fix: file validation bypass by targeting non file input types during customer file upload (#174)

* fix: prevent customer uploads for non file based metadata types

---------

Co-authored-by: Ryan Hoerr <rhoerr@users.noreply.github.com>

Author: SamJUK

app/code/Magento/Customer/Model/FileUploader.php

@@ -49,6 +49,11 @@ class FileUploader
      */
     private $scope;
 
+    /**
+     * @var string[]
+     */
+    private array $validInputTypes;
+
     /**
      * @param CustomerMetadataInterface $customerMetadataService
      * @param AddressMetadataInterface $addressMetadataService
@@ -57,6 +62,7 @@ class FileUploader
      * @param AttributeMetadataInterface $attributeMetadata
      * @param string $entityTypeCode
      * @param string $scope
+     * @param array|null $validInputTypes
      */
     public function __construct(
         CustomerMetadataInterface $customerMetadataService,
@@ -65,7 +71,8 @@ public function __construct(
         FileProcessorFactory $fileProcessorFactory,
         AttributeMetadataInterface $attributeMetadata,
         $entityTypeCode,
-        $scope
+        $scope,
+        ?array $validInputTypes = ['file', 'image']
     ) {
         $this->customerMetadataService = $customerMetadataService;
         $this->addressMetadataService = $addressMetadataService;
@@ -74,6 +81,7 @@ public function __construct(
         $this->attributeMetadata = $attributeMetadata;
         $this->entityTypeCode = $entityTypeCode;
         $this->scope = $scope;
+        $this->validInputTypes = $validInputTypes;
     }
 
     /**
@@ -83,6 +91,12 @@ public function __construct(
      */
     public function validate()
     {
+        if (!in_array($this->attributeMetadata->getFrontendInput(), $this->validInputTypes)) {
+            return [
+                __('"%1" is not a valid input to accept file uploads.', $this->attributeMetadata->getFrontendInput())
+            ];
+        }
+
         $formElement = $this->elementFactory->create(
             $this->attributeMetadata,
             null,

app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php

@@ -118,10 +118,39 @@ public function testValidate()
             ->with($this->attributeMetadata, null, CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER)
             ->willReturn($formElement);
 
+        $this->attributeMetadata->expects($this->once())
+            ->method('getFrontendInput')
+            ->willReturn('image');
+
         $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
         $this->assertTrue($model->validate());
     }
 
+    public function testValidateInvalidAttributeType()
+    {
+        $attributeType = 'select';
+        $attributeCode = 'attribute_code';
+        $filename = 'filename.ext1';
+
+        $_FILES = [
+            'customer' => [
+                'name' => [
+                    $attributeCode => $filename,
+                ],
+            ],
+        ];
+
+        $this->attributeMetadata->expects($this->exactly(2))
+            ->method('getFrontendInput')
+            ->willReturn($attributeType);
+
+        $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
+        $expectedErrors = [
+            __('"%1" is not a valid input to accept file uploads.', $attributeType)
+        ];
+        $this->assertEquals($expectedErrors, $model->validate());
+    }
+
     public function testUpload()
     {
         $attributeCode = 'attribute_code';

app/code/Magento/Customer/etc/di.xml

@@ -604,4 +604,12 @@
             <argument name="indexerId" xsi:type="string">customer_grid</argument>
         </arguments>
     </virtualType>
+    <type name="Magento\Customer\Model\FileUploader">
+        <arguments>
+            <argument name="validInputTypes" xsi:type="array">
+                <item name="file" xsi:type="string">file</item>
+                <item name="image" xsi:type="string">image</item>
+            </argument>
+        </arguments>
+    </type>
 </config>