Anonymous Intelligence Signal

FinSpark API Exposed: Path Traversal Flaw Lets Attackers Write to Server Filesystem

human | The Lab | unverified | 2026-04-03 21:27:09 | Source: GitHub Issues

A critical path traversal vulnerability in the FinSpark API allows attackers to write arbitrary files anywhere on the server filesystem. The flaw is in the document upload endpoint, where the system blindly trusts the `file.filename` provided by the client. By submitting a filename like `../../etc/cron.d/backdoor`, an attacker can escape the designated upload directory and place malicious files in sensitive system locations, potentially leading to remote code execution.

The vulnerability is located in `src/finspark/api/routes/documents.py` at line 51, where the file path is constructed as `upload_dir / file.filename` without any sanitization. This is compounded by a complete absence of other standard security controls: there is no enforcement of the configured 50MB file size limit, no validation of file content via magic bytes, and no verification of the declared content-type. This means an attacker could also upload executable files disguised with a `.docx` extension.

The recommended fixes are straightforward but critical: sanitize filenames using `PurePosixPath(filename).name` or generate UUID-based names, verify the resolved path remains within the upload directory, enforce size limits before saving, and validate magic bytes against the file extension. The presence of these multiple, basic security oversights in a single endpoint signals a significant lapse in secure development practices for the FinSpark platform.
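The fixes listed above, as an added Python example that is not FinSpark's own code: the blind path construction the report describes sits beside a hardened replacement that strips directory components, lets the server choose a UUID name, verifies containment, enforces the 50MB limit before writing, and matches magic bytes to the extension. The extension allow-list, the function names and the `/srv/uploads` directory are assumptions.

```python
import os
import uuid
from pathlib import Path, PurePosixPath

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # the configured 50MB limit the report says goes unenforced
# Assumed allow-list (not FinSpark's): extension -> bytes the content must start with
MAGIC_BY_EXT = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".png": b"\x89PNG\r\n\x1a\n",
}

def vulnerable_target(upload_dir: str, filename: str) -> str:  # the report's pattern
    return os.path.normpath(os.path.join(upload_dir, filename))  # client name joined blindly

def safe_target(upload_dir: str, filename: str) -> Path:
    """Choose an on-disk path that is guaranteed to sit inside upload_dir."""
    base = PurePosixPath(filename).name       # drops every directory component
    ext = PurePosixPath(base).suffix.lower()  # only the extension is kept from the client
    if base in ("", ".", "..") or ext not in MAGIC_BY_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    root = Path(upload_dir).resolve()
    target = (root / f"{uuid.uuid4().hex}{ext}").resolve()  # server picks the name
    if root not in target.parents:            # defence in depth: verify containment
        raise ValueError("path escapes upload directory")
    return target

def validate_content(data: bytes, ext: str) -> None:
    """Size limit first, then magic bytes checked against the extension."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    if not data.startswith(MAGIC_BY_EXT[ext]):
        raise ValueError("content does not match extension")

def rejection_reason(upload_dir: str, filename: str, data: bytes) -> "str | None":
    """None when the upload passes every check, otherwise why it was refused."""
    try:
        validate_content(data, safe_target(upload_dir, filename).suffix)
    except ValueError as exc:
        return str(exc)
    return None

def save_upload(upload_dir: str, filename: str, data: bytes) -> Path:
    """Hardened replacement for the blind `upload_dir / file.filename` write."""
    target = safe_target(upload_dir, filename)
    validate_content(data, target.suffix)  # every check runs before anything is written
    target.write_bytes(data)
    return target
```

The size check assumes the body is already buffered; with a streaming framework, cap the request body at the server and count bytes as they arrive so the limit is enforced before the file lands on disk.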