fix(security): ReportRenderJob — refuse 'admin' fallback + reject traversal in filesFolder

Two converging persistence-shaped issues:

1. `writeToFiles()` defaulted the dashboard owner to the literal string
   `'admin'` when `$dashboard->getOwner()` was null, then wrote
   attacker-controlled bytes into `admin`'s home folder. Combined with
   NC's link-share endpoints, that's a re-anchor for re-compromise.
2. `$delivery['filesFolder']` is taken straight from the dashboard
   payload — user-controlled JSON — with no validation. The job runs
   as the dashboard owner (not the user who configured the schedule),
   so the configurer effectively borrows owner-fs permissions.

Fixes:
- Skip delivery (with a warning log) when owner is null/empty rather
  than falling back to admin.
- Reject folder paths containing `..` (traversal) or that resolve to
  empty after stripping leading slashes.

Persisting a separate `configurer` UID and validating the folder
against an allowlist of paths the *configurer* explicitly owns is the
right longer-term fix — left as a follow-up so this commit stays
small.

Refs: #1419 review (blocker 7) — discussion_r3187494444

Author: rubenvdlinde

lib/BackgroundJob/ReportRenderJob.php

@@ -271,7 +271,22 @@ private function renderAndDeliver(ObjectEntity $dashboard, array $payload): void
      */
     private function writeToFiles(ObjectEntity $dashboard, array $payload, array $rendered, array $delivery): void
     {
-        $owner = (string) ($dashboard->getOwner() ?? 'admin');
+        // SECURITY: refuse to fall back to 'admin' when the dashboard
+        // owner is null. The previous default dropped attacker-controlled
+        // bytes (rendered HTML/PDF derived from a user-writable
+        // ObjectEntity) into admin's Files share, where admin would see
+        // them on next login — a phishing/redirect persistence vector.
+        // Without an owner we have no honest "who runs this job", so
+        // skip delivery and surface the misconfiguration in logs.
+        $owner = $dashboard->getOwner();
+        if ($owner === null || $owner === '') {
+            $this->logger->warning(
+                message: '[ReportRenderJob] Dashboard owner missing — skipping Files delivery',
+                context: ['dashboardUuid' => $dashboard->getUuid()]
+            );
+            return;
+        }
+
         try {
             $userFolder = $this->rootFolder->getUserFolder(userId: $owner);
         } catch (NotFoundException $e) {
@@ -288,7 +303,20 @@ private function writeToFiles(ObjectEntity $dashboard, array $payload, array $re
             $folderPath = sprintf('Reports/%s', $slug);
         }
 
+        // SECURITY: $delivery['filesFolder'] comes from the dashboard
+        // payload (user-controlled JSON). Restrict to a relative path
+        // under the owner's home — strip leading slashes and reject any
+        // segment that escapes the home root (`..`) or addresses an
+        // absolute filesystem path.
         $folderPath = ltrim($folderPath, '/');
+        if ($folderPath === '' || str_contains($folderPath, '..') === true) {
+            $this->logger->warning(
+                message: '[ReportRenderJob] Rejected delivery folder containing path traversal',
+                context: ['folder' => $folderPath, 'owner' => $owner]
+            );
+            return;
+        }
+
         if ($userFolder->nodeExists(path: $folderPath) === false) {
             $userFolder->newFolder(path: $folderPath);
         }