From 5ad3c1058b6d4b34aacdfc06009848d612de325e Mon Sep 17 00:00:00 2001
From: Ari Yeger
Date: Fri, 18 Jul 2025 18:40:52 -0400
Subject: [PATCH] feat: Validate scan link format and update file path handling
---
 client/eslint.config.ts | 7 ++++++-
 server/app.js | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/client/eslint.config.ts b/client/eslint.config.ts
index 84b2cef..a488e89 100644
--- a/client/eslint.config.ts
+++ b/client/eslint.config.ts
@@ -21,10 +21,15 @@ export default defineConfigWithVueTs(
   pluginVue.configs['flat/essential'],
   vueTsConfigs.recommended,
-
+
   {
     ...pluginVitest.configs.recommended,
     files: ['src/**/__tests__/*'],
   },
   skipFormatting,
+  {
+    rules: {
+      '@typescript-eslint/no-explicit-any': 'off',
+    },
+  }
 )
diff --git a/server/app.js b/server/app.js
index ff27ddc..6dd0644 100644
--- a/server/app.js
+++ b/server/app.js
@@ -116,7 +116,12 @@ app.get('/api/music-scans/download/:id', AuthHandler, async (req, res) => {
   else if (queryResult.length > 1) res.status(500).json({ message: 'Multiple scans found with the same ID' });
   else {
     const scan = queryResult[0];
-    const filePath = path.join(UPLOAD_FOLDER, scan.link);
+    if (!scan.link || !scan.link.endsWith('.pdf')) {
+      res.status(400).json({ message: 'Invalid scan link' });
+      return;
+    }
+    const link = path.join(...(scan.link.split('\\')));
+    const filePath = path.join(UPLOAD_FOLDER, link);
     res.download(filePath, scan.name + '.pdf');
   }
 });
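Review bot: The trailing config object switches `@typescript-eslint/no-explicit-any` off for every file in the project, whereas the vitest entry just above it shows the pattern for scoping a rule set with `files:`. If the aim is only to quiet test or legacy code, narrow it to those paths, e.g. `files: ['src/**/__tests__/*']`, or use `'warn'` so new `any` usage still surfaces in review. The new object is also the only entry without a trailing comma. The `defineConfigWithVueTs(` call begins before the hunk.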
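Review bot: The new `.pdf` suffix check does not keep `filePath` inside `UPLOAD_FOLDER`: `path.join` normalises `..` segments, so a stored `scan.link` containing them would still resolve to a file outside the upload directory and the suffix test alone lets it through. Since `scan.link` comes from the database rather than straight from the request, the exposure depends on how strictly the upload path validates it, which is not visible in this hunk; a containment check on the resolved path removes that dependency. Note too that `endsWith('.pdf')` is case-sensitive, so a stored `.PDF` link is now rejected, which may or may not be intended. The `app.get` handler begins before the hunk.
```javascript
    // … unchanged: .pdf suffix check …
    const link = path.join(...(scan.link.split('\\')));
    const uploadRoot = path.resolve(UPLOAD_FOLDER);
    const filePath = path.resolve(uploadRoot, link);
    // Refuse any link that resolves outside the upload folder (e.g. '..' segments in a stored link).
    if (!filePath.startsWith(uploadRoot + path.sep)) {
      res.status(400).json({ message: 'Invalid scan link' });
      return;
    }
    res.download(filePath, scan.name + '.pdf');
```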