Harden security

core/tests/test_attachment_security.py

@@ -0,0 +1,36 @@
+from django.test import SimpleTestCase, override_settings
+
+from core.security.attachments import (
+    validate_attachment_metadata,
+    validate_attachment_url,
+)
+
+
+class AttachmentSecurityTests(SimpleTestCase):
+    def test_blocks_html_payload(self):
+        with self.assertRaises(ValueError):
+            validate_attachment_metadata(
+                filename="payload.html",
+                content_type="text/html",
+                size=32,
+            )
+
+    @override_settings(ATTACHMENT_MAX_BYTES=10)
+    def test_blocks_oversized_payload(self):
+        with self.assertRaises(ValueError):
+            validate_attachment_metadata(
+                filename="dump.bin",
+                content_type="application/octet-stream",
+                size=32,
+            )
+
+    def test_blocks_private_url_by_default(self):
+        with self.assertRaises(ValueError):
+            validate_attachment_url("http://localhost/internal")
+
+    @override_settings(ATTACHMENT_ALLOW_PRIVATE_URLS=True)
+    def test_allows_private_url_when_explicitly_enabled(self):
+        self.assertEqual(
+            "http://localhost/internal",
+            validate_attachment_url("http://localhost/internal"),
+        )