fix: validate domain_name to prevent path injection; fix toggle revert logic

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/9088415a-efc3-4dd1-9c22-877a543af47b

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>

app/sovran_systemsos_web/server.py

@@ -929,9 +929,19 @@ class DomainSetRequest(BaseModel):
     ddns_url: str = ""
 
 
+_SAFE_NAME_RE = re.compile(r'^[a-zA-Z0-9_-]+$')
+
+
+def _validate_safe_name(name: str) -> bool:
+    """Return True if name contains only safe path characters (no separators)."""
+    return bool(name) and _SAFE_NAME_RE.match(name) is not None
+
+
 @app.post("/api/domains/set")
 async def api_domains_set(req: DomainSetRequest):
     """Save a domain and optionally register a DDNS URL."""
+    if not _validate_safe_name(req.domain_name):
+        raise HTTPException(status_code=400, detail="Invalid domain_name")
     os.makedirs(DOMAINS_DIR, exist_ok=True)
     domain_path = os.path.join(DOMAINS_DIR, req.domain_name)
     with open(domain_path, "w") as f: