Security: Strengthen path traversal validation in PDF preview endpoint

[cbcoutinho]

Problem

The path traversal check in visualization.py:709 only checks for ".." in the file path:

if ".." in file_path:
    return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)

This can be bypassed with:

• URL encoding (e.g., %2e%2e)
• Double encoding
• Unicode variations

While WebDAV may normalize paths, defense-in-depth is important.

Recommendation

Use Python's pathlib to resolve and validate paths:

from pathlib import Path

# Normalize and check for traversal
try:
    # Remove leading slash for Path() to work correctly
    normalized_path = Path(file_path.lstrip('/'))
    # Check if '..' appears in any path components after normalization
    if '..' in normalized_path.parts:
        return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)
except (ValueError, OSError):
    return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)

Location

• nextcloud_mcp_server/api/visualization.py:709

Priority

Critical - Security issue, must fix before merge

Parent Issue

Part of #502