Conversation

@SamJUK
Contributor

@SamJUK SamJUK commented Oct 30, 2025

Description (*)

Currently, we can upload files against any attribute type via the customer file upload controllers.

This is not ideal, as we can target non-file-based types (Select/Hidden/Text) to bypass the expected validation logic that would take place for an Image/File type.

And as far as I am aware, there is no valid reason to be uploading a file to non-file input types (e.g. select/text).

This specific functionality is actively being exploited as part of the Session Reaper (CVE-2025-54236) chain to achieve RCE.
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

This PR restricts file uploads to only the input types that are expected to have file uploads, whilst leaving the input types configurable to merchants/extension developers via di.xml.

Manual testing scenarios (*)

  1. Checkout 2.4-develop

  2. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a select attribute (country_id).
    Note a success message, and that the file is present in the pub/media/customer_address directory.

  3. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a text attribute (city).
    Note an error message referencing a text-based validation error (trying to validate a file as a string).

  4. Checkout this PR

  5. Repeat steps 2 & 3; note a friendly error message stating that file uploads are unexpected.

  6. Create an image/file-based attribute and update the curl command to target it. The upload should succeed.

# ENV prep: a harmless payload and a random form_key (the controller only checks
# that the cookie and the POST field match, so any value works)
echo "hello-world" > /tmp/hello-world
FORMKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)

# Test post targeting country_id (select type)
# -k skips TLS verification for the local test host
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[country_id]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Test post targeting city (text type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[city]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Confirm whether the file reached the media file system (run from the Magento root)
find pub/media/customer_address/ -type f
[Screenshots: "Before Update" and "After Update" (2025-10-30), showing the upload responses before and after the PR]

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
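As an added illustration, not code from this PR and not Magento's own API, the shape of the check the description calls for: an allowlist of frontend input types that may legitimately receive a file, consulted before anything is written under pub/media or handed to a string validator. The class and exception names (UploadInputTypeGuard, UploadNotAllowedException) are hypothetical, and the attribute-to-input-type map is constructed to mirror the attributes used in the test steps (country_id, city). In Magento the allowlist would arrive as a constructor argument supplied through di.xml, as the description says; here it is a plain PHP argument so the script runs stand-alone.

```php
<?php
// Added illustration, not the PR's code: an allowlist guard that a file-upload
// controller could call before binding a multipart field to an attribute.
// Names (UploadInputTypeGuard, UploadNotAllowedException) are hypothetical.
declare(strict_types=1);

final class UploadNotAllowedException extends RuntimeException {}

final class UploadInputTypeGuard
{
    /** @var string[] frontend input types that legitimately receive a file */
    private array $allowedInputTypes;

    /**
     * In Magento this list would be injected via di.xml so merchants and
     * extension developers can extend it; here it is a plain argument.
     * @param string[] $allowedInputTypes
     */
    public function __construct(array $allowedInputTypes = ['file', 'image'])
    {
        $this->allowedInputTypes = array_map('strtolower', $allowedInputTypes);
    }

    /**
     * True when an uploaded file may be bound to an attribute of this input type.
     * An unknown or empty input type is rejected as well: a missing attribute
     * must not fall through to a "no validation at all" path.
     */
    public function isUploadAllowed(?string $frontendInput): bool
    {
        if ($frontendInput === null || $frontendInput === '') {
            return false;
        }
        return in_array(strtolower($frontendInput), $this->allowedInputTypes, true);
    }

    /**
     * Fail closed before any file is written to pub/media or validated as a string.
     */
    public function assertUploadAllowed(string $attributeCode, ?string $frontendInput): void
    {
        if (!$this->isUploadAllowed($frontendInput)) {
            throw new UploadNotAllowedException(sprintf(
                'File uploads are not expected for attribute "%s" (input type "%s").',
                $attributeCode,
                $frontendInput ?? 'unknown'
            ));
        }
    }
}

// Constructed stand-in for the EAV attribute lookup: attribute code => frontend_input.
$attributeInputTypes = [
    'country_id'    => 'select',
    'city'          => 'text',
    'company_scan'  => 'file',
    'id_card_photo' => 'image',
];

// Simulates the multipart fields from the curl commands in the test steps,
// e.g. custom_attributes[country_id]=@/tmp/hello-world, plus an unknown code.
$guard = new UploadInputTypeGuard();
foreach (['country_id', 'city', 'company_scan', 'no_such_attribute'] as $code) {
    try {
        $guard->assertUploadAllowed($code, $attributeInputTypes[$code] ?? null);
        echo "$code: accepted, proceed to file validation and save\n";
    } catch (UploadNotAllowedException $e) {
        echo "$code: rejected - {$e->getMessage()}\n";
    }
}
```

The point of checking the attribute's declared input type rather than the uploaded content is that the bypass described in the PR never depended on what the file contained; it depended on the controller accepting a file for a field whose validator had no concept of files. Rejecting on input type closes that gap regardless of what later validators do.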

@m2-assistant

m2-assistant bot commented Oct 30, 2025

Hi @SamJUK. Thank you for your contribution!
Here are some useful tips on how you can test your changes using the Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email [email protected].

@SamJUK
Contributor Author

SamJUK commented Oct 31, 2025

@magento run all tests

@magento-automated-testing

Pull Requests are not mergeable to the mainline. Please merge the latest mainlines to your Pull Requests and restart the builds.

@SamJUK
Contributor Author

SamJUK commented Oct 31, 2025

@magento run all tests

@ssx
Contributor

ssx commented Oct 31, 2025

Excellent work @SamJUK! I've got a nearly identical PR locally 😂

@J-Wick4

J-Wick4 commented Nov 1, 2025

Our Virus security alerted us tonight about malware being uploaded to our Magento 2.4.8-p3 patched store.

Here's the file that was uploaded. I have since made a rule to block the path.
https://www.virustotal.com/gui/file/f1049d0883daa1c6355eb86aacb59e10452fabc6ef0ac9691f22a53f3069597a/community
