fix: tighten rename and node routing request validation

[lovehunter9]

Summary

• posix.Rename src path: drop the redundant url.PathUnescape on srcName. Hertz already percent-decodes the URL path once; running net/url's strict decoder a second time rejects legitimate filenames containing % (e.g. renaming 12%3.zip failed with invalid URL escape "%3."). The query-side dstName decode is left intact since the existing front-end → back-end contract relies on it.
• :node route segment: introduce a single bizhandler.NodeGuard() middleware (one shared helper in pkg/hertz/biz/handler/utils.go) and wire it into every :node placeholder in archive, paste, task, external, videos, and upload routes. Requests whose :node is neither the local NODE_NAME nor a node ever seen in the cluster are rejected with 400 invalid node. Previously any string was accepted (e.g. /api/archive/sdsdsd/entries would happily run).

Notes

• global.GlobalNode.Nodes is an additive set (only-grows, never shrinks within a process), so any node that has ever been listed by the cluster — including the local node and previously-seen peers — continues to pass. There is no impact on legitimate single-node or multi-node traffic.
• Internal share-proxy callers already use global.CurrentNodeName / GetMasterNode(), both of which satisfy the guard.

Test plan

• Rename a file whose name contains % (e.g. 12%3.zip → 123.zip) and back; both succeed.
• Rename to a name with %; succeeds (existing query-side path unchanged).
• GET /api/archive/<NODE_NAME>/entries?source=… → works as before.
• GET /api/archive/sdsdsd/entries?source=… → 400 {"error":"invalid node"}.
• CLI with --node set to a real node name → unchanged behaviour for compress / extract / paste / task / mount / smb_history / videos / upload.
• CLI with --node set to an arbitrary string → 400 invalid node.

Made with Cursor