Skip to content

Commit 70c8e8d

Browse files
nchauletnchaulet
authored
[7.17] [Fleet] Improve file content type validation (elastic#234551) (elastic#235805)
# Backport This will backport the following commits from `main` to `7.17`: - [[Fleet] Improve file content type validation (elastic#234551)](elastic#234551) <!--- Backport version: 10.0.2 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Nicolas Chaulet","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-09-12T06:54:00Z","message":"[Fleet] Improve file content type validation (elastic#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","backport:all-open","v9.2.0","v9.1.4","v9.0.7","v8.18.7","v8.19.4"],"title":"[Fleet] Improve file content type validation","number":234551,"url":"https://github.com/elastic/kibana/pull/234551","mergeCommit":{"message":"[Fleet] Improve file content type validation (elastic#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/234551","number":234551,"mergeCommit":{"message":"[Fleet] Improve file content type validation (elastic#234551)","sha":"0c5ab7ec467579bbe9c1feb5007efa811487db11"}},{"branch":"9.1","label":"v9.1.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234858","number":234858,"state":"MERGED","mergeCommit":{"sha":"58abbcd799dc93168958a20fcfedc49bf8d5f14a","message":"[9.1] [Fleet] Improve file content type validation (elastic#234551) (elastic#234858)\n\n# Backport\n\nThis will backport the following commits from `main` to `9.1`:\n- [[Fleet] Improve file content type validation\n(elastic#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Nicolas Chaulet <[email protected]>"}},{"branch":"9.0","label":"v9.0.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234857","number":234857,"state":"MERGED","mergeCommit":{"sha":"194402574ce86aaa05cc273586b3f58dec2f84dc","message":"[9.0] [Fleet] Improve file content type validation (elastic#234551) (elastic#234857)\n\n# Backport\n\nThis will backport the following commits from `main` to `9.0`:\n- [[Fleet] Improve file content type validation\n(elastic#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Nicolas Chaulet <[email protected]>"}},{"branch":"8.18","label":"v8.18.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234855","number":234855,"state":"MERGED","mergeCommit":{"sha":"27b7abcc4c7c8c1b41156fc5de72289e8e114956","message":"[8.18] [Fleet] Improve file content type validation (elastic#234551) (elastic#234855)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.18`:\n- [[Fleet] Improve file content type validation\n(elastic#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Nicolas Chaulet <[email protected]>"}},{"branch":"8.19","label":"v8.19.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/234856","number":234856,"state":"MERGED","mergeCommit":{"sha":"59d4f3aab5abd4028170f611dd268147f69e0992","message":"[8.19] [Fleet] Improve file content type validation (elastic#234551) (elastic#234856)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.19`:\n- [[Fleet] Improve file content type validation\n(elastic#234551)](https://github.com/elastic/kibana/pull/234551)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Nicolas Chaulet <[email protected]>"}}]}] BACKPORT-->
1 parent 4f08ef0 commit 70c8e8d

File tree

1 file changed

+32
-1
lines changed

1 file changed

+32
-1
lines changed

x-pack/plugins/fleet/server/routes/epm/handlers.ts

Lines changed: 32 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,14 +50,39 @@ import {
5050
getInstallation,
5151
} from '../../services/epm/packages';
5252
import type { BulkInstallResponse } from '../../services/epm/packages';
53-
import { defaultIngestErrorHandler, ingestErrorToResponseOptions } from '../../errors';
53+
import {
54+
defaultIngestErrorHandler,
55+
ingestErrorToResponseOptions,
56+
IngestManagerError,
57+
} from '../../errors';
5458
import { splitPkgKey } from '../../services/epm/registry';
5559
import { licenseService } from '../../services';
5660
import { getArchiveEntry } from '../../services/epm/archive/cache';
5761
import { getAsset } from '../../services/epm/archive/storage';
5862
import { getPackageUsageStats } from '../../services/epm/packages/get';
5963
import { updatePackage } from '../../services/epm/packages/update';
6064

65+
const ALLOWED_MIME_TYPES = [
66+
'image/svg+xml',
67+
'image/jpeg',
68+
'image/png',
69+
'image/gif',
70+
'application/json',
71+
'application/yaml',
72+
'text/plain',
73+
'text/markdown',
74+
'text/yaml',
75+
];
76+
77+
function validateContentTypeIsAllowed(contentType: string) {
78+
if (!ALLOWED_MIME_TYPES.includes(contentType.split(';')[0])) {
79+
throw new IngestManagerError(
80+
`File content type "${contentType}" is not allowed to be retrieved`,
81+
400
82+
);
83+
}
84+
}
85+
6186
export const getCategoriesHandler: FleetRequestHandler<
6287
undefined,
6388
TypeOf<typeof GetCategoriesRequestSchema.query>
@@ -152,6 +177,7 @@ export const getFileHandler: FleetRequestHandler<
152177
statusCode: 400,
153178
});
154179
}
180+
validateContentTypeIsAllowed(contentType);
155181

156182
return response.custom({
157183
body: buffer,
@@ -172,6 +198,11 @@ export const getFileHandler: FleetRequestHandler<
172198
return headers;
173199
}, {} as ResponseHeaders);
174200

201+
if (!proxiedHeaders['content-type'] || typeof proxiedHeaders['content-type'] !== 'string') {
202+
throw new IngestManagerError(`unknown content type for file: ${filePath}`);
203+
}
204+
validateContentTypeIsAllowed(proxiedHeaders['content-type']);
205+
175206
return response.custom({
176207
body: registryResponse.body,
177208
statusCode: registryResponse.status,

0 commit comments

Comments
 (0)