test: add backend security regression test foundation

Job tracker.sln

@@ -1,19 +1,46 @@
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.5.2.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "JobTrackerApi", "JobTrackerApi\JobTrackerApi.csproj", "{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "JobTrackerApi.Tests", "JobTrackerApi.Tests\JobTrackerApi.Tests.csproj", "{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
 		Release|Any CPU = Release|Any CPU
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|x64.Build.0 = Debug|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Debug|x86.Build.0 = Debug|Any CPU
 		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|x64.ActiveCfg = Release|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|x64.Build.0 = Release|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|x86.ActiveCfg = Release|Any CPU
+		{C5DB7EBB-7221-0C11-4A27-A9C4AB5BE51D}.Release|x86.Build.0 = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|x64.Build.0 = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Debug|x86.Build.0 = Debug|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|x64.ActiveCfg = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|x64.Build.0 = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|x86.ActiveCfg = Release|Any CPU
+		{4AA1218D-B33E-4E8B-8C46-EB85A5FE615C}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

JobTrackerApi.Tests/AttachmentsControllerTests.cs

@@ -0,0 +1,23 @@
+using System.Reflection;
+using JobTrackerApi.Controllers;
+using Xunit;
+
+namespace JobTrackerApi.Tests;
+
+public sealed class AttachmentsControllerTests
+{
+    [Fact]
+    public void Allowed_extensions_include_common_document_and_image_formats()
+    {
+        var field = typeof(AttachmentsController).GetField("AllowedExtensions", BindingFlags.NonPublic | BindingFlags.Static);
+        Assert.NotNull(field);
+
+        var allowed = Assert.IsAssignableFrom<System.Collections.IEnumerable>(field!.GetValue(null));
+        var values = allowed.Cast<string>().ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+        Assert.Contains(".pdf", values);
+        Assert.Contains(".docx", values);
+        Assert.Contains(".png", values);
+        Assert.DoesNotContain(".exe", values);
+    }
+}

JobTrackerApi.Tests/JobTrackerApi.Tests.csproj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageReference Include="xunit" Version="2.9.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\JobTrackerApi\JobTrackerApi.csproj" />
+  </ItemGroup>
+</Project>

JobTrackerApi.Tests/OwnershipGuardTests.cs

@@ -0,0 +1,22 @@
+using System.Reflection;
+using JobTrackerApi.Controllers;
+using Xunit;
+
+namespace JobTrackerApi.Tests;
+
+public sealed class OwnershipGuardTests
+{
+    [Fact]
+    public void Attachments_controller_has_owned_attachment_lookup_helper()
+    {
+        var method = typeof(AttachmentsController).GetMethod("FindOwnedAttachmentAsync", BindingFlags.NonPublic | BindingFlags.Instance);
+        Assert.NotNull(method);
+    }
+
+    [Fact]
+    public void Correspondence_controller_has_owned_message_lookup_helper()
+    {
+        var method = typeof(CorrespondenceController).GetMethod("FindOwnedMessageAsync", BindingFlags.NonPublic | BindingFlags.Instance);
+        Assert.NotNull(method);
+    }
+}