Skip to content

feat(security): add MIME type restrictions for resources (US-2) #3847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
crivetimihai merged 1 commit into from
Apr 3, 2026
Merged

feat(security): add MIME type restrictions for resources (US-2) #3847

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ ALLOW_PUBLIC_VISIBILITY=true
# The 100.64.0.0/10 range is Carrier-Grade NAT (CGNAT) which some cloud providers use

# -----------------------------------------------------------------------------
# Content Security - Size Limits
# Content Security - Size Limits and MIME Type Restrictions (US-2)
# -----------------------------------------------------------------------------
# Maximum content sizes (in bytes) to prevent DoS attacks via large uploads

Expand All @@ -110,6 +110,19 @@ ALLOW_PUBLIC_VISIBILITY=true
# Prompts exceeding this limit will be rejected with 413 Payload Too Large
# CONTENT_MAX_PROMPT_SIZE=10240

# Allowed MIME types for resources (JSON array or comma-separated list)
# In strict mode, only MIME types explicitly listed here are accepted.
# Vendor types (application/x-*, text/x-*) and suffix types (+json, +xml) must be
# explicitly added to this list if needed - they are NOT automatically allowed.
# Default: text/plain,text/markdown,text/html,text/csv,application/json,application/xml,application/pdf,...
# Both formats are accepted:
# CONTENT_ALLOWED_RESOURCE_MIMETYPES=["text/plain","text/markdown","application/json"]
# CONTENT_ALLOWED_RESOURCE_MIMETYPES=text/plain,text/markdown,application/json

# Enable strict MIME type validation for resources (default: false)
# Set to true to reject disallowed MIME types; false logs violations without blocking
# CONTENT_STRICT_MIME_VALIDATION=false

# =============================================================================
# Project defaults (batteries-included overrides)
# =============================================================================
Expand Down
80 changes: 40 additions & 40 deletions .secrets.baseline
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"files": "package-lock.json|Cargo.lock|^.secrets.baseline$|scripts/sign_image.sh|scripts/zap|sonar-project.properties|^/Users/brian/dev/github.ibm.com/contextforge-org/sps-pipeline-config/.secrets.baseline$|^./.secrets.baseline$",
"lines": null
},
"generated_at": "2026-04-03T10:38:44Z",
"generated_at": "2026-04-03T11:21:02Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -92,87 +92,87 @@
"hashed_secret": "08cd923367890009657eab812753379bdb321eeb",
"is_secret": false,
"is_verified": false,
"line_number": 509,
"line_number": 522,
"type": "Basic Auth Credentials",
"verified_result": null
},
{
"hashed_secret": "14f8aa3e560a47851908ab0f04ec856dbc512d93",
"is_secret": false,
"is_verified": false,
"line_number": 704,
"line_number": 717,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
"is_secret": false,
"is_verified": false,
"line_number": 964,
"line_number": 977,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
"is_secret": false,
"is_verified": false,
"line_number": 990,
"line_number": 1003,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "ac371b6dcce28a86c90d12bc57d946a800eebf17",
"is_secret": false,
"is_verified": false,
"line_number": 1070,
"line_number": 1083,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "0b6ec68df700dec4dcd64babd0eda1edccddace1",
"is_secret": false,
"is_verified": false,
"line_number": 1075,
"line_number": 1088,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "4ad6f0082ee224001beb3ca5c3e81c8ceea5ed86",
"is_secret": false,
"is_verified": false,
"line_number": 1080,
"line_number": 1093,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "cb32747fcfb55eaa194c8cd8e4ba7d49ada08a94",
"is_secret": false,
"is_verified": false,
"line_number": 1086,
"line_number": 1099,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "6c178d51b13520496dbc767ed3d9d7aa5803ac72",
"is_secret": false,
"is_verified": false,
"line_number": 1098,
"line_number": 1111,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "ca45060a53fd8a255d1a83ee8d2f025283ccc66e",
"is_secret": false,
"is_verified": false,
"line_number": 1116,
"line_number": 1129,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "910fbf00f58e9bcb095ea26a75cc1d9a3355e671",
"is_secret": false,
"is_verified": false,
"line_number": 1177,
"line_number": 1190,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -1828,7 +1828,7 @@
"hashed_secret": "e689846dfc65621eeab3a906bb8b0ddd52f5c514",
"is_secret": false,
"is_verified": false,
"line_number": 130,
"line_number": 158,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -5110,7 +5110,7 @@
"hashed_secret": "85b60d811d16ff56b3654587d4487f713bfa33b7",
"is_secret": false,
"is_verified": false,
"line_number": 14931,
"line_number": 14976,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -5752,15 +5752,15 @@
"hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684",
"is_secret": false,
"is_verified": false,
"line_number": 221,
"line_number": 222,
"type": "Basic Auth Credentials",
"verified_result": null
},
{
"hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
"is_secret": false,
"is_verified": false,
"line_number": 2140,
"line_number": 2169,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -6082,7 +6082,7 @@
"hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
"is_secret": false,
"is_verified": false,
"line_number": 3290,
"line_number": 3404,
"type": "Hex High Entropy String",
"verified_result": null
}
Expand Down Expand Up @@ -7380,7 +7380,7 @@
"hashed_secret": "ba9cdae9b74942b8ac45ec20dfc3803a07fe6de9",
"is_secret": false,
"is_verified": false,
"line_number": 58,
"line_number": 61,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -9854,23 +9854,23 @@
"hashed_secret": "b0beaa298b4c296ba29df08b919548d17e68d6c8",
"is_secret": false,
"is_verified": false,
"line_number": 3496,
"line_number": 4017,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
"is_secret": false,
"is_verified": false,
"line_number": 3511,
"line_number": 4032,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
"is_secret": false,
"is_verified": false,
"line_number": 4203,
"line_number": 4724,
"type": "Hex High Entropy String",
"verified_result": null
}
Expand Down Expand Up @@ -10212,119 +10212,119 @@
"hashed_secret": "206c80413b9a96c1312cc346b7d2517b84463edd",
"is_secret": false,
"is_verified": false,
"line_number": 1600,
"line_number": 1604,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "5cbd0bf2db07a8f50fa9bbcc5ac720b1911c6380",
"is_secret": false,
"is_verified": false,
"line_number": 1772,
"line_number": 1776,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "a10b98d7340036e9c8c301704f623eddd733cc1a",
"is_secret": false,
"is_verified": false,
"line_number": 2736,
"line_number": 2781,
"type": "Hex High Entropy String",
"verified_result": null
},
{
"hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
"is_secret": false,
"is_verified": false,
"line_number": 5148,
"line_number": 5189,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "fe1bae27cb7c1fb823f496f286e78f1d2ae87734",
"is_secret": false,
"is_verified": false,
"line_number": 5795,
"line_number": 5842,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "2878cbdbbcfa6feafc04b8889f5ecc8c470ba32e",
"is_secret": false,
"is_verified": false,
"line_number": 5859,
"line_number": 5906,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "a0281cd072cea8e80e7866b05dc124815760b6c9",
"is_secret": false,
"is_verified": false,
"line_number": 6111,
"line_number": 6158,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "a0f4ea7d91495df92bbac2e2149dfb850fe81396",
"is_secret": false,
"is_verified": false,
"line_number": 9086,
"line_number": 9140,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "a75a7c7b31474f3f04f3a395228ded8d61ee1ae3",
"is_secret": false,
"is_verified": false,
"line_number": 9135,
"line_number": 9189,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "02c593fd9af8254b859d426a76b6cd42847fbec1",
"is_secret": false,
"is_verified": false,
"line_number": 9174,
"line_number": 9228,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "1ded3053d0363079a4e681a3b700435d6d880290",
"is_secret": false,
"is_verified": false,
"line_number": 9231,
"line_number": 9285,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "c00dbbc9dadfbe1e232e93a729dd4752fade0abf",
"is_secret": false,
"is_verified": false,
"line_number": 14001,
"line_number": 14058,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
"is_secret": false,
"is_verified": false,
"line_number": 16758,
"line_number": 16815,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "a4b48a81cdab1e1a5dd37907d6c85ca1c61ddc7c",
"is_secret": false,
"is_verified": false,
"line_number": 16777,
"line_number": 16834,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "dc8002865f92070749b264e76045b04fa3b8de71",
"is_secret": false,
"is_verified": false,
"line_number": 20332,
"line_number": 20389,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down Expand Up @@ -10698,23 +10698,23 @@
"hashed_secret": "cd024c09e5784e941e833bd8fabf1dcfc3fb6cd8",
"is_secret": false,
"is_verified": false,
"line_number": 53,
"line_number": 54,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
"is_secret": false,
"is_verified": false,
"line_number": 137,
"line_number": 138,
"type": "Hex High Entropy String",
"verified_result": null
},
{
"hashed_secret": "a10b98d7340036e9c8c301704f623eddd733cc1a",
"is_secret": false,
"is_verified": false,
"line_number": 150,
"line_number": 151,
"type": "Hex High Entropy String",
"verified_result": null
}
Expand All @@ -10724,7 +10724,7 @@
"hashed_secret": "cd024c09e5784e941e833bd8fabf1dcfc3fb6cd8",
"is_secret": false,
"is_verified": false,
"line_number": 30,
"line_number": 35,
"type": "Secret Keyword",
"verified_result": null
}
Expand Down
Loading
Loading