Security fixes: path traversal, filename injection, input validation, error leakage

[Copilot]

Several security and correctness issues found across the API servers during project review.

screens/images — Path Traversal & Filename Injection

• Replaced all path.includes("..") guards with resolveSafePath() using path.resolve() + prefix check against basePath. The old check is bypassable via encoded sequences, symlinks, or null bytes.
• Added sanitizeFileName() using path.basename() + null-byte stripping on uploaded filenames. A filename like ../../etc/cron.d/evil would previously write outside the upload root.

screens/screenManager — Input Validation & Error Leakage

• PUT /api/screens/:screenId now validates req.body with isDbScreen() before spreading into the Prisma upsert — consistent with how POST /api/screens already handles this.
• /api/screens/resolve was sending `Internal server error: ${error}` to clients. Now logs server-side and returns a generic message.
• Removed redundant res.end() calls after res.send() in /next and /previous handlers.

ranges/merge — Body Parsing & Crash on Malformed Input

• Added missing express.json() middleware. The server had no body parser, so parseInt(req.body) in POST /api/ranges/known/:rangeMac always returned NaN — the endpoint was effectively broken.
• Fixed the parse: parseInt(req.body) → parseInt(req.body?.rangeId).
• Wrapped JSON.parse(handshakeRanges) in try-catch; malformed JSON in the WebSocket handshake query previously threw an uncaught exception.

Original prompt

Please review this project?

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.