feat: allow image + PDF document uploads through validator#199
Open
americodias wants to merge 1 commit intoRichardAtCT:mainfrom
Open
feat: allow image + PDF document uploads through validator#199americodias wants to merge 1 commit intoRichardAtCT:mainfrom
americodias wants to merge 1 commit intoRichardAtCT:mainfrom
Conversation
Upstream's SecurityValidator.ALLOWED_EXTENSIONS only permits source-code file extensions, so any photo or PDF sent as a Telegram document (rather than via the native photo handler) is rejected at validation time — before the bot can even archive or inspect it. Adds the common attachment formats: .png .jpg .jpeg .gif .webp .heic .heif .bmp .tiff .tif .pdf. Photos sent as Telegram photos still flow through the dedicated image_handler.py path, which uses native multimodal SDK content blocks; this allowlist covers the case where the user attaches an image as a generic document. Dangerous patterns (.exe / .key / .pem / etc.) remain blocked via DANGEROUS_FILE_PATTERNS — they take precedence over the allowlist.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SecurityValidator.ALLOWED_EXTENSIONScurrently permits only source-code file extensions (.py,.js,.md, etc.), so any photo or PDF sent as a Telegram document (rather than via the native photo handler) is rejected at validation time — beforeFileHandlercan inspect it. This PR adds the common attachment formats so document uploads work end-to-end.Why
Telegram delivers media in two ways:
agentic_photo→image_handler.py→ SDK content blocks (multimodal). Already works.agentic_document→validate_filename→FileHandler.handle_document_upload. Currently fails on the validator step for binary formats because.pdf,.png,.jpg, etc. aren't in the allowlist.Path 2 hits often: users sending PDFs, image attachments from email/web, screenshots saved as files instead of pasted, scanned documents. Today they all bounce with
File type not allowed: .pdf.This is also a prerequisite for any feature that expects to consume PDFs/images via the document pathway (e.g. PR #193's unified FileHandler branch).
What
Adds image + PDF formats to
ALLOWED_EXTENSIONS:Compatibility
DANGEROUS_FILE_PATTERNS(.exe,.key,.pem,.dll,.so,.dylib, etc.) remains the deny-list and is checked before the allowlist, so dangerous extensions stay blocked.max_sizeinagentic_document) still applies.Test plan
.pdfdocument — bot accepts (passes validator), routes toFileHandler.pngas a document — bot accepts.exe— bot still rejects (dangerous pattern takes precedence).key— bot still rejects.heic(iPhone photos sent as documents) — bot acceptsNotes
This is the minimal fix to unblock binary document uploads. What
FileHandleractually does with a binary file is a separate concern — that's where #193 picks up. This PR just makes the validator stop being the wall.