fix(security): handle null bytes in filename + fix test assertion

- DocumentService.sanitizeFilename(): strip null bytes before FilenameUtils.getName()
  (commons-io rejects \0 with IllegalArgumentException)
- DocumentServiceTest: fix '..' assertion — code returns 'document', not UUID

cannamanage-service/src/main/java/de/cannamanage/service/DocumentService.java

@@ -211,9 +211,14 @@ public class DocumentService {
         if (original == null || original.isBlank()) {
             return UUID.randomUUID().toString();
         }
+        // Strip null bytes first — FilenameUtils.getName() throws on \0
+        String safe = original.replace("\0", "");
+        if (safe.isBlank()) {
+            return UUID.randomUUID().toString();
+        }
         // Strip path components using commons-io — handles both Unix and Windows separators
         // regardless of the current platform (unlike Paths.get which is platform-dependent)
-        String name = FilenameUtils.getName(original);
+        String name = FilenameUtils.getName(safe);
         if (name == null || name.isBlank()) {
             return "document";
         }

cannamanage-service/src/test/java/de/cannamanage/service/DocumentServiceTest.java

@@ -167,10 +167,10 @@ class DocumentServiceTest {
                     clubId, "Dots", DocumentCategory.SONSTIGES,
                     DocumentAccessLevel.ALL_MEMBERS, null, file, uploadedBy);
 
-            // ".." is explicitly caught → UUID fallback
+            // ".." is explicitly caught → "document" fallback
             assertThat(result.getFilename()).isNotEqualTo("..");
             assertThat(result.getFilename()).isNotBlank();
-            assertThat(result.getFilename()).matches("[a-f0-9\\-]+");
+            assertThat(result.getFilename()).isEqualTo("document");
         }
     }