
Add input validation, request timeouts, and size limits #91

@tacheraSasi


Summary

Add input validation and request size limits to prevent abuse and resource exhaustion.

Current State

  • Max upload size is configurable (-max-upload, default 100MB)
  • No request body size limit on non-upload endpoints
  • No validation on filenames, paths, or query parameters for path traversal
  • No timeout on request reads

Tasks

  • Add http.MaxBytesReader on all non-upload endpoints (e.g., 1MB for API requests)
  • Add read/write timeouts to http.Server (e.g., 30s read, 60s write)
  • Add idle timeout (e.g., 120s)
  • Validate and sanitize uploaded filenames (strip path separators, null bytes)
  • Validate path parameters against directory traversal (../)
  • Add header size limits via http.Server.MaxHeaderBytes

Why

Without input validation and timeouts, the server is vulnerable to slowloris attacks, resource exhaustion, and path traversal exploits.
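
The tasks listed above, expressed with Go's `net/http` as an added example that is not the project's own code. The `/api/` route, the function names and the 64KB header cap are assumptions; the timeouts and the 1MB body cap are the values proposed in the issue.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"path/filepath"
	"strings"
	"time"
)

const maxAPIBody = 1 << 20 // 1MB cap for non-upload endpoints
// limitBody makes body reads past maxAPIBody fail instead of being consumed.
func limitBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxAPIBody)
		next.ServeHTTP(w, r)
	})
}

// sanitizeFilename drops null bytes and any directory part of a client-supplied name.
func sanitizeFilename(name string) (string, error) {
	name = strings.NewReplacer("\x00", "", "\\", "/").Replace(name) // count Windows separators too
	name = name[strings.LastIndex(name, "/")+1:]
	if name == "" || name == "." || name == ".." {
		return "", errors.New("invalid filename")
	}
	return name, nil
}

// safeJoin resolves rel under root and rejects results that escape it.
func safeJoin(root, rel string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, rel) // Join also cleans "../" segments
	if strings.ContainsRune(rel, 0) || (full != root && !strings.HasPrefix(full, root+string(filepath.Separator))) {
		return "", errors.New("path escapes root")
	}
	return full, nil
}

func newServer(addr string, h http.Handler) *http.Server { // timeouts as proposed in the issue
	return &http.Server{Addr: addr, Handler: h, MaxHeaderBytes: 64 << 10, // 64KB: assumed value
		ReadTimeout: 30 * time.Second, WriteTimeout: 60 * time.Second, IdleTimeout: 120 * time.Second}
}

func main() {
	http.Handle("/api/", limitBody(http.NotFoundHandler())) // hypothetical route and handler
	log.Fatal(newServer("127.0.0.1:8080", nil).ListenAndServe()) // nil handler: DefaultServeMux
}
```

`ReadTimeout` also covers the request body, so the upload route may need a longer per-request deadline (for example via `http.ResponseController.SetReadDeadline`). `safeJoin` is a lexical check and does not resolve symlinks under the root.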

Labels: hardening (Security hardening)
