update

backend/src/controllers/nextcloud.controller.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import path from 'path';
 import { z } from 'zod';
 import nextcloudService from '../services/nextcloud.service';
 import userService from '../services/user.service';
@@ -216,13 +217,20 @@ class NextcloudController {
         res.status(400).json({ success: false, message: 'Dateipfad fehlt' });
         return;
       }
+      // Path traversal protection
+      const normalized = path.normalize(filePath);
+      if (normalized.includes('..') || !normalized.startsWith('/')) {
+        res.status(400).json({ success: false, message: 'Ungültiger Dateipfad' });
+        return;
+      }
       const response = await nextcloudService.downloadFile(
         filePath,
         credentials.loginName,
         credentials.appPassword,
       );
       const contentType = response.headers['content-type'] ?? 'application/octet-stream';
-      const contentDisposition = response.headers['content-disposition'] ?? `attachment; filename="${req.params.fileId}"`;
+      const contentDisposition = response.headers['content-disposition']
+        ?? `attachment; filename="${String(req.params.fileId).replace(/["\r\n\\]/g, '_')}"`;
       res.setHeader('Content-Type', contentType);
       res.setHeader('Content-Disposition', contentDisposition);
       if (response.headers['content-length']) {