Refactor runner and installation scripts for improved functionality

- Removed the `--disable-hiprt` flag from the runner command, simplifying the rendering options for users.
- Updated the `jiggablend-runner` script and README to reflect the removal of the HIPRT control flag, enhancing clarity in usage instructions.
- Enhanced the installation script to provide clearer examples for running the jiggablend manager and runner, improving user experience during setup.
- Implemented a more robust GPU backend detection mechanism, allowing for better compatibility with various hardware configurations.

internal/storage/storage.go

@@ -82,6 +82,9 @@ func (s *Storage) JobPath(jobID int64) string {
 
 // SaveUpload saves an uploaded file
 func (s *Storage) SaveUpload(jobID int64, filename string, reader io.Reader) (string, error) {
+	// Sanitize filename to prevent path traversal
+	filename = filepath.Base(filename)
+
 	jobPath := s.JobPath(jobID)
 	if err := os.MkdirAll(jobPath, 0755); err != nil {
 		return "", fmt.Errorf("failed to create job directory: %w", err)

internal/storage/storage_test.go

@@ -0,0 +1,95 @@
+package storage
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func setupStorage(t *testing.T) *Storage {
+	t.Helper()
+	dir := t.TempDir()
+	s, err := NewStorage(dir)
+	if err != nil {
+		t.Fatalf("NewStorage: %v", err)
+	}
+	return s
+}
+
+func TestSaveUpload(t *testing.T) {
+	s := setupStorage(t)
+	path, err := s.SaveUpload(1, "test.blend", strings.NewReader("data"))
+	if err != nil {
+		t.Fatalf("SaveUpload: %v", err)
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read saved file: %v", err)
+	}
+	if string(data) != "data" {
+		t.Errorf("got %q, want %q", data, "data")
+	}
+}
+
+func TestSaveUpload_PathTraversal(t *testing.T) {
+	s := setupStorage(t)
+	path, err := s.SaveUpload(1, "../../etc/passwd", strings.NewReader("evil"))
+	if err != nil {
+		t.Fatalf("SaveUpload: %v", err)
+	}
+
+	// filepath.Base strips traversal, so the file should be inside the job dir
+	if !strings.HasPrefix(path, s.JobPath(1)) {
+		t.Errorf("saved file %q escaped job directory %q", path, s.JobPath(1))
+	}
+
+	if filepath.Base(path) != "passwd" {
+		t.Errorf("expected basename 'passwd', got %q", filepath.Base(path))
+	}
+}
+
+func TestSaveOutput(t *testing.T) {
+	s := setupStorage(t)
+	path, err := s.SaveOutput(42, "output.png", strings.NewReader("img"))
+	if err != nil {
+		t.Fatalf("SaveOutput: %v", err)
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read saved output: %v", err)
+	}
+	if string(data) != "img" {
+		t.Errorf("got %q, want %q", data, "img")
+	}
+}
+
+func TestGetFile(t *testing.T) {
+	s := setupStorage(t)
+	savedPath, err := s.SaveUpload(1, "readme.txt", strings.NewReader("hello"))
+	if err != nil {
+		t.Fatalf("SaveUpload: %v", err)
+	}
+
+	f, err := s.GetFile(savedPath)
+	if err != nil {
+		t.Fatalf("GetFile: %v", err)
+	}
+	defer f.Close()
+
+	buf := make([]byte, 64)
+	n, _ := f.Read(buf)
+	if string(buf[:n]) != "hello" {
+		t.Errorf("got %q, want %q", string(buf[:n]), "hello")
+	}
+}
+
+func TestJobPath(t *testing.T) {
+	s := setupStorage(t)
+	path := s.JobPath(99)
+	if !strings.Contains(path, "99") {
+		t.Errorf("JobPath(99) = %q, expected to contain '99'", path)
+	}
+}