
Fixing issues 231 (token visible) and 232 (oauth secret and zip file paths)#233

Open
abesnier wants to merge 4 commits into codeskyblue:master from abesnier:master

Conversation

@abesnier

Security Hardening

Summary

This PR addresses three security concerns in gohttpserver: preventing Zip Slip directory traversal attacks, securing session management, and removing sensitive auth info from API responses.

Changes

Zip Slip protection in unzipFile (zip.go)

  • Resolves the destination path to an absolute path before extraction.
  • Validates that each extracted file's resolved path stays within the intended destination directory, preventing directory traversal via crafted zip archives.

Secure session secret management (openid-login.go)

  • Replaces the hardcoded "something-very-secret" session secret with a configurable GHS_SESSION_SECRET environment variable.
  • Falls back to a cryptographically random 32-byte key when the env var is not set, with a warning that sessions won't survive restarts.

Remove auth info from JSON response (httpstaticserver.go)

Files Changed

File                 Change
zip.go               Added Zip Slip path validation
openid-login.go      Refactored session secret to use env var / random key
httpstaticserver.go  Commented out auth field in JSON response
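The two checks the PR summary describes, the Zip Slip path validation for unzipFile and the GHS_SESSION_SECRET lookup with a random 32-byte fallback, written out as an added, stand-alone Go example. This is not code from the gohttpserver repository or from the PR diff: the function names safeExtractPath and sessionSecret, the lookup callback parameter, and the sample entry names are assumptions made here so the logic can be run and tested offline.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// safeExtractPath resolves an archive entry name against dest and returns
// the absolute target path, or an error when the entry would land outside
// dest (the Zip Slip pattern, e.g. an entry named "../../etc/passwd").
// Hypothetical helper, not the project's unzipFile.
func safeExtractPath(dest, name string) (string, error) {
	// Resolve the destination to an absolute path before any comparison.
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// filepath.Join cleans the result, so ".." components are collapsed
	// and the final location of the entry is what gets compared.
	target := filepath.Join(absDest, name)
	// The prefix check must include the separator: without it,
	// "/tmp/out2/x" would be accepted as living inside "/tmp/out".
	if target != absDest && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("illegal entry path %q: escapes %s", name, absDest)
	}
	return target, nil
}

// sessionSecret returns the key used to sign session cookies. It prefers the
// GHS_SESSION_SECRET environment variable (the lookup function is injected
// so the fallback can be tested) and otherwise generates a random 32-byte
// key. The bool reports whether the fallback was used so the caller can warn
// that sessions will not survive a restart. Hypothetical helper.
func sessionSecret(lookup func(string) (string, bool)) ([]byte, bool, error) {
	if v, ok := lookup("GHS_SESSION_SECRET"); ok && v != "" {
		return []byte(v), false, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, true, err
	}
	return key, true, nil
}

func main() {
	// Constructed sample entry names, as a zip archive might present them.
	for _, name := range []string{"docs/readme.txt", "../../etc/passwd", "a/../../b"} {
		p, err := safeExtractPath("out", name)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("accept:", p)
	}

	key, generated, err := sessionSecret(os.LookupEnv)
	if err != nil {
		log.Fatal(err)
	}
	if generated {
		log.Println("GHS_SESSION_SECRET not set; using a random key, sessions will not survive a restart")
	}
	fmt.Printf("session key length: %d bytes\n", len(key))
}
```

The containment test compares cleaned absolute paths rather than looking for a literal ".." in the entry name, which is what makes nested forms such as "a/../../b" and sibling-directory prefixes fail closed.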
