fix: add file upload validation to prevent arbitrary file upload vulnerability #204

Open
lexburner wants to merge 1 commit into higress-group:main from lexburner:fix/attachment-upload-vulnerability
@lexburner
Contributor

📝 Description

  • Add FileUploadValidator utility class with extension whitelist (27 allowed formats: images, documents, audio, video, zip), MIME type consistency validation, and filename sanitization
  • Integrate upload validation into ChatAttachmentServiceImpl.uploadAttachment() to reject disallowed file types before storage
  • Sanitize stored filenames to remove path traversal sequences, null bytes, and control characters

This fixes the arbitrary file upload vulnerability on POST /attachments where attackers could upload malicious scripts (e.g., .jsp, .asp, .php, .aspx) without any server-side file type restriction.

🔗 Related Issues

N/A

✅ Type of Change

  • Bug fix (non-breaking change)
  • New feature (non-breaking change)
  • Breaking change
  • Documentation update
  • Code refactoring
  • Performance improvement

🧪 Testing

  • Unit tests pass locally (mvn test)
  • Build passes (mvn clean package -DskipTests)
  • Code formatted (mvn spotless:apply)
  • Uploading files with disallowed extensions (e.g., .jsp, .php, .exe) returns INVALID_REQUEST error
  • Uploading files with allowed extensions (e.g., .jpg, .pdf, .csv) works as before
  • Uploading files with mismatched MIME type and extension returns INVALID_REQUEST error
  • Filenames with path traversal (e.g., ../../etc/passwd) are sanitized before storage

📋 Checklist

  • Code has been formatted (mvn spotless:apply for backend)
  • Code is self-reviewed
  • No breaking changes
  • All CI checks pass

…erability

Add FileUploadValidator with extension whitelist, MIME type consistency check,
and filename sanitization to the attachment upload endpoint.

🤖 Generated with [Qoder][https://qoder.com]
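
A minimal Java sketch of the three checks the description lists (extension allowlist, MIME type consistency, filename sanitization), added here as an illustration. It is not the PR's FileUploadValidator: the class name, method names, the short allowlist and the sample inputs are all assumptions.

```java
import java.util.*;
// Illustrative sketch only; names and map contents are assumptions, not the PR's code.
public class UploadCheckSketch {
    // Constructed subset of an allowlist: extension -> MIME types accepted for it.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "jpg", Set.of("image/jpeg"),
            "png", Set.of("image/png"),
            "pdf", Set.of("application/pdf"),
            "csv", Set.of("text/csv", "application/vnd.ms-excel"));

    // Drop null bytes and control characters, then keep only the final path segment.
    static String sanitize(String name) {
        String cleaned = name.replaceAll("\\p{Cntrl}", "");
        cleaned = cleaned.substring(Math.max(cleaned.lastIndexOf('/'), cleaned.lastIndexOf('\\')) + 1);
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) {
            throw new IllegalArgumentException("empty or relative filename");
        }
        return cleaned;
    }

    // Returns the name to store, or throws if the extension or declared MIME type is not acceptable.
    static String validate(String originalName, String declaredMime) {
        String safe = sanitize(originalName);
        int dot = safe.lastIndexOf('.');
        String ext = dot < 0 ? "" : safe.substring(dot + 1).toLowerCase(Locale.ROOT);
        Set<String> mimes = ALLOWED.get(ext);
        if (mimes == null) {
            throw new IllegalArgumentException("extension not allowed: '" + ext + "'");
        }
        String mime = declaredMime == null ? "" : declaredMime.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        if (!mimes.contains(mime)) {
            throw new IllegalArgumentException("MIME type '" + mime + "' does not match ." + ext);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed inputs: {filename, declared Content-Type}.
        String[][] cases = {{"photo.JPG", "image/jpeg"}, {"page.jsp", "text/plain"},
                {"photo.jpg", "text/html"}, {"../../etc/passwd", "text/plain"},
                {"report.pdf\0.jsp", "application/pdf"}, {"..\\..\\notes.csv", "text/csv; charset=utf-8"}};
        for (String[] c : cases) {
            try {
                System.out.println("stored as " + validate(c[0], c[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The sketch sanitizes before it reads the extension, so the name that is checked is the name that gets stored. The declared Content-Type is supplied by the client, so a consistency check like this one catches mismatches but does not prove what the file actually contains.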