fix: sanitize dzuuid to prevent path traversal in /uploadCase (#254)

[Cypher-CP0]

Linked issue

• Closes [Bug] Path traversal vulnerability in /uploadCase due to unsanitized dzuuid #254
• Related Fix path traversal vulnerability by validating dzuuid and chunk param… #256

Existing related work reviewed

• Issues/PRs reviewed: Fix path traversal vulnerability by validating dzuuid and chunk param… #256 (Fix path traversal vulnerability by validating dzuuid), [security]: uploading a malicious ZIP can overwrite local project files (Zip Slip) #321 (Zip Slip vulnerability)
• If none found, write: None found after search

Overlap assessment

• Classification: Complementary
• Overlapping items: Fix path traversal vulnerability by validating dzuuid and chunk param… #256 also addresses dzuuid sanitization in /uploadCase
• Why this is not duplicate/superseded: Fix path traversal vulnerability by validating dzuuid and chunk param… #256 appears to have been closed/merged but the
  sanitize_uuid() helper function and the ValueError catch in the except block were not
  present in the current main branch code, leaving the path traversal vector still open.
  This PR completes the fix with explicit input validation before any path construction occurs.

Why this PR should proceed

• The vulnerability (CWE-22) is still reproducible on the current main branch — a crafted
  dzuuid value like ../../../../etc passes through to Path("_chunks", dz_uuid) and
  subsequently to shutil.rmtree() without rejection
• The fix is minimal, non-breaking, and backward-compatible — all valid Dropzone-generated
  UUIDs (e.g. a1b2c3d4-e5f6-...) match the allowed pattern [a-zA-Z0-9_\-]{1,64}
• Returns a clean HTTP 400 for invalid input rather than leaking internal error details

Summary

• What changed: Added sanitize_uuid() helper in API/Routes/Upload/UploadRoute.py that
  validates dzuuid against a strict [a-zA-Z0-9_\-]{1,64} regex before it is used to
  construct any filesystem path. Moved the sanitization call to run immediately after
  retrieving dzuuid from the request form, before Path("_chunks", dz_uuid) is constructed.
  Updated the except block to catch ValueError alongside PermissionError and return HTTP
  400 with a safe generic error message.

[SeaCelo]

Thanks for this. We're prioritizing other work right now, so converting this to draft for the time being. We'll revisit when we're ready to pick these up.