Add support to restrict @Core.AcceptableMediaTypes

[samyuktaprabhu]

Add Support to Restrict @Core.AcceptableMediaTypes

✨ New Features

Introduced support for restricting allowed MIME types for attachments using the @Core.AcceptableMediaTypes annotation. This feature enables validation of file types during upload at HandlerOrder.BEFORE, ensuring only specified media types are accepted before processing begins.

🔧 Changes

Core Implementation

• CreateAttachmentsHandler.java: Added new @Before handler method processBeforeForMetadata that validates acceptable media types early in the request lifecycle using CdsRuntime dependency. Updated constructor to accept CdsRuntime parameter for metadata validation support.
• AttachmentValidationHelper.java (new): Created comprehensive helper class for media type validation with extensive MIME type mapping (70+ common formats including images, documents, videos, fonts). Implements validation logic with support for wildcard patterns (image/*) and default fallback behavior (*/*).
• MediaTypeResolver.java (new): Extracts acceptable media types from CDS entity annotations, handling both direct media entities and composed attachments.
• MediaTypeService.java (new): Provides MIME type resolution from file extensions and validates against acceptable media types, supporting exact matches and wildcard patterns.
• FileNameValidator.java (new): Validates file name format, ensuring files have proper extensions before MIME type validation.
• AttachmentDataExtractor.java (new): Extracts file names from attachment data, validating presence of required file name fields.
• Registration.java: Updated handler registration to pass CdsRuntime instance to CreateAttachmentsHandler.
• ApplicationHandlerHelper.java: Added deepSearchForAttachments() method to recursively check for attachment compositions in entity hierarchies.
• DraftCancelAttachmentsHandler.java: Refactored to use shared deepSearchForAttachments() method from ApplicationHandlerHelper.

Documentation

• README.md: Added comprehensive documentation for the @Core.AcceptableMediaTypes annotation, including:
  • Examples of exact matches (image/jpeg, image/png)
  • Wildcard patterns (image/*)
  • Default behavior (*/*)
  • Usage scenarios for both single and multiple media types

Test Suite

• CreateAttachmentsHandlerTest.java: Added tests for new metadata validation handler
• AttachmentValidationHelperTest.java (new): Comprehensive test suite with 16+ test cases covering MIME type detection, validation, wildcards, error scenarios, and edge cases (including hidden files like .gitignore)
• MediaTypeResolverTest.java (new): Tests for media type extraction from entity annotations
• MediaTypeServiceTest.java (new): Tests for MIME type resolution and validation logic
• FileNameValidatorTest.java (new): Tests for file name format validation
• AttachmentDataExtractorTest.java (new): Tests for file name extraction from attachment data
• MediaValidatedAttachmentsDraftTest.java (new): Integration tests for draft service media validation with parameterized tests for various file types
• MediaValidatedAttachmentsNonDraftTest.java (new): Integration tests for non-draft service media validation, including deep create scenarios
• ApplicationHandlerHelperTest.java: Updated test imports
• SizeLimitedAttachmentsSizeValidationDraftTest.java: Added file name assignments to test cases
• SizeLimitedAttachmentValidationNonDraftTest.java: Added file name assignments to test cases

Integration Test Configuration

• data-model.cds: Added mediaValidatedAttachments and mimeValidatedAttachments compositions to Roots entity
• test-service.cds: Configured annotations to accept only JPEG and PNG images for mediaValidatedAttachments, and PDFs for mimeValidatedAttachments
• RootEntityBuilder.java: Enhanced builder to support media-validated attachments with proper initialization

Sample Application

• samples/bookshop/srv/attachments.cds:
  • Added mediaValidatedAttachments and attachments2 compositions to Books entity
  • Configured mediaValidatedAttachments to accept only JPEG and PNG images
  • Configured attachments2 to accept only PDF files
  • Updated UI facets to display mediaValidatedAttachments in the Administrator App
  • Added new non-draft service for testing purposes

• 🔄 Regenerate and Update Summary

---

📬 Subscribe to the Hyperspace PR Bot DL to get the latest announcements and pilot features!

PR Bot Information

Version: 1.17.73 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• Event Trigger: pull_request.edited
• Summary Prompt: Default Prompt
• LLM: anthropic--claude-4.5-sonnet
• Output Template: Default Template
• Correlation ID: b90175b0-126a-11f1-8fb8-2c3dc5f1e257

[hyperspace-insights]

The PR adds media type restriction support for attachments. I've identified a few issues: a typo in MIME type definitions (application/txt should be text/plain), potential security concerns with filename validation (missing path traversal checks), and a minor note about null handling. Overall the implementation is reasonable but needs these corrections before merging.

PR Bot Information

Version: 1.17.53 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• Event Trigger: pull_request.opened
• LLM: anthropic--claude-4.5-sonnet
• Correlation ID: 78c854a0-0757-11f1-833c-299ee35f3dc8

[hyperspace-insights]

---

Summary

The pull request introduces MIME type validation for attachments with good test coverage. However, several null safety issues were identified in the validation logic that could lead to NullPointerException errors. Additionally, a minor CDS syntax inconsistency and a misleading test variable name should be addressed.

PR Bot Information

Version: 1.17.61 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• Event Trigger: issue_comment.created
• Correlation ID: b7b79080-0bdb-11f1-9b97-78cdc3653ab1
• LLM: anthropic--claude-4.5-sonnet

[Schmarvinius]

Unit-Tests:

• AttachmentCalidationHelperTest:
  • Add a test for wildcard subtype rejection like image/* should reject application/pdf
  • Add a test for files start with . like .gitignore or .ssh or .zshrc and so on

Integration-Tests:

• MediaCalidatedAttachmentsDraftTest:
  • Add a test for false inputs like an empty string. You have them for non draft but not for draft.
  • Add tests for situations where it fails like upload a pdf when only jpeg or image/* is allowed
    • Also one for dotfiles
• MediaValidatedAttachmentsNonDraftTest:
  • Add a test for case sensitivity in the extension
  • Add a test for no extension
  • Add a test for hidden files again

[hyperspace-insights]

Summary

This PR introduces MIME type validation for attachments with generally solid implementation. I've identified 9 substantive issues requiring attention:

• Critical: Missing file extension validation in MediaTypeService.resolveMimeType() could cause runtime errors
• Important: Inconsistent filename validation between extractor and validator creates confusing error paths
• Security consideration: FileNameValidator doesn't check for path traversal characters (e.g., ../, null bytes)
• Several performance and code quality improvements around duplicate constants, inefficient stream operations, and wildcard matching logic

The test coverage is comprehensive, and the feature design is well-thought-out. Address the validation and error-handling gaps before merging.

PR Bot Information

Version: 1.17.72 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• LLM: anthropic--claude-4.5-sonnet
• Event Trigger: issue_comment.created
• Correlation ID: a7941f80-1242-11f1-91ae-db28216a7610