[CRITICAL] Security Vulnerability - File Upload Without Validation in Student Registration System

A critical security vulnerability has been identified in a student registration system's document upload feature. The system lacks fundamental security validations, including file type whitelisting, file size limits, and secure file naming conventions. This exposes the system to significant risks, such as malware uploads and path traversal attacks.

The vulnerability is present in the Student Registration Controller, Upload Middleware, and Document Storage components. Evidence from the codebase shows that files are saved with minimal validation, directly using the uploaded file's path without checking its type or size.

To reproduce the issue, one can navigate to the student registration page and attempt to upload files with malicious extensions (e.g., .exe, .php), files exceeding a reasonable size limit (e.g., >10MB), or files with path traversal sequences in their names (e.g., ../../../etc/passwd). The expected behavior would be for the upload to be rejected with a validation error, but the current system may accept and store these files on the server.

The security impact is severe, enabling malicious file uploads (including executables and scripts), path traversal attacks, potential server compromise via uploaded scripts, and storage exhaustion through large file uploads.

A recommended fix involves implementing a secure upload middleware using a library like Multer. The fix should include generating UUID-based filenames to prevent path traversal and implementing a file filter that whitelists only allowed MIME types (e.g., application/pdf, image/jpeg).