Media Library: buildInputElement on media library content view does not return the correct form element, bypasses checks

Created on 5 March 2024, 4 months ago
Updated 6 March 2024, 4 months ago

Problem/Motivation

In testing use of the Media Library from the form widget on the Node Edit form, we have discovered that the buildInputElement function used to create the file upload form element is not returning the correct upload element. Notably on an image field, it is returning the standard file_managed_file element rather than the image_widget.

This bypasses the verification of the uploaded files as actual images, resulting in a security issue as it allows any file type to be uploaded as long as the file extension is on the allowed list. These validators such as file_validate_is_image are not called during the entire media entity creation process via Media Library. This allows for potentially problematic files that would otherwise not be able to be uploaded to bypass normal checks.

Secondly, this element is hard-coded to have "#multiple" as TRUE even if the source field is limited to one item, allowing multiple files to be uploaded if selected from the system-level file open dialog, as long as they are below the size limit. These files are staged into the sites/files directory and temporary managed file entities are created for them, though no media entities are created except one for the last file uploaded. This allows "shadow" files to be uploaded for a short time.

Steps to reproduce

1. Add Entity Reference field type onto a node, set to use a media type such as "image"
2. Set to use the "Media Library" form display
3. Create node and add content using the Media Library form.

Proposed resolution

Change buildInputElement to use the correct upload widget, or to inherit properties including validators from the originating widget.
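As an added illustration of the resolution proposed above (this is not Drupal core code and not a patch from this issue), the sketch below places the element as the report describes it next to a variant that reuses the originating widget's validators and derives "#multiple" from the field's cardinality. The function names, the `$item` parameter and the use of `FileItem` are assumptions; the form API keys, `file_validate_is_image` and the cardinality constant are real Drupal 10.1 API.

```php
<?php

// Added example, not Drupal core code. Shows the weak element beside a
// hardened one; helper names and the $item parameter are assumptions.

use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\file\Plugin\Field\FieldType\FileItem;

/**
 * The element as the issue describes it: a plain managed_file element,
 * whatever the source field type, with #multiple always TRUE. For an image
 * source the image widget's validators (file_validate_is_image) never run.
 */
function buildInputElementBefore(FileItem $item): array {
  return [
    '#type' => 'managed_file',
    '#upload_location' => $item->getUploadLocation(),
    // Extension and size checks only; nothing verifies the file is an image.
    '#upload_validators' => $item->getUploadValidators(),
    '#multiple' => TRUE,
  ];
}

/**
 * Hardened variant: inherit the validators the originating widget would have
 * applied, and only allow multi-file selection when the field permits it.
 */
function buildInputElementAfter(FileItem $item): array {
  $definition = $item->getFieldDefinition();
  $validators = $item->getUploadValidators();

  // An image source must also be checked as a real image, as ImageWidget does.
  if ($definition->getType() === 'image') {
    $validators['file_validate_is_image'] = [];
  }

  $cardinality = $definition->getFieldStorageDefinition()->getCardinality();
  $allowsMany = $cardinality === FieldStorageDefinitionInterface::CARDINALITY_UNLIMITED
    || $cardinality > 1;

  return [
    '#type' => 'managed_file',
    '#upload_location' => $item->getUploadLocation(),
    '#upload_validators' => $validators,
    // A single-item field gets a single-file picker, so no extra files are
    // staged into sites/files as temporary managed file entities.
    '#multiple' => $allowsMany,
  ];
}
```

The hardened variant adds only the image validator; an actual fix would more likely delegate to the widget that owns the source field so that any further validators it applies are inherited rather than re-listed here.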

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

10.1

Component
Media 

Created by

🇺🇸United States R_H-L

  • Security
