fix(security): centralize data path validation in getServerDataPath; enforce segment whitelist and resolved-path check

server/utils/paths.js

@@ -28,5 +28,21 @@ export function getProjectPath(...segments) {
 }
 
 export function getServerDataPath(...segments) {
-  return getProjectPath('server', 'data', ...segments)
+  // Validate segments: only allow simple filenames/dirnames (no path separators)
+  const SEGMENT_RE = /^[a-zA-Z0-9._-]+$/
+  for (const s of segments) {
+    if (!SEGMENT_RE.test(String(s || ''))) {
+      throw new Error(`Invalid data path segment: ${String(s)}`)
+    }
+  }
+
+  const dataDir = getProjectPath('server', 'data')
+  const candidate = path.join(dataDir, ...segments)
+  const resolved = path.resolve(candidate)
+  const resolvedDataDir = path.resolve(dataDir)
+  if (!resolved.startsWith(resolvedDataDir + path.sep) && resolved !== resolvedDataDir) {
+    throw new Error('Resolved data path is outside server/data')
+  }
+
+  return resolved
 }