Fix security issues found during code review#75

Open
Gahrcoder wants to merge 6 commits into NVIDIA:main from Gahrcoder:fix/security-hardening

Conversation

@Gahrcoder

Summary

Found several security and correctness issues while reading through the server and model loading code. Fixes below, one per commit.

Changes

1. Path traversal in voice prompt loading (server.py)

The voice_prompt query parameter from WebSocket clients was passed directly to os.path.join() without sanitization. A request like voice_prompt=../../etc/passwd could escape the voice prompt directory. Now rejects any filename containing path separators.

2. Unsafe torch.load() calls (lm.py, loaders.py)

Four torch.load() calls were missing weights_only=True, which means they use pickle deserialization under the hood. Since voice prompt .pt files can come from user-controllable paths, this is a code execution risk. Added weights_only=True to all four call sites.

3. Tarfile extraction without member validation (server.py, offline.py)

tar.extractall() was called without checking member paths. Malicious tar archives can include entries like ../../.bashrc that write outside the target directory (zip-slip). Added a _safe_tar_extract() helper that validates all member paths resolve within the destination before extracting.

4. Static file server follows symlinks (server.py)

follow_symlinks=True on the static file route means symlinks in the static directory can serve arbitrary files. Changed to follow_symlinks=False.

5. Wrong request access for seed parameter (server.py)

int(request["seed"]) raises a TypeError — should be int(request.query["seed"]) to match the in request.query guard above it.

6. Duplicate import random (server.py)

random was imported twice (lines 31 and 46). Removed the duplicate.

Testing

All changes are backwards-compatible. The weights_only=True flag works with standard state dict checkpoints. The tar extraction helper is a strict superset of extractall() behavior for well-formed archives.
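Added example, not code from this PR or from the project: a self-contained illustration of two of the checks the description above calls for, a path-separator filter for the voice_prompt parameter (item 1) and a tar extraction helper that validates every member path against the destination before writing anything (item 3). The function names, the in-memory sample archive and the temporary destination directory are all constructed for this example; the helper is deliberately stricter than a pure path check in that it also refuses symlink and hardlink members.

```python
"""Added example (not the PR's or the project's code): a voice_prompt name
filter and a zip-slip-safe tar extraction helper. All names, the sample
archive and the temporary directory are constructed for illustration."""
import io
import os
import tarfile
import tempfile


def is_safe_prompt_name(name: str) -> bool:
    """Return True only for a bare filename with no path separators.

    Rejects empty names, '.' and '..', and anything containing '/', '\\' or the
    platform separators, so os.path.join(prompt_dir, name) cannot leave prompt_dir.
    """
    if not name or name in (".", ".."):
        return False
    separators = {"/", "\\", os.sep}
    if os.path.altsep:
        separators.add(os.path.altsep)
    return not any(sep in name for sep in separators)


def safe_tar_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Extract `tar` into `dest`, validating every member first.

    Each member path is resolved against the real destination and must stay
    inside it. Symlink and hardlink members are refused outright (stricter than
    the PR's path check, since a link can point anywhere after extraction).
    Raises ValueError before anything is written if any member would escape.
    Returns the names of the extracted members.
    """
    dest_real = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        target = os.path.realpath(os.path.join(dest_real, m.name))
        # commonpath equals dest_real only when target is dest_real or below it.
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"tar member escapes destination: {m.name!r}")
        if m.issym() or m.islnk():
            raise ValueError(f"link member refused: {m.name!r} -> {m.linkname!r}")
    tar.extractall(dest_real, members=members)
    return [m.name for m in members]


def build_tar(entries: dict) -> bytes:
    """Build an uncompressed tar in memory from {member_name: content}.

    Constructed sample input; the member names are chosen by the caller and
    are not normalised, so a '../' entry is written into the archive as-is.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def extract_bytes(data: bytes, dest: str) -> list:
    """Open an in-memory archive and extract it with the validating helper."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return safe_tar_extract(tar, dest)


def demo() -> dict:
    """Run both checks against constructed inputs and report what happened."""
    results = {
        "safe_name": is_safe_prompt_name("alice.pt"),
        "traversal_name": is_safe_prompt_name("../../etc/passwd"),
        "backslash_name": is_safe_prompt_name("..\\secret.pt"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "prompts")
        os.makedirs(dest)
        # Well-formed archive: extracted normally, parent dirs created as needed.
        results["benign"] = extract_bytes(build_tar({"voice/alice.pt": b"weights"}), dest)
        # Archive with one member that resolves to tmp/escape.txt, outside dest.
        try:
            extract_bytes(build_tar({"voice/ok.pt": b"x", "../escape.txt": b"bad"}), dest)
            results["zip_slip_blocked"] = False
        except ValueError:
            results["zip_slip_blocked"] = True
        # Nothing from the rejected archive may have been written, not even the benign member.
        results["escape_written"] = os.path.exists(os.path.join(tmp, "escape.txt"))
        results["partial_written"] = os.path.exists(os.path.join(dest, "voice", "ok.pt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs over the full member list before `extractall` is called, so a rejected archive leaves the destination untouched rather than half-extracted. On Python 3.12 and later the standard library also offers `extractall(path, filter="data")`, which applies comparable member validation itself; the explicit helper above is useful where the interpreter version cannot be assumed or the policy (such as refusing all links) needs to be spelled out.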
