From c57911126bba75339def6f8d7d40fe70775efc9e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 21:05:34 +0000
Subject: [PATCH 1/2] refactor: simplify validateContentType by stripping
 media-type params before comparison

Replace 14 equality + StartsWith checks with a single IndexOf(';') split
followed by 7 bare-type equality checks.  The behaviour is identical because
'application/json;charset=utf-8'.StartsWith 'application/json;' is equivalent
to splitting at ';' and comparing the base type 'application/json'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/SwaggerProvider.DesignTime/Utils.fs | 34 ++++++++++++-------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/src/SwaggerProvider.DesignTime/Utils.fs b/src/SwaggerProvider.DesignTime/Utils.fs
index 1e871021..ac5f7d6b 100644
--- a/src/SwaggerProvider.DesignTime/Utils.fs
+++ b/src/SwaggerProvider.DesignTime/Utils.fs
@@ -139,28 +139,26 @@ module SchemaReader =
         else
             let mediaType = contentType.MediaType.ToLowerInvariant()
 
+            // Strip any parameters (e.g. "; charset=utf-8") to get the bare media type for comparison.
+            let baseMediaType =
+                let idx = mediaType.IndexOf(';')
+
+                if idx >= 0 then
+                    mediaType.Substring(0, idx).TrimEnd()
+                else
+                    mediaType
+
             // Allow only Content-Types that are valid for OpenAPI/Swagger schema files
             // This prevents SSRF attacks where an attacker tries to make the provider
             // fetch and process non-schema files (HTML, images, binaries, etc.)
             let isValidSchemaContentType =
-                // JSON formats
-                mediaType = "application/json"
-                || mediaType.StartsWith "application/json;"
-                // YAML formats
-                || mediaType = "application/yaml"
-                || mediaType = "application/x-yaml"
-                || mediaType = "text/yaml"
-                || mediaType = "text/x-yaml"
-                || mediaType.StartsWith "application/yaml;"
-                || mediaType.StartsWith "application/x-yaml;"
-                || mediaType.StartsWith "text/yaml;"
-                || mediaType.StartsWith "text/x-yaml;"
-                // Plain text (sometimes used for YAML)
-                || mediaType = "text/plain"
-                || mediaType.StartsWith "text/plain;"
-                // Generic binary (fallback for misconfigured servers)
-                || mediaType = "application/octet-stream"
-                || mediaType.StartsWith "application/octet-stream;"
+                baseMediaType = "application/json"
+                || baseMediaType = "application/yaml"
+                || baseMediaType = "application/x-yaml"
+                || baseMediaType = "text/yaml"
+                || baseMediaType = "text/x-yaml"
+                || baseMediaType = "text/plain"
+                || baseMediaType = "application/octet-stream"
 
             if not isValidSchemaContentType then
                 failwithf

From c14543d87a69fc240f0a97c42aaf3bc83967b8fb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 21:05:37 +0000
Subject: [PATCH 2/2] ci: trigger checks