fix(security): harden season file paths for semgrep

server/utils/spielklassen-tables-import.js

@@ -1,5 +1,4 @@
 import { promises as fs } from 'fs'
-import path from 'path'
 import { getServerDataPath, getProjectPath } from './paths.js'
 import { getSpieljahrForDate } from './spielplan-import.js'
 import { parseDelimitedLine } from './spielplan-data.js'
@@ -132,6 +131,11 @@ function extractSeasonSlugFromUrl(url) {
   return match?.[1] || null
 }
 
+function sanitizeSeasonSlug(value) {
+  const seasonSlug = String(value || '').trim()
+  return /^\d{2}--\d{2}$/.test(seasonSlug) ? seasonSlug : null
+}
+
 async function resolveMannschaftenCsvPath() {
   const candidates = [
     getServerDataPath('public-data', 'mannschaften.csv'),
@@ -226,8 +230,8 @@ export async function importLeagueTables(options = {}) {
   }
 
   const fallbackSeasonSlug = teams.length > 0 ? extractSeasonSlugFromUrl(teams[0].tableUrl) : null
-  const seasonSlug = fallbackSeasonSlug || season.seasonSlug
-  const outputFile = path.join(OUTPUT_DIR, `tables_${seasonSlug}.json`)
+  const seasonSlug = sanitizeSeasonSlug(fallbackSeasonSlug) || sanitizeSeasonSlug(season.seasonSlug) || getSpieljahrForDate(today).seasonSlug
+  const outputFile = `${OUTPUT_DIR}/tables_${seasonSlug}.json`
 
   const payload = {
     format: 'harheimertc.tables.v1',