Critical Path Traversal Vulnerability Exposed in Document Generation System
A critical path traversal vulnerability has been identified in a document generation and download system, allowing attackers to read and write files outside the designated secure directory. The flaw, discovered during a code review, resides in the handling of user-supplied input for file format and file paths, enabling arbitrary file operations on the server.
The vulnerability is present in the `server/src/routes/documents.ts` file. In the document generation endpoint, the `format` field from the request body is used unsanitized to construct a filename. An attacker can inject directory traversal sequences (e.g., `../`) into this field, causing the system to write files to arbitrary locations, such as `/tmp/evil`. Similarly, the download endpoint uses a `filePath` value from the database without validation before joining it with the base directory, potentially allowing an attacker to read any file the server process can access if the stored path is tainted.
This security failure maps directly to OWASP 2025 categories A05 (Injection) and A08 (Data Integrity). The proposed fix involves implementing strict input validation, including an allowlist for the `format` field (e.g., only `['pdf', 'docx']`) and, crucially, asserting that the final resolved file path remains strictly within the intended `GENERATED_DIR` boundary after the `path.join` operation. This type of vulnerability is a classic yet dangerous oversight that can lead to full server compromise.
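The two checks the fix calls for, an allowlist on `format` and a containment test on the resolved path, written out as an added illustration (not the project's own `documents.ts`); the location of `GENERATED_DIR` and the `docId` parameter are assumptions made for the example:

```typescript
import * as path from "node:path";

// Assumed base directory; the real GENERATED_DIR comes from the server's config.
const GENERATED_DIR = path.resolve("/srv/app/generated");

// Allowlist for the request body's `format` field (the fix the text proposes).
const ALLOWED_FORMATS = ["pdf", "docx"] as const;
type DocFormat = (typeof ALLOWED_FORMATS)[number];

function isAllowedFormat(format: unknown): format is DocFormat {
  return typeof format === "string" &&
    (ALLOWED_FORMATS as readonly string[]).includes(format);
}

// Join an untrusted path fragment onto baseDir and refuse anything that
// resolves to the base directory itself or outside it. Returns the absolute
// path on success, null on rejection (caller answers 400/404, never leaks why).
function resolveInside(baseDir: string, untrusted: string): string | null {
  if (untrusted.includes("\0")) return null;           // NUL truncates in fs calls
  const base = path.resolve(baseDir);
  const candidate = path.resolve(base, untrusted);     // absolute input replaces base
  const rel = path.relative(base, candidate);
  if (rel === "" || path.isAbsolute(rel)) return null; // base itself / other drive
  if (rel === ".." || rel.startsWith(`..${path.sep}`)) return null; // escaped base
  return candidate;
}

// Generation endpoint: the filename is built from `format` only after the
// allowlist passes. `docId` (hypothetical) is pinned to a safe character set.
function buildOutputPath(docId: string, format: unknown): string | null {
  if (!isAllowedFormat(format)) return null;
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(docId)) return null;
  return resolveInside(GENERATED_DIR, `${docId}.${format}`);
}

// Download endpoint: the database's `filePath` is treated as untrusted and
// re-checked against GENERATED_DIR instead of being joined blindly.
function buildDownloadPath(storedFilePath: string): string | null {
  return resolveInside(GENERATED_DIR, storedFilePath);
}
```

The containment test operates on the lexical path only; where symlinks can exist under the directory, compare `fs.realpathSync` of the candidate against the base as well.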