fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS

Tar Slip (CWE-22) — 3 import services:
  threat_actor, lolbas, caldera: add path validation before extractall()
  to prevent malicious zip members with ../ escaping the target directory.
  (sigma, elastic, atomic already had this protection)

Path Traversal (CWE-23) — professional_reports.py:
  Add _assert_safe_report_path() check on all 5 report endpoints to
  verify the generated filepath stays within REPORT_OUTPUT_DIR.

Open Redirect (CWE-601) — sso.py:
  Validate IdP redirect URL scheme (must be http/https) before
  issuing RedirectResponse, blocking javascript: and data: redirects.

DOM XSS (CWE-79) — 4 frontend pages:
  Create src/utils/url.ts with safeUrl() that rejects non-http/https
  protocols; apply to actor.mitre_url, ref.url, intel.url.
  Sanitize framework name to alphanumeric-only before DOM insertion.
  Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp).

Hardcoded credentials (CWE-798):
  verify_gaps.py, create_wiki.py: replace literal passwords with
  environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).

backend/app/routers/professional_reports.py

@@ -2,9 +2,10 @@
 
 # Import UUID from uuid
 from uuid import UUID
+from pathlib import Path
 
-# Import APIRouter, Depends, Query, Request from fastapi
-from fastapi import APIRouter, Depends, Query, Request
+# Import APIRouter, Depends, HTTPException, Query, Request from fastapi
+from fastapi import APIRouter, Depends, HTTPException, Query, Request
 
 # Import FileResponse from fastapi.responses
 from fastapi.responses import FileResponse
@@ -21,12 +22,24 @@ from app.dependencies.auth import get_current_user, require_any_role
 # Import limiter from app.limiter
 from app.limiter import limiter
 
+# Import settings from app.config
+from app.config import settings
+
 # Import User from app.models.user
 from app.models.user import User
 
 # Import report_generation_service from app.services
 from app.services import report_generation_service
 
+
+def _assert_safe_report_path(filepath: str) -> str:
+    """Raise 500 if the generated filepath escapes the configured report directory."""
+    output_dir = Path(settings.REPORT_OUTPUT_DIR).resolve()
+    resolved = Path(filepath).resolve()
+    if not resolved.is_relative_to(output_dir):
+        raise HTTPException(status_code=500, detail="Report generation path error")
+    return filepath
+
 # Assign router = APIRouter(prefix="/reports/generate", tags=["professional-reports"])
 router = APIRouter(prefix="/reports/generate", tags=["professional-reports"])
 
@@ -65,7 +78,7 @@ def generate_purple_report(
     )
     # Return FileResponse(
     return FileResponse(
-        filepath,
+        _assert_safe_report_path(filepath),
         # Keyword argument: media_type
         media_type=_MEDIA_TYPES[format],
         # Keyword argument: filename
@@ -95,7 +108,7 @@ def generate_coverage_report(
     )
     # Return FileResponse(
     return FileResponse(
-        filepath,
+        _assert_safe_report_path(filepath),
         # Keyword argument: media_type
         media_type=_MEDIA_TYPES[format],
         # Keyword argument: filename
@@ -125,7 +138,7 @@ def generate_executive_report(
     )
     # Return FileResponse(
     return FileResponse(
-        filepath,
+        _assert_safe_report_path(filepath),
         # Keyword argument: media_type
         media_type=_MEDIA_TYPES[format],
         # Keyword argument: filename
@@ -155,7 +168,7 @@ def generate_quarterly_report(
     )
     # Return FileResponse(
     return FileResponse(
-        filepath,
+        _assert_safe_report_path(filepath),
         # Keyword argument: media_type
         media_type=_MEDIA_TYPES[format],
         # Keyword argument: filename
@@ -187,7 +200,7 @@ def generate_technique_report(
     )
     # Return FileResponse(
     return FileResponse(
-        filepath,
+        _assert_safe_report_path(filepath),
         # Keyword argument: media_type
         media_type=_MEDIA_TYPES[format],
         # Keyword argument: filename

backend/app/routers/sso.py

@@ -1,6 +1,7 @@
 """Phase 14: SSO / SAML 2.0 router."""
 
 import os
+from urllib.parse import urlparse
 
 from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from fastapi.responses import RedirectResponse
@@ -74,7 +75,10 @@ def sso_login(request: Request, db: Session = Depends(get_db)):
         result = svc.initiate_login(db, request_data)
     except RuntimeError as exc:
         raise HTTPException(status_code=503, detail=str(exc))
-    return RedirectResponse(url=result["redirect_url"])
+    redirect_url = result["redirect_url"]
+    if urlparse(redirect_url).scheme not in ("http", "https"):
+        raise HTTPException(status_code=400, detail="Invalid IdP redirect URL")
+    return RedirectResponse(url=redirect_url)
 
 
 @router.post("/callback")