validation","number":234551,"url":"https://github.com/elastic/kibana/pull/234551","mergeCommit":{"message":"[Fleet]
Improve file content type validation
(#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/234551","number":234551,"mergeCommit":{"message":"[Fleet]
Improve file content type validation
(#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11"}},{"branch":"9.1","label":"v9.1.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234858","number":234858,"state":"MERGED","mergeCommit":{"sha":"58abbcd799dc93168958a20fcfedc49bf8d5f14a","message":"[9.1]
[Fleet] Improve file content type validation (#234551) (#234858)\n\n#
Backport\n\nThis will backport the following commits from `main` to
`9.1`:\n- [[Fleet] Improve file content type
validation\n(#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Nicolas Chaulet
<[email protected]>"}},{"branch":"9.0","label":"v9.0.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234857","number":234857,"state":"MERGED","mergeCommit":{"sha":"194402574ce86aaa05cc273586b3f58dec2f84dc","message":"[9.0]
[Fleet] Improve file content type validation (#234551) (#234857)\n\n#
Backport\n\nThis will backport the following commits from `main` to
`9.0`:\n- [[Fleet] Improve file content type
validation\n(#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Nicolas Chaulet
<[email protected]>"}},{"branch":"8.18","label":"v8.18.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234855","number":234855,"state":"MERGED","mergeCommit":{"sha":"27b7abcc4c7c8c1b41156fc5de72289e8e114956","message":"[8.18]
[Fleet] Improve file content type validation (#234551) (#234855)\n\n#
Backport\n\nThis will backport the following commits from `main` to
`8.18`:\n- [[Fleet] Improve file content type
validation\n(#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Nicolas Chaulet
<[email protected]>"}},{"branch":"8.19","label":"v8.19.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234856","number":234856,"state":"MERGED","mergeCommit":{"sha":"59d4f3aab5abd4028170f611dd268147f69e0992","message":"[8.19]
[Fleet] Improve file content type validation (#234551) (#234856)\n\n#
Backport\n\nThis will backport the following commits from `main` to
`8.19`:\n- [[Fleet] Improve file content type
validation\n(#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Nicolas Chaulet <[email protected]>"}}]}] BACKPORT-->

Author: nchaulet

x-pack/plugins/fleet/server/routes/epm/handlers.ts

@@ -50,14 +50,39 @@ import {
   getInstallation,
 } from '../../services/epm/packages';
 import type { BulkInstallResponse } from '../../services/epm/packages';
-import { defaultIngestErrorHandler, ingestErrorToResponseOptions } from '../../errors';
+import {
+  defaultIngestErrorHandler,
+  ingestErrorToResponseOptions,
+  IngestManagerError,
+} from '../../errors';
 import { splitPkgKey } from '../../services/epm/registry';
 import { licenseService } from '../../services';
 import { getArchiveEntry } from '../../services/epm/archive/cache';
 import { getAsset } from '../../services/epm/archive/storage';
 import { getPackageUsageStats } from '../../services/epm/packages/get';
 import { updatePackage } from '../../services/epm/packages/update';
 
+const ALLOWED_MIME_TYPES = [
+  'image/svg+xml',
+  'image/jpeg',
+  'image/png',
+  'image/gif',
+  'application/json',
+  'application/yaml',
+  'text/plain',
+  'text/markdown',
+  'text/yaml',
+];
+
+function validateContentTypeIsAllowed(contentType: string) {
+  if (!ALLOWED_MIME_TYPES.includes(contentType.split(';')[0])) {
+    throw new IngestManagerError(
+      `File content type "${contentType}" is not allowed to be retrieved`,
+      400
+    );
+  }
+}
+
 export const getCategoriesHandler: FleetRequestHandler<
   undefined,
   TypeOf<typeof GetCategoriesRequestSchema.query>
@@ -152,6 +177,7 @@ export const getFileHandler: FleetRequestHandler<
           statusCode: 400,
         });
       }
+      validateContentTypeIsAllowed(contentType);
 
       return response.custom({
         body: buffer,
@@ -172,6 +198,11 @@ export const getFileHandler: FleetRequestHandler<
         return headers;
       }, {} as ResponseHeaders);
 
+      if (!proxiedHeaders['content-type'] || typeof proxiedHeaders['content-type'] !== 'string') {
+        throw new IngestManagerError(`unknown content type for file: ${filePath}`);
+      }
+      validateContentTypeIsAllowed(proxiedHeaders['content-type']);
+
       return response.custom({
         body: registryResponse.body,
         statusCode: registryResponse.status,