fix: tighten file permissions and phone length validation

- Attachment directories: 0750 instead of 0755
- Attachment files: 0600 instead of 0644
- Phone number max length: 15 digits (E.164 limit) to prevent
  data pollution from crafted WhatsApp DBs

Author: eddowding

internal/whatsapp/importer.go

@@ -512,7 +512,7 @@ func (imp *Importer) handleMediaFile(media waMedia, opts ImportOptions) (string,
 
 	// Create directory and stream-copy the file.
 	absStorageDir := filepath.Dir(absStoragePath)
-	if err := os.MkdirAll(absStorageDir, 0755); err != nil {
+	if err := os.MkdirAll(absStorageDir, 0750); err != nil {
 		return "", contentHash
 	}
 
@@ -521,7 +521,7 @@ func (imp *Importer) handleMediaFile(media waMedia, opts ImportOptions) (string,
 		return "", contentHash
 	}
 
-	dst, err := os.OpenFile(absStoragePath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0644)
+	dst, err := os.OpenFile(absStoragePath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0600)
 	if err != nil {
 		if os.IsExist(err) {
 			// Race: another goroutine already wrote it.

internal/whatsapp/mapping.go

@@ -143,8 +143,9 @@ func normalizePhone(user, server string) string {
 		}
 	}
 
-	// Must be at least a few digits to be a plausible phone number.
-	if len(user) < 4 {
+	// Must be at least a few digits to be a plausible phone number,
+	// and no more than 15 (E.164 max) to prevent data pollution.
+	if len(user) < 4 || len(user) > 15 {
 		return ""
 	}