Fix security vulnerabilities, register missing blueprint, and clean up codebase issues

[Copilot]

Repository audit identified security vulnerabilities in archive extraction, missing blueprint registration, and various code quality issues.

Security Fixes

• Path traversal in compression service: Archive extraction (zip, tar, 7z) now validates all member paths before extraction
  • Rejects absolute paths and .. references
  • Uses tarfile.extractall(filter='data') on Python 3.11.4+
• Input validation in rename_file: Now uses Validators.is_valid_filename() and sanitize_filename()
• SECRET_KEY: Reads from env var; emits RuntimeWarning when falling back to random key

# Path traversal protection example
@staticmethod
def _safe_extract_member(archive_path, member_name, extract_to):
    if Path(member_name).is_absolute():
        raise ValueError(f"Absolute path in archive is not allowed: {member_name}")
    if '..' in Path(member_name).parts:
        raise ValueError(f"Path traversal attempt detected: {member_name}")

Bug Fixes

• Register missing compression_bp blueprint in app.py
• Remove unused datetime import
• Fix stray </form> tags in dashboard.html
• Fix file_management.js location (was nested in js/app.js/ directory)

Cleanup

• Remove empty auth.js file
• Remove duplicate READMED.md (typo)
• Replace hardcoded paths in start.sh scripts with SCRIPT_DIR
• Add missing aria-pressed attribute on grid-view button

Original prompt

find minor/mid/hard issues in this repo find issues create plan then exute plan in perfect order then recheck the mistakes if find any to the steps again like : find minor/mid/hard issues -> find issues -> create plan -> exute plan in perfect order

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

This PR addresses security vulnerabilities in archive extraction, adds missing blueprint registration, and cleans up various code quality issues. The changes focus on preventing path traversal attacks, improving input validation, and fixing HTML/JavaScript issues.

Changes:

• Added path traversal protection to compression service for zip, tar, and 7z extraction
• Implemented input validation and sanitization for file renaming operations
• Registered missing compression_bp blueprint in app.py
• Fixed shell scripts to use dynamic SCRIPT_DIR instead of hardcoded paths
• Removed duplicate READMED.md file and empty auth.js file
• Added missing aria attributes and removed stray form tags in dashboard.html

Reviewed changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
FileFlow/backend/services/compression_service.py	Added security validation methods to prevent path traversal in archive extraction
FileFlow/backend/api/files.py	Added filename validation and sanitization to rename_file endpoint
FileFlow/backend/config.py	Updated SECRET_KEY to read from environment variable with warning for fallback
FileFlow/backend/app.py	Registered compression_bp blueprint and removed unused datetime import
FileFlow/frontend/js/file_management.js	Moved file from incorrect nested directory to proper location
FileFlow/frontend/templates/dashboard.html	Removed stray closing form tags and added aria attributes for accessibility
FileFlow/start.sh	Updated to use dynamic SCRIPT_DIR instead of hardcoded workspace path
start.sh	Updated to use dynamic SCRIPT_DIR for better portability
READMED.md	Removed duplicate file with typo in name
FileFlow/frontend/js/app.js/auth.js	Removed empty file

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The calls to _safe_extract_member pass archive_path as the first parameter, but this parameter is unused in the function. All three extraction methods (extract_zip, extract_tar, extract_7z) should be updated to remove this unnecessary parameter.

[Copilot]

The comment states "Normalize target without fully resolving to prevent symlink attacks" but the code then calls .resolve() on the full path on line 18, which does resolve symlinks. This creates a contradiction between the comment and the implementation. Either the comment should be updated to reflect that symlinks are resolved, or the implementation should be changed to avoid resolving symlinks (though resolving is actually the safer approach).

Suggested change

	Note: This validates the path string without resolving symlinks to prevent
	symlink-based attacks. The check uses string comparison after normalization.
	"""
	try:
	base = Path(base_path).resolve()
	# Normalize target without fully resolving to prevent symlink attacks
	# Join base with target and check if it stays within base
	Note: This resolves both the base path and the combined target path to
	absolute, symlink-resolved paths and then verifies the target remains
	within the base directory.
	"""
	try:
	base = Path(base_path).resolve()
	# Resolve the combined path and ensure it stays within the resolved base

[Copilot]

The SECRET_KEY is regenerated on every restart when not set via environment variable, which will invalidate all existing user sessions. While the warning message mentions this, the implementation stores the random key in a class variable that persists for the app lifetime but is lost on restart. Consider using a persistent fallback (like storing in a file) for development environments, or make the warning more prominent to ensure production deployments always set the environment variable.

[Copilot]

The exception handler on line 20 catches ValueError and RuntimeError but not AttributeError, which will be raised on Python versions before 3.9 when calling is_relative_to(). This method was only added in Python 3.9. The exception tuple should include AttributeError to handle older Python versions gracefully: except (ValueError, RuntimeError, AttributeError):

Suggested change

	except (ValueError, RuntimeError):
	except (ValueError, RuntimeError, AttributeError):

[Copilot]

The first parameter archive_path is not used in the function body. This parameter should be removed from the function signature as it serves no purpose in the validation logic.

[Copilot]

The is_relative_to() method was added in Python 3.9. For compatibility with earlier Python versions, this will raise an AttributeError. Consider adding a compatibility check or documenting the minimum Python version requirement in requirements.txt or README.

Suggested change

	return full_path.is_relative_to(base)
	try:
	# If full_path is not within base, this will raise ValueError
	full_path.relative_to(base)
	return True
	except ValueError:
	return False