Attachments
Security & Limits
Network and filesystem safeguards, MIME allow-lists, and configurable limits
Network Safety (SSRF)
- 1Absolute HTTP(S) only
Rejects non-HTTP schemes and relative URLs. Host must resolve and cannot be private/loopback/link‑local when strict.
- 2Strict mode
ATTACHMENTS_SSRF_STRICT=1or config turns on strict blocking even during tests. - 3Redirect cap
Follows up to
max_redirects.
Filesystem Safety
- 1CWD confinement
Paths are resolved against the task CWD; attempts to escape (including via symlinks) are denied.
- 2Regular files only
Non‑regular files are rejected.
MIME Policies
Per‑type allow‑lists gate what content is accepted after detection from initial bytes. Empty lists fall back to type heuristics.
attachments:
allowed_mime_types:
image: ["image/*"]
audio: ["audio/*"]
video: ["video/*"]
pdf: ["application/pdf"]Global Limits & Settings
| Setting | Description | Env Var | Default |
|---|---|---|---|
attachments.max_download_size_bytes | Cap per download and binary part size | ATTACHMENTS_MAX_DOWNLOAD_SIZE_BYTES | 10_000_000 |
attachments.download_timeout | Timeout for a single remote fetch | ATTACHMENTS_DOWNLOAD_TIMEOUT | 30s |
attachments.max_redirects | Max HTTP redirects to follow | ATTACHMENTS_MAX_REDIRECTS | 3 |
attachments.mime_head_max_bytes | Bytes used for MIME detection | ATTACHMENTS_MIME_HEAD_MAX_BYTES | 512 |
attachments.text_part_max_bytes | Text bytes loaded from files | ATTACHMENTS_TEXT_PART_MAX_BYTES | 5_242_880 |
attachments.pdf_extract_max_chars | Max characters extracted from PDFs | ATTACHMENTS_PDF_EXTRACT_MAX_CHARS | 1_000_000 |
attachments.http_user_agent | User‑Agent header for downloads | ATTACHMENTS_HTTP_USER_AGENT | Compozy/1.0 |
attachments.allowed_mime_types.* | Per‑type allow‑lists | ATTACHMENTS_ALLOWED_MIME_TYPES_* | See above |
attachments.ssrf_strict | Block local/loopback even in tests | ATTACHMENTS_SSRF_STRICT | false |