Conversation

@SamJUK SamJUK commented Nov 1, 2025

Applies proposed upstream changes in magento/magento2#40262

Description (*)

Currently you can bypass the file validation logic within the customer upload controllers by uploading arbitrary files against non-file input type attributes (Select/Hidden/Text etc.).

And as far as I am aware, there is no valid reason to be uploading a file to non-file input types (e.g. select / text).

This specific functionality is actively being exploited as part of the Session Reaper (CVE-2025-54236) chain to achieve RCE.
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

This PR restricts file uploads to only the input types that are expected to have file uploads, whilst leaving the input types configurable to merchants/extension developers via di.xml.

Related Pull Requests

magento/magento2#40262

Manual testing scenarios (*)

  1. Checkout 2.4-develop

  2. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a select attribute (country_id)
    Note a success message, and the file is present in the pub/media/customer_address directory

  3. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a text attribute (city)
    Note an error message, referencing a text-based validation error from trying to validate a file as a string

  4. Checkout this PR

  5. Repeat Steps 2 & 3, note a friendly error message stating file uploads are unexpected.

  6. Create an image/file based attribute, update the curl command to target that. Upload should succeed.

```bash
# ENV Prep: a harmless file to upload, and a random form key.
# Magento accepts the request when the form_key cookie matches the form_key POST field.
echo "hello-world" > /tmp/hello-world
FORMKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)

# Test post targeting country_id (select type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[country_id]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Test post targeting city (text type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[city]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Confirm whether the file was written to the media file system (run from the Magento root)
find pub/media/customer_address/ -type f
```
Screenshots (before patch / after patch, taken 2025-10-30): images not reproduced here.

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
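The gate the PR describes, as an added illustration that is not the PR's own code and not Magento's EAV classes: an allow-list of frontend input types that may carry a file upload, injected through the constructor so that a real module could tune it from di.xml. `AttributeStub`, `UploadTypeValidator` and the attribute codes used in the sample are constructed for this example (the `getAttributeCode`/`getFrontendInput` method names follow Magento's attribute interface naming); PHP 8.0+ is assumed for constructor property promotion.

```php
<?php
// Added illustration of a "file uploads only for file/image attributes" check.
// Not the PR's implementation; the attribute class below is a stand-in.
declare(strict_types=1);

final class AttributeStub
{
    public function __construct(
        private string $code,
        private string $frontendInput
    ) {}

    public function getAttributeCode(): string { return $this->code; }
    public function getFrontendInput(): string { return $this->frontendInput; }
}

final class UploadTypeValidator
{
    /**
     * @param string[] $allowedInputTypes Input types that are expected to carry an upload.
     *                                    Injected so a di.xml argument could extend it.
     */
    public function __construct(private array $allowedInputTypes = ['file', 'image']) {}

    /**
     * Returns null when an upload is acceptable for this attribute, otherwise a
     * user-facing message (the "friendly error" the manual test expects).
     * This runs before any file-content validation, so a select/text attribute
     * never reaches the file handling code at all.
     */
    public function validate(AttributeStub $attribute): ?string
    {
        $type = strtolower($attribute->getFrontendInput());
        if (in_array($type, $this->allowedInputTypes, true)) {
            return null;
        }
        return sprintf(
            'Attribute "%s" (input type "%s") does not accept file uploads.',
            $attribute->getAttributeCode(),
            $type
        );
    }
}

// Constructed sample mirroring the manual test scenarios: select and text
// attributes are rejected, a file attribute is accepted.
$validator = new UploadTypeValidator();
$samples = [
    new AttributeStub('country_id', 'select'),
    new AttributeStub('city', 'text'),
    new AttributeStub('id_document', 'file'),
];
foreach ($samples as $attribute) {
    $error = $validator->validate($attribute);
    printf("%-12s -> %s\n", $attribute->getAttributeCode(), $error ?? 'upload accepted');
}
```

The design point is that the decision keys on the attribute's declared input type rather than on anything in the request, so an attacker choosing the attribute name gains nothing; merchants who genuinely need another type to accept files widen the allow-list in configuration instead of patching the controller.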

@SamJUK SamJUK requested a review from a team as a code owner November 1, 2025 10:02
@rhoerr (Contributor)
rhoerr commented Nov 4, 2025

Thank you @SamJUK. I need to review in more depth, but first pass looks good. I'm thinking we merge this and a fix for the SRI hash issue (when it's available) and push it as 2.0.1.
