fix(uploads): allowlist Content-Type on serve paths — defense-in-depth against stored-XSS (#3729) (#3732)

* fix(uploads): allowlist Content-Type on serve paths to prevent stored-XSS (#3729)

Defense-in-depth backstop: the download handler now validates the stored
content-type against SAFE_MIME (get) / SAFE_IMAGE_MIME (getSharp) before
echoing it, falling back to application/octet-stream / image/jpeg respectively.
Adds Content-Disposition: attachment on the private download path.
Covers both req.upload.contentType and req.upload.metadata.contentType.
15 new unit tests assert safe MIMEs pass through and dangerous ones are
downgraded.

* fix(uploads): normalize MIME before allowlist check + harden pipe mocks + expand getSharp coverage

- Add normalizeMime() helper: lowercase + strip ; params
- Apply normalizeMime() in both get and getSharp before allowlist lookup
- Add @returns JSDoc to getSharp per repo guideline
- Fix stream.pipe mock in makeStream() to return dest (chained pipe support)
- Fix sharp().pipe mock to return dest (stream.pipe(transform).pipe(res) chain)
- Remove per-test stream.pipe overrides (centralized in makeStream)
- Add getSharp tests: metadata.contentType safe/dangerous, missing fallback,
  uppercase MIME, MIME-with-params normalization
- Add get tests: uppercase MIME, MIME-with-params normalization

Addresses all Copilot review threads on PR #3732.

Author: PierreBrisorgueil

modules/uploads/controllers/uploads.controller.js

@@ -9,6 +9,27 @@ import errors from '../../../lib/helpers/errors.js';
 import responses from '../../../lib/helpers/responses.js';
 import UploadsService from '../services/uploads.service.js';
 
+/**
+ * Allowlisted MIME types for private download (get).
+ * Defense-in-depth: prevents stored-XSS when a downstream kind permits a dangerous MIME.
+ */
+const SAFE_MIME = new Set(['image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'image/webp', 'application/pdf']);
+
+/**
+ * Allowlisted MIME types for public image serving (getSharp).
+ * Restricted to image types — the sharp pipeline only handles images.
+ */
+const SAFE_IMAGE_MIME = new Set(['image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'image/webp']);
+
+/**
+ * Normalize a raw Content-Type value for safe allowlist comparison.
+ * MIME types are case-insensitive and may include parameters (e.g. `image/jpeg; charset=binary`).
+ * Strip any `;` parameter segment, lowercase, and trim before checking the allowlist.
+ * @param {string} raw - Raw content-type string.
+ * @returns {string} Normalized MIME type (e.g. `image/jpeg`).
+ */
+const normalizeMime = (raw) => String(raw).toLowerCase().split(';')[0].trim();
+
 /**
  * @desc Endpoint to get an upload by fileName
  * @param {Object} req - Express request object
@@ -21,8 +42,11 @@ const get = async (req, res) => {
     stream.on('error', (err) => {
       responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);
     });
-    const contentType = req.upload.contentType || req.upload.metadata?.contentType || 'application/octet-stream';
+    const raw = req.upload.contentType || req.upload.metadata?.contentType || 'application/octet-stream';
+    const norm = normalizeMime(raw);
+    const contentType = SAFE_MIME.has(norm) ? norm : 'application/octet-stream';
     res.set('Content-Type', contentType);
+    res.set('Content-Disposition', 'attachment');
     if (req.upload.length) res.set('Content-Length', req.upload.length);
     stream.pipe(res);
   } catch (err) {
@@ -34,6 +58,7 @@ const get = async (req, res) => {
  * @desc Endpoint to get an upload by fileName with sharp options
  * @param {Object} req - Express request object
  * @param {Object} res - Express response object
+ * @returns {Promise<void>} Resolves when the image stream has been piped to the response.
  */
 const getSharp = async (req, res) => {
   try {
@@ -42,7 +67,9 @@ const getSharp = async (req, res) => {
     stream.on('error', (err) => {
       responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);
     });
-    const contentType = req.upload.contentType || req.upload.metadata?.contentType || 'application/octet-stream';
+    const raw = req.upload.contentType || req.upload.metadata?.contentType || 'application/octet-stream';
+    const norm = normalizeMime(raw);
+    const contentType = SAFE_IMAGE_MIME.has(norm) ? norm : 'image/jpeg';
     res.set('Content-Type', contentType);
     switch (req.sharpOption) {
       case 'blur':