fix: remote arbitrary file overwrite on file upload endpoint

Author: stonith404

backend/package.json

@@ -68,6 +68,7 @@
     "@types/qrcode-svg": "^1.1.5",
     "@types/sharp": "^0.32.0",
     "@types/supertest": "^6.0.2",
+    "@types/uuid": "^10.0.0",
     "@typescript-eslint/eslint-plugin": "^8.6.0",
     "@typescript-eslint/parser": "^8.6.0",
     "cross-env": "^7.0.3",

backend/src/file/file.service.ts

@@ -12,6 +12,7 @@ import * as fs from "fs";
 import * as mime from "mime-types";
 import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { validate as isValidUUID } from "uuid";
 import { SHARE_DIRECTORY } from "../constants";
 
 @Injectable()
@@ -28,7 +29,11 @@ export class FileService {
     file: { id?: string; name: string },
     shareId: string,
   ) {
-    if (!file.id) file.id = crypto.randomUUID();
+    if (!file.id) {
+      file.id = crypto.randomUUID();
+    } else if (!isValidUUID(file.id)) {
+      throw new BadRequestException("Invalid file ID format");
+    }
 
     const share = await this.prisma.share.findUnique({
       where: { id: shareId },