3.1.2.10 Add Content Type checking

omod/pom.xml

@@ -110,6 +110,18 @@
 	    	<version>${javaxVersion}</version>
 	    	<scope>provided</scope>
 	    </dependency>
+
+	    <dependency>
+		    <groupId>org.apache.tika</groupId>
+		    <artifactId>tika-core</artifactId>
+		    <version>2.9.2</version>
+		</dependency>
+
+		<dependency>
+		    <groupId>commons-io</groupId>
+		    <artifactId>commons-io</artifactId>
+		    <version>2.17.0</version>
+		</dependency>
 
 		<!-- End OpenMRS modules -->
 

omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java

@@ -15,8 +15,13 @@
 import io.swagger.models.properties.DateProperty;
 import io.swagger.models.properties.StringProperty;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.tika.Tika;
+import org.apache.tika.mime.MimeType;
+import org.apache.tika.mime.MimeTypeException;
+import org.apache.tika.mime.MimeTypes;
 import org.openmrs.Encounter;
 import org.openmrs.Obs;
 import org.openmrs.Patient;
@@ -151,6 +156,21 @@ public Object upload(MultipartFile file, RequestContext context) throws Response
 			}
 		}
 
+		// Verify Content Type
+		if (allowedExtensions != null && allowedExtensions.length > 0) {
+			Tika tika = new Tika();
+			String fileType = tika.detect(file.getInputStream());
+			try {
+				MimeType mimeType = MimeTypes.getDefaultMimeTypes().forName(fileType);
+				if (!CollectionUtils.containsAny(mimeType.getExtensions(), Arrays.asList(allowedExtensions))) {
+					throw new IllegalRequestException("The file content type " + fileType + " is not allowed");
+				}
+			}
+			catch (MimeTypeException ex) {
+				throw new APIException("Failed to detect the file content type", ex);
+			}
+		}
+
 		if (visit != null && encounter == null) {
 			encounter = ctx.getAttachmentEncounter(patient, visit, provider);
 		}