Merge commit from fork

fix: path traversal vuln

Author: abiteman

server.js

@@ -234,6 +234,8 @@ const uploads = new Map();
 // Routes
 app.post('/upload/init', async (req, res) => {
     const { filename, fileSize } = req.body;
+
+    const safeFilename = path.normalize(filename).replace(/^(\.\.(\/|\\|$))+/, '')
 
     // Check file size limit
     if (fileSize > maxFileSize) {
@@ -246,20 +248,20 @@ app.post('/upload/init', async (req, res) => {
     }
 
     const uploadId = Date.now().toString();
-    const filePath = path.join(uploadDir, filename);
+    const filePath = path.join(uploadDir, safeFilename);
 
     try {
         await ensureDirectoryExists(filePath);
 
         uploads.set(uploadId, {
-            filename,
+            safeFilename,
             filePath,
             fileSize,
             bytesReceived: 0,
             writeStream: fs.createWriteStream(filePath)
         });
 
-        log.info(`Initialized upload for ${filename} (${fileSize} bytes)`);
+        log.info(`Initialized upload for ${safeFilename} (${fileSize} bytes)`);
         res.json({ uploadId });
     } catch (err) {
         log.error(`Failed to initialize upload: ${err.message}`);