fix: fixes response.attachment behaviour leads to Content-Type Sniffing

[yowainwright]

Checklist

Added security-focused tests to verify:

1. Content-Type is preserved when already set
2. Content-Type is still set when not previously defined (backwards compatibility)
3. The fix prevents XSS vulnerabilities with HTML and SVG files

credit "Luca Carettoni of Doyensec LLC" as requested in the advisory.

---

• I have ensured my pull request is not behind the main or master branch of the original repository.
• I have rebased all commits where necessary so that reviewing this pull request can be done without having to merge it first.
• I have written a commit message that passes commitlint linting.
• I have ensured that my code changes pass linting tests.
• I have ensured that my code changes pass unit tests.
• I have described my pull request and the reasons for code changes along with context if necessary.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.90%. Comparing base (1ddb048) to head (53178e6).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1904   +/-   ##
=======================================
  Coverage   99.90%   99.90%           
=======================================
  Files           9        9           
  Lines        2064     2066    +2     
=======================================
+ Hits         2062     2064    +2     
  Misses          2        2           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

This PR fixes a security vulnerability related to Content-Type sniffing in the response.attachment() method by preventing it from overriding an already-set Content-Type header.

• Modified the attachment() method to only set Content-Type when not already present
• Added comprehensive security tests to verify the fix prevents XSS vulnerabilities
• Maintains backward compatibility by still setting Content-Type when not previously defined

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
lib/response.js	Modified attachment method to check for existing Content-Type before setting it
tests/response/attachment.test.js	Added security-focused tests to verify Content-Type preservation and XSS prevention

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[yowainwright]

@fengmk2 sorry about my last pr for the same security issue.

I have 2 other bug fix prs for your review when you have time. 🙏

• feat: fixes mem leak relating to issue-1834 #1893
• chore: adds initial readablestream/response test [1882] #1884

Very small changes with mainly tests that address long standing issues Jon asked me to look at. 🙇

[yowainwright]

@fengmk2 or @3imed-jaberi Do you have a few moments to review this PR and the other linked? 🙇

[samchungy]

Hey @fengmk2, @3imed-jaberi could I trouble you to do a patch release for this one so I can silence my SNYK alarms? 🙏

[fengmk2]

@samchungy sorry for the delay https://github.com/koajs/koa/releases/tag/v3.0.2