fix: validate MCP attachment formats and align media allowlist#1541
Open
bsantosh909 wants to merge 1 commit into
Open
fix: validate MCP attachment formats and align media allowlist#1541bsantosh909 wants to merge 1 commit into
bsantosh909 wants to merge 1 commit into
Conversation
Reject non-mp4 / non-image attachment URLs in the MCP integrationSchedulePostTool (previously accepted any URL). Introduce a single ALLOWED_POST_MEDIA source of truth in helpers/has.extension and derive VALID_POST_MEDIA_EXTENSIONS + VALID_POST_MEDIA_MIME_TYPES from it, replacing duplicated constants in the file upload pipe, the public-api URL upload controller, and the ValidUrlExtension DTO validator. Error messages now consistently list the allowed extensions across the public API and MCP.
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
nevo-david
reviewed
May 21, 2026
| !!text?.split?.('?')?.[0].endsWith('.webp') || | ||
| !!text?.split?.('?')?.[0].endsWith('.mp4') | ||
| ); | ||
| const path = text?.split?.('?')?.[0]?.toLowerCase?.(); |
Contributor
There was a problem hiding this comment.
let's add here also split for ['#'] on 0
| ), | ||
| attachments: z | ||
| .array(z.string()) | ||
| .describe('The image of the post (URLS)'), |
Contributor
There was a problem hiding this comment.
Do you think it's possible to add the validation here? I think zod allows for custom schema check
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix + small refactor (no behavior change on the web flow).
Why was this change needed?
The MCP
integrationSchedulePostToolaccepted any attachment URL —including
.mov,.exe,.pdf, etc. — and forwarded them to postcreation with no format check, while the public API enforced an
mp4-only / image allowlist. This closes that gap and consolidates the
allowed-media list into a single source of truth so the file-upload
pipe, the URL DTO validator, the public-API URL controller and the
MCP attachment guard can no longer drift apart.
Other information:
ALLOWED_POST_MEDIAis now defined once inlibraries/helpers/src/utils/has.extension.tsand drives bothVALID_POST_MEDIA_EXTENSIONS(used byValidUrlExtensionand theMCP attachment check via
isValidPostMediaUrl) andVALID_POST_MEDIA_MIME_TYPES(used byCustomFileValidationPipeand the
/public/v1/upload-from-urlcontroller).image/avif,image/bmp,image/tiffare no longer accepted by/public/v1/upload. Theywere never accepted by
/upload-from-url(rejected at the DTOlevel by
ValidUrlExtension), so file uploads in those formatscould be stored but never used downstream — this removes the
half-working surface.
png/jpg/jpeg/gif/webpclient-side and uses Transloadit totranscode non-mp4 videos to mp4 before reaching the API.
/public/v1/upload,/public/v1/upload-from-url, and the MCPintegrationSchedulePostToolwith.mp4/.mov/.exe/.pdf/.pngpayloads.Checklist: