fix: execute sandboxed file ops inside containers (#4026)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 795ec6aa2f
Co-authored-by: davidbors-snyk <240482518+davidbors-snyk@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete

src/web/media.test.ts

@@ -29,6 +29,22 @@ function buildDeterministicBytes(length: number): Buffer {
   return buffer;
 }
 
+async function createLargeTestJpeg(): Promise<{ buffer: Buffer; file: string }> {
+  const buffer = await sharp({
+    create: {
+      width: 1600,
+      height: 1600,
+      channels: 3,
+      background: "#ff0000",
+    },
+  })
+    .jpeg({ quality: 95 })
+    .toBuffer();
+
+  const file = await writeTempFile(buffer, ".jpg");
+  return { buffer, file };
+}
+
 afterEach(async () => {
   await Promise.all(tmpFiles.map((file) => fs.rm(file, { force: true })));
   tmpFiles.length = 0;
@@ -70,6 +86,25 @@ describe("web media loading", () => {
     expect(result.buffer.length).toBeLessThan(buffer.length);
   });
 
+  it("optimizes images when options object omits optimizeImages", async () => {
+    const { buffer, file } = await createLargeTestJpeg();
+    const cap = Math.max(1, Math.floor(buffer.length * 0.8));
+
+    const result = await loadWebMedia(file, { maxBytes: cap });
+
+    expect(result.buffer.length).toBeLessThanOrEqual(cap);
+    expect(result.buffer.length).toBeLessThan(buffer.length);
+  });
+
+  it("allows callers to disable optimization via options object", async () => {
+    const { buffer, file } = await createLargeTestJpeg();
+    const cap = Math.max(1, Math.floor(buffer.length * 0.8));
+
+    await expect(loadWebMedia(file, { maxBytes: cap, optimizeImages: false })).rejects.toThrow(
+      /Media exceeds/i,
+    );
+  });
+
   it("sniffs mime before extension when loading local files", async () => {
     const pngBuffer = await sharp({
       create: { width: 2, height: 2, channels: 3, background: "#00ff00" },