fix(datatrak): RN-1715: enforce allowlist of supported file types for Photo questions

[jaskfla]

RN-1715

• No longer possible to select unsupported file types in the system-presented file picker.
• Updates backend handling to be more robust.

Stack

This is PR 1 of 2 in a stack:

1. This PR
2. feat(serverUtils): RN-1715: strip location data from photo uploads, enforce max. size #6514

---

Note

Restricts uploads to specific web-safe image types end-to-end, adds strict base64/content-type validation with 415 errors, and updates the file input to only allow those types.

• Backend (server-utils):
  • S3 uploads: strict Base64 data URI parsing; derive contentType precisely; improved error on invalid data URIs.
  • Enforce allowlist of image types (avif, gif, jpeg/jpg, png, svg+xml, webp); throw UnsupportedMediaTypeError (415) with human-readable list.
  • Simplify path/overwrite handling when naming images.
• Frontend (ui-components):
  • File input now accepts only allowed image types via accept.
  • Minor UX/accessibility tweaks (clear button aria-label, concise size error messages, safer refs/file extraction).
• Utils:
  • Add UnsupportedMediaTypeError (415).

^{Written by Cursor Bugbot for commit 1ac1ade. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Summary of Changes

Hello @jaskfla, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the robustness and user experience of image uploads by implementing a comprehensive allowlist for supported image file types. It prevents users from selecting unsupported files at the frontend and ensures that the backend strictly validates and rejects any unsupported media types, improving data integrity and system stability.

Highlights

• Frontend File Type Enforcement: The image upload component now explicitly restricts the file types that can be selected in the browser's file picker to a predefined allowlist of web-safe image formats, improving user experience and preventing invalid uploads.
• Backend Robustness for Image Uploads: The S3 client's image upload logic has been significantly refactored to strictly validate and enforce supported image media types, throwing a specific UnsupportedMediaTypeError for disallowed formats, thus enhancing data integrity.
• New Error Type for Unsupported Media: A dedicated UnsupportedMediaTypeError (HTTP 415) has been introduced to handle cases where an unsupported media type is encountered during processing, providing clearer error handling.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a strict allowlist for image uploads, enhancing security and robustness. The changes are well-implemented across both backend and frontend. On the backend, S3Client.ts is updated to validate image MIME types against a defined list, throwing a new UnsupportedMediaTypeError for invalid types. On the frontend, the ImageUploadField.tsx component now uses the accept attribute to guide users to select supported file types. My review includes a few suggestions to improve maintainability, type safety, and API consistency.

[jaskfla]

The current usage of this actually gets swallowed and rethrown as a 500 Internal Server Error. Not fixing that for now, but I’d like this error to be ready anyway

[rohan-bes]

Yeah I like this call, good to have it in place 👍

[jaskfla]

bugbot run

[rohan-bes]

Looks good! Thanks for cleaning up the code while you're at it 🙏

I was looking around for some unit tests around this but couldn't find any. Any chance you'd be happy to put something basic in place around the S3Client? Seems like we've got a bit of business logic growing in here.

[rohan-bes]

Oooh nice type literal typeguards!!

[rohan-bes]

Yeah I like this call, good to have it in place 👍