from django.test import SimpleTestCase, override_settings
from core.security.attachments import (
validate_attachment_metadata,
validate_attachment_url,
)
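class AttachmentSecurityTests(SimpleTestCase):
    """Tests for the attachment validators imported from core.security.attachments.

    Every rejection case asserts only that ``ValueError`` is raised, so a test
    can pass for a reason other than the one its name states. Settings that
    could cause an unrelated rejection are therefore pinned explicitly.
    """

    # Pin the size limit well above the 32-byte fixture so this case cannot
    # pass merely because the ambient ATTACHMENT_MAX_BYTES is below 32.
    @override_settings(ATTACHMENT_MAX_BYTES=1024)
    def test_blocks_html_payload(self):
        # An HTML filename/content type must be refused regardless of size.
        with self.assertRaises(ValueError):
            validate_attachment_metadata(
                filename="payload.html",
                content_type="text/html",
                size=32,
            )

    @override_settings(ATTACHMENT_MAX_BYTES=10)
    def test_blocks_oversized_payload(self):
        # A 32-byte payload against a 10-byte limit must be refused.
        # NOTE(review): presumably "dump.bin" / application/octet-stream is an
        # otherwise accepted type; if the validator rejects it on type, this
        # test never reaches the size check -- confirm against the validator.
        with self.assertRaises(ValueError):
            validate_attachment_metadata(
                filename="dump.bin",
                content_type="application/octet-stream",
                size=32,
            )

    @override_settings(ATTACHMENT_ALLOW_PRIVATE_URLS=False)
    def test_blocks_private_url_by_default(self):
        # NOTE(review): the flag is set to False explicitly here, so the
        # shipped default of ATTACHMENT_ALLOW_PRIVATE_URLS is not what this
        # exercises. Only the "localhost" hostname is covered; other forms of
        # internal address are not tested in this class.
        with self.assertRaises(ValueError):
            validate_attachment_url("http://localhost/internal")

    @override_settings(ATTACHMENT_ALLOW_PRIVATE_URLS=True)
    def test_allows_private_url_when_explicitly_enabled(self):
        # With the opt-in enabled the validator returns the URL unchanged.
        internal_url = "http://localhost/internal"
        self.assertEqual(internal_url, validate_attachment_url(internal_url))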