From 1690a880740f8d278f1170545f271fb7d06dd545 Mon Sep 17 00:00:00 2001
From: Sam James
Date: Sat, 1 Nov 2025 09:07:50 +0000
Subject: [PATCH 1/2] fix: prevent customer uploads for non file based metadata types
---
 .../Magento/Customer/Model/FileUploader.php | 16 +++++++++-
 .../Test/Unit/Model/FileUploaderTest.php | 30 +++++++++++++++++++
 app/code/Magento/Customer/etc/di.xml | 8 +++++
 3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/app/code/Magento/Customer/Model/FileUploader.php b/app/code/Magento/Customer/Model/FileUploader.php
index 3bbdf22cc20a..df7c215873c6 100644
--- a/app/code/Magento/Customer/Model/FileUploader.php
+++ b/app/code/Magento/Customer/Model/FileUploader.php
@@ -49,6 +49,11 @@ class FileUploader */ private $scope; + /** + * @var string[] + */ + private array $validInputTypes; + /** + * @param CustomerMetadataInterface $customerMetadataService + * @param AddressMetadataInterface $addressMetadataService
@@ -57,6 +62,7 @@ class FileUploader
 * @param AttributeMetadataInterface $attributeMetadata
 * @param string $entityTypeCode
 * @param string $scope
+ * @param array|null $validInputTypes
 */
 public function __construct(
 CustomerMetadataInterface $customerMetadataService,
@@ -65,7 +71,8 @@ public function __construct(
 FileProcessorFactory $fileProcessorFactory,
 AttributeMetadataInterface $attributeMetadata,
 $entityTypeCode,
- $scope
+ $scope,
+ ?array $validInputTypes = ['file', 'image']
 ) {
 $this->customerMetadataService = $customerMetadataService;
 $this->addressMetadataService = $addressMetadataService;
@@ -74,6 +81,7 @@ public function __construct(
 $this->attributeMetadata = $attributeMetadata;
 $this->entityTypeCode = $entityTypeCode;
 $this->scope = $scope;
+ $this->validInputTypes = $validInputTypes;
 }
 /**
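Review bot: The constructor parameter added in the `@@ -65,7 +71,8 @@` hunk is declared `?array $validInputTypes = ['file', 'image']`, but the `@@ -74,6 +81,7 @@` hunk assigns it straight into the non-nullable `private array $validInputTypes`, so any caller or DI configuration that passes an explicit `null` fails with a TypeError at construction instead of falling back to the file/image defaults. Either drop the nullability, `array $validInputTypes = ['file', 'image']`, and change the docblock line in the `@@ -57,6 +62,7 @@` hunk to `@param string[] $validInputTypes`, or keep `?array` and write `$this->validInputTypes = $validInputTypes ?? ['file', 'image'];`. The allow-list now also lives in two places, this constructor default and the di.xml argument list (`file`, `image`) added later in the same patch, so a comment on the property such as `// Frontend input types allowed to accept uploads; the default mirrors the list configured in etc/di.xml` would help keep them in step. `__construct`'s parameter list starts before the `@@ -65,7 +71,8 @@` hunk.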
@@ -83,6 +91,12 @@ public function __construct(
 */
 public function validate()
 {
+ if (!in_array($this->attributeMetadata->getFrontendInput(), $this->validInputTypes)) {
+ return [
+ __('"%1" is not a valid input to accept file uploads.', $this->attributeMetadata->getFrontendInput())
+ ];
+ }
+
 $formElement = $this->elementFactory->create(
 $this->attributeMetadata,
 null,
diff --git a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
index 621aad793d29..32609fb93ca3 100644
--- a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
@@ -16,6 +16,7 @@
 use Magento\Customer\Model\FileUploader;
 use Magento\Customer\Model\Metadata\ElementFactory;
 use Magento\Customer\Model\Metadata\Form\Image;
+use Magento\Customer\Model\Metadata\Form\Select;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
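Review bot: The allow-list guard added at the top of `validate()` calls `in_array()` without `strict: true`, so the upload gate relies on loose comparison; with a string allow-list that happens to be safe today, but a check whose only job is to refuse uploads for the wrong attribute kind should compare strictly rather than by coincidence. The same hunk also calls `getFrontendInput()` twice, once for the check and once for the message, which the unit test then has to pin with an exact call count. Hoist it into a local and compare strictly: `$frontendInput = $this->attributeMetadata->getFrontendInput();` then `if (!in_array($frontendInput, $this->validInputTypes, true)) {` and pass `$frontendInput` to the `__()` call. A one-line comment above the guard, `// Refuse uploads for non file/image attributes before any form element is built from the request`, would record why the check sits ahead of `elementFactory->create()`. `validate()` starts inside this hunk and continues past its end.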
@@ -118,10 +119,39 @@ public function testValidate()
 ->with($this->attributeMetadata, null, CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER)
 ->willReturn($formElement);
+ $this->attributeMetadata->expects($this->once())
+ ->method('getFrontendInput')
+ ->willReturn('image');
+
 $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
 $this->assertTrue($model->validate());
 }
+ public function testValidateInvalidAttributeType()
+ {
+ $attributeType = 'select';
+ $attributeCode = 'attribute_code';
+ $filename = 'filename.ext1';
+
+ $_FILES = [
+ 'customer' => [
+ 'name' => [
+ $attributeCode => $filename,
+ ],
+ ],
+ ];
+
+ $this->attributeMetadata->expects($this->exactly(2))
+ ->method('getFrontendInput')
+ ->willReturn($attributeType);
+
+ $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
+ $expectedErrors = [
+ __('"%1" is not a valid input to accept file uploads.', $attributeType)
+ ];
+ $this->assertEquals($expectedErrors, $model->validate());
+ }
+
 public function testUpload()
 {
 $attributeCode = 'attribute_code';
diff --git a/app/code/Magento/Customer/etc/di.xml b/app/code/Magento/Customer/etc/di.xml
index 14f612c7ae4f..f5a2a9f26047 100644
--- a/app/code/Magento/Customer/etc/di.xml
+++ b/app/code/Magento/Customer/etc/di.xml
@@ -604,4 +604,12 @@ customer_grid + + + + file + image + + +
From fccfda068c3e4787174d0d30747d8c83ccab0d26 Mon Sep 17 00:00:00 2001
From: Ryan Hoerr
Date: Fri, 7 Nov 2025 20:05:26 -0500
Subject: [PATCH 2/2] Remove unused Select import in FileUploaderTest
---
 app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
index 32609fb93ca3..cfb0c6ebe55b 100644
--- a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
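Review bot: `testValidateInvalidAttributeType` pins `expects($this->exactly(2))` on `getFrontendInput`, which asserts how many times the implementation happens to call the getter rather than the behaviour under test; if `validate()` is later refactored to read the input type once, this test fails without any regression. Prefer `$this->attributeMetadata->expects($this->atLeastOnce())` (or `->method('getFrontendInput')->willReturn($attributeType)` with no count at all) and let the `assertEquals` on the returned error list carry the assertion. The `$_FILES` fixture in the same test appears unused on the rejected path, since `validate()` returns before the form element is created, and it is written to the superglobal without being reset afterwards; presumably that mirrors `testUpload`, whose body starts at the end of this hunk, but a `tearDown` that clears `$_FILES` would keep tests from leaking into each other. The new nullable constructor argument (`null` passed for `$validInputTypes`) has no test covering it.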
@@ -16,7 +16,6 @@
 use Magento\Customer\Model\FileUploader;
 use Magento\Customer\Model\Metadata\ElementFactory;
 use Magento\Customer\Model\Metadata\Form\Image;
-use Magento\Customer\Model\Metadata\Form\Select;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;