fix(api): accept MIME types with parameters or whitespace (CS-217)

File upload endpoints were rejecting valid Content-Type values like
`application/pdf;charset=utf-8` or `application/pdf\n` with a 400
"Invalid MIME type format" error, because each DTO enforced the regex
/^[a-zA-Z0-9\-]+\/[a-zA-Z0-9\-\+\.]+$/ with no trim or parameter strip.

Extracts a shared `IsMimeTypeField` decorator (+ `normalizeMimeType`
helper) that:
- strips RFC 7231 media-type parameters (`;charset=...`) and whitespace
- lowercases the value before validation and persistence
- matches the RFC 6838 restricted-name-chars grammar

Applied to all four upload DTOs:
- attachments/upload-attachment.dto.ts
- tasks/dto/upload-attachment.dto.ts
- task-management/dto/upload-task-item-attachment.dto.ts
- org-chart/dto/upload-org-chart.dto.ts

Also removes dead `BLOCKED_MIME_TYPES` constants from two DTOs — the
actual blocklist lives in `attachments.service.ts` and operates on
the already-lowercased fileType.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tofikwest

apps/api/src/attachments/upload-attachment.dto.ts

@@ -6,25 +6,8 @@ import {
   IsOptional,
   IsString,
   MaxLength,
-  Matches,
 } from 'class-validator';
-
-// Block dangerous MIME types that could execute code
-const BLOCKED_MIME_TYPES = [
-  'application/x-msdownload', // .exe
-  'application/x-msdos-program',
-  'application/x-executable',
-  'application/x-sh', // Shell scripts
-  'application/x-bat', // Batch files
-  'text/x-sh',
-  'text/x-python',
-  'text/x-perl',
-  'text/x-ruby',
-  'application/x-httpd-php', // PHP files
-  'application/x-javascript', // Executable JS (not JSON)
-  'application/javascript',
-  'text/javascript',
-];
+import { IsMimeTypeField } from '../utils/mime-type.validator';
 
 export class UploadAttachmentDto {
   @ApiProperty({
@@ -42,11 +25,7 @@ export class UploadAttachmentDto {
     description: 'MIME type of the file',
     example: 'application/pdf',
   })
-  @IsString()
-  @IsNotEmpty()
-  @Matches(/^[a-zA-Z0-9\-]+\/[a-zA-Z0-9\-\+\.]+$/, {
-    message: 'Invalid MIME type format',
-  })
+  @IsMimeTypeField()
   fileType: string;
 
   @ApiProperty({

apps/api/src/org-chart/dto/upload-org-chart.dto.ts

@@ -1,5 +1,6 @@
-import { IsNotEmpty, IsString, Matches } from 'class-validator';
+import { IsNotEmpty, IsString } from 'class-validator';
 import { ApiProperty } from '@nestjs/swagger';
+import { IsMimeTypeField } from '../../utils/mime-type.validator';
 
 export class UploadOrgChartDto {
   @ApiProperty({ description: 'Original file name' })
@@ -8,11 +9,7 @@ export class UploadOrgChartDto {
   fileName: string;
 
   @ApiProperty({ description: 'MIME type of the file (e.g. image/png)' })
-  @IsString()
-  @IsNotEmpty()
-  @Matches(/^[a-zA-Z0-9\-]+\/[a-zA-Z0-9\-\+\.]+$/, {
-    message: 'Invalid MIME type format',
-  })
+  @IsMimeTypeField()
   fileType: string;
 
   @ApiProperty({ description: 'Base64-encoded file data' })

apps/api/src/task-management/dto/upload-task-item-attachment.dto.ts

@@ -3,13 +3,12 @@ import { Transform } from 'class-transformer';
 import {
   IsBase64,
   IsNotEmpty,
-  IsOptional,
   IsString,
   MaxLength,
-  Matches,
   IsEnum,
 } from 'class-validator';
 import { TaskItemEntityType } from '@db';
+import { IsMimeTypeField } from '../../utils/mime-type.validator';
 
 export class UploadTaskItemAttachmentDto {
   @ApiProperty({
@@ -27,11 +26,7 @@ export class UploadTaskItemAttachmentDto {
     description: 'MIME type of the file',
     example: 'application/pdf',
   })
-  @IsString()
-  @IsNotEmpty()
-  @Matches(/^[a-zA-Z0-9\-]+\/[a-zA-Z0-9\-\+\.]+$/, {
-    message: 'Invalid MIME type format',
-  })
+  @IsMimeTypeField()
   fileType: string;
 
   @ApiProperty({

apps/api/src/tasks/dto/upload-attachment.dto.ts

@@ -6,25 +6,8 @@ import {
   IsOptional,
   IsString,
   MaxLength,
-  Matches,
 } from 'class-validator';
-
-// Block dangerous MIME types that could execute code
-const BLOCKED_MIME_TYPES = [
-  'application/x-msdownload', // .exe
-  'application/x-msdos-program',
-  'application/x-executable',
-  'application/x-sh', // Shell scripts
-  'application/x-bat', // Batch files
-  'text/x-sh',
-  'text/x-python',
-  'text/x-perl',
-  'text/x-ruby',
-  'application/x-httpd-php', // PHP files
-  'application/x-javascript', // Executable JS (not JSON)
-  'application/javascript',
-  'text/javascript',
-];
+import { IsMimeTypeField } from '../../utils/mime-type.validator';
 
 export class UploadAttachmentDto {
   @ApiProperty({
@@ -42,11 +25,7 @@ export class UploadAttachmentDto {
     description: 'MIME type of the file',
     example: 'application/pdf',
   })
-  @IsString()
-  @IsNotEmpty()
-  @Matches(/^[a-zA-Z0-9\-]+\/[a-zA-Z0-9\-\+\.]+$/, {
-    message: 'Invalid MIME type format',
-  })
+  @IsMimeTypeField()
   fileType: string;
 
   @ApiProperty({

apps/api/src/utils/mime-type.validator.spec.ts

@@ -0,0 +1,126 @@
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { IsMimeTypeField, normalizeMimeType } from './mime-type.validator';
+
+class TestDto {
+  @IsMimeTypeField()
+  fileType!: string;
+}
+
+const expectValid = async (input: unknown, expectedNormalized: string) => {
+  const instance = plainToInstance(TestDto, { fileType: input });
+  const errors = await validate(instance);
+  expect(errors).toEqual([]);
+  expect(instance.fileType).toBe(expectedNormalized);
+};
+
+const expectInvalid = async (input: unknown) => {
+  const instance = plainToInstance(TestDto, { fileType: input });
+  const errors = await validate(instance);
+  expect(errors.length).toBeGreaterThan(0);
+};
+
+describe('normalizeMimeType', () => {
+  it('returns non-strings unchanged', () => {
+    expect(normalizeMimeType(undefined)).toBe(undefined);
+    expect(normalizeMimeType(null)).toBe(null);
+    expect(normalizeMimeType(123)).toBe(123);
+  });
+
+  it('strips parameters, whitespace, and lowercases', () => {
+    expect(normalizeMimeType('application/pdf')).toBe('application/pdf');
+    expect(normalizeMimeType('application/pdf;charset=utf-8')).toBe(
+      'application/pdf',
+    );
+    expect(normalizeMimeType('application/pdf; charset=utf-8')).toBe(
+      'application/pdf',
+    );
+    expect(normalizeMimeType('  application/PDF  ')).toBe('application/pdf');
+    expect(normalizeMimeType('application/pdf\n')).toBe('application/pdf');
+  });
+});
+
+describe('IsMimeTypeField', () => {
+  describe('valid inputs (CS-217 regression)', () => {
+    it('accepts application/pdf', async () => {
+      await expectValid('application/pdf', 'application/pdf');
+    });
+
+    it('accepts the xlsx vendor type', async () => {
+      await expectValid(
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+      );
+    });
+
+    it('accepts application/pdf with charset parameter', async () => {
+      await expectValid(
+        'application/pdf;charset=utf-8',
+        'application/pdf',
+      );
+    });
+
+    it('accepts xlsx with charset parameter', async () => {
+      await expectValid(
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;charset=utf-8',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+      );
+    });
+
+    it('accepts trailing whitespace', async () => {
+      await expectValid('application/pdf ', 'application/pdf');
+    });
+
+    it('accepts trailing newline', async () => {
+      await expectValid('application/pdf\n', 'application/pdf');
+    });
+
+    it('accepts uppercase', async () => {
+      await expectValid('APPLICATION/PDF', 'application/pdf');
+    });
+
+    it('accepts structured syntax suffix (e.g. +json)', async () => {
+      await expectValid(
+        'application/vnd.api+json',
+        'application/vnd.api+json',
+      );
+    });
+
+    it('accepts image/svg+xml', async () => {
+      await expectValid('image/svg+xml', 'image/svg+xml');
+    });
+  });
+
+  describe('invalid inputs', () => {
+    it('rejects empty string', async () => {
+      await expectInvalid('');
+    });
+
+    it('rejects missing slash', async () => {
+      await expectInvalid('applicationpdf');
+    });
+
+    it('rejects leading slash', async () => {
+      await expectInvalid('/pdf');
+    });
+
+    it('rejects trailing slash', async () => {
+      await expectInvalid('application/');
+    });
+
+    it('rejects spaces inside type/subtype', async () => {
+      await expectInvalid('application /pdf');
+      await expectInvalid('application/ pdf');
+    });
+
+    it('rejects multiple slashes', async () => {
+      await expectInvalid('application/foo/bar');
+    });
+
+    it('rejects non-string values', async () => {
+      await expectInvalid(123);
+      await expectInvalid(null);
+      await expectInvalid(undefined);
+    });
+  });
+});

apps/api/src/utils/mime-type.validator.ts

@@ -0,0 +1,32 @@
+import { applyDecorators } from '@nestjs/common';
+import { Transform } from 'class-transformer';
+import { IsNotEmpty, IsString, Matches } from 'class-validator';
+
+// RFC 6838 restricted-name-chars set (alpha, digit, !, #, $, &, -, ^, _, ., +)
+// First char must be alpha/digit.
+const MIME_TYPE_REGEX =
+  /^[a-z0-9][a-z0-9!#$&^_.+-]*\/[a-z0-9][a-z0-9!#$&^_.+-]*$/i;
+
+/**
+ * Normalize a Content-Type / MIME value to its bare `type/subtype` form:
+ * strips optional `;parameters` (RFC 7231) and surrounding whitespace,
+ * and lowercases the result.
+ */
+export const normalizeMimeType = (value: unknown): unknown => {
+  if (typeof value !== 'string') return value;
+  const bare = value.split(';')[0]?.trim().toLowerCase() ?? '';
+  return bare;
+};
+
+/**
+ * Decorator for DTO fields that accept a file MIME type.
+ * Normalizes the value (strip parameters, trim, lowercase) before validating
+ * it against the RFC 6838 restricted-name-chars grammar.
+ */
+export const IsMimeTypeField = (): PropertyDecorator =>
+  applyDecorators(
+    IsString(),
+    IsNotEmpty(),
+    Transform(({ value }) => normalizeMimeType(value)),
+    Matches(MIME_TYPE_REGEX, { message: 'Invalid MIME type format' }),
+  );