Add support to restrict @Core.AcceptableMediaTypes

[samyuktaprabhu]

Add Support to Restrict @Core.AcceptableMediaTypes

New Features

✨ Introduced validation for acceptable media types in attachment uploads using the @Core.AcceptableMediaTypes annotation, enabling applications to restrict file types for enhanced security and consistency.

Changes

• AttachmentValidationHelper.java: New validation helper class that determines file MIME types and validates them against allowed media types. Includes fallback to default MIME type application/octet-stream when type cannot be detected. Maps common file extensions to their respective MIME types and supports wildcard patterns for flexible type matching.

• ModifyApplicationHandlerHelper.java: Enhanced attachment processing to validate media types before upload. Added methods to extract acceptable media types from entity annotations (getEntityAcceptableMediaTypes) and retrieve filenames from attachments or path values (getFileName). Integrated validation into the attachment handling workflow to ensure MIME type compliance.

• AttachmentValidationHelperTest.java: Comprehensive test suite for media type validation including edge cases for unknown extensions, uppercase extensions, and wildcard type support. Tests cover scenarios with various MIME types, default fallback behavior, and error handling for invalid or restricted file types.

• ModifyApplicationHandlerHelperTest.java: Tests for filename retrieval and acceptable media types extraction from entity annotations. Validates behavior when filenames are missing or retrieved from different sources, and ensures proper handling of annotation-based media type restrictions.

• Test Files: Updated test infrastructure across multiple files to support new validation scenarios:

  • CreateAttachmentsHandlerTest.java & UpdateAttachmentsHandlerTest.java: Added filename validation to ensure all attachment entities specify a filename
  • DraftPatchAttachmentsHandlerTest.java: Updated to include filename in test attachments
  • AcceptedMediaTypesAttachmentsValidationDraftTest.java & AcceptedMediaTypesAttachmentsValidationNonDraftTest.java: New integration tests verifying media type validation in both draft and non-draft scenarios

• CDS Models:

  • data-model.cds: Added mediaValidatedAttachments composition to the Roots entity for testing media type validation
  • test-service.cds & attachments.cds: Configured @Core.AcceptableMediaTypes annotation to restrict uploads to image/jpeg and image/png only

• Documentation:

  • README.md: Added new section "Restrict allowed MIME types" with examples showing how to use @Core.AcceptableMediaTypes annotation, including wildcard patterns and default behavior

• Helper Classes:

  • RootEntityBuilder.java: Added helper method to build entities with media-validated attachments
  • OdataRequestValidationBase.java & DraftOdataRequestValidationBase.java: Code formatting improvements

• 🔄 Regenerate and Update Summary

[hyperspace-insights]

Summary

I've reviewed the pull request implementing @Core.AcceptableMediaTypes restriction support for attachments. The implementation includes validation logic, annotation processing, and comprehensive test coverage.

Key Issues Identified:

1. Logic Error: The filename validation incorrectly rejects common patterns like archive.tar.gz or my.document.v2.pdf by requiring exactly one dot
2. Bug: Case-insensitive comparison missing for acceptable media types—uppercase types in configuration won't match
3. Performance: ObjectMapper instantiated repeatedly instead of being reused
4. Typo: Development comment left in production code

The architectural approach is sound, with proper separation between validation logic, annotation processing, and handler integration. Test coverage appears thorough across both draft and non-draft scenarios.

PR Bot Information

Version: 1.17.29 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• Correlation ID: 72739fa0-f6e1-11f0-8f4f-1fcf26d4251d
• Event Trigger: pull_request.opened
• LLM: anthropic--claude-4.5-sonnet

[hyperspace-insights]

Summary

The pull request adds MIME type validation for attachments using @Core.AcceptableMediaTypes annotation. I identified 4 substantive issues:

1. Typo: Incorrect MIME type application/txt should be text/plain for .txt/.lst files
2. Logic Error: Wildcard matching uses startsWith() which allows unintended matches like "application-custom/xml" matching "application/*"
3. Typo: Missing space in CDS import statement (fromcom.sap...should befrom com.sap...)
4. Bug: Potential ArrayIndexOutOfBoundsException if MIME type doesn't contain "/" when splitting for wildcard comparison

The most critical is the wildcard matching logic error, which could allow unauthorized file types to bypass validation. The incorrect text/plain MIME type could also cause legitimate uploads to fail validation.

PR Bot Information

Version: 1.17.30 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback

• Event Trigger: issue_comment.created
• LLM: anthropic--claude-4.5-sonnet
• Correlation ID: 69c8f670-f7b3-11f0-9744-1ffc39f47963