Conversation

jesusmpc
Collaborator

@jesusmpc jesusmpc commented Oct 1, 2025

Potential fix for https://github.com/InditexTech/weavejs-backend/security/code-scanning/9

To fix the issue, ensure that any file path created from user input (here, roomId and imageId) is strictly contained within the intended directory, temp, under the current working directory. After constructing the file path, normalize it with path.resolve() and, optionally, fs.realpathSync() to resolve symlinks. Check that the resolved path starts with the base temp folder path. If it does not, return a 400 error and skip further processing. This must be applied before writing or deleting files (saveBase64ToFile, fs.rmSync), on every code path beginning at line 41 (where the path is first constructed).

Implementation steps:

  1. Define a const baseTempDir = path.join(process.cwd(), "temp") at the top of the controller.
  2. When creating filePath, use path.resolve(baseTempDir, fileName).
  3. After resolving, check if filePath starts with baseTempDir.
  4. If not, return a 400 error and do not proceed.
  5. Use filePath as before only after this validation.

No new dependencies are needed beyond Node’s built-in path and fs modules.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

sonarqubecloud bot commented Oct 1, 2025

@jesusmpc jesusmpc marked this pull request as ready for review October 1, 2025 15:21
@jesusmpc jesusmpc merged commit 8267fb3 into main Oct 1, 2025
10 checks passed
