Backport 14267 to 5.1.x

[mattiagiupponi]

Checklist

Reviewing is a process done by project maintainers, mostly on a volunteer basis. We try to keep the overhead as small as possible and appreciate if you help us to do so by completing the following items. Feel free to ask in a comment if you have troubles with any of them.

For all pull requests:

• Confirm you have read the contribution guidelines
• You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
• Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

• There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
• The issue connected to the PR must have Labels and Milestone assigned
• PR for bug fixes and small new features are presented as a single commit
• PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
• New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.

[gemini-code-assist]

Code Review

This pull request integrates ZIP safety validation into the document upload form to protect against path-traversal, symlinks, and zip bombs, while expanding the covered file extensions to include Office Open XML and OpenDocument formats. It also allows configuring the default maximum upload size via environment variables, updates several project dependencies, and bumps the Nginx image version in the docker-compose configurations. The review feedback recommends seeking the file stream to the beginning before validation to ensure complete data is read.

I am having trouble creating individual review comments. Click here to see my feedback.

geonode/documents/forms.py (149-152)

To ensure defensive programming and robust validation, it is highly recommended to seek the doc_file to the beginning (0) before passing it to validate_safe_zip. If the file stream has been partially or fully read by any previous handlers, validators, or middleware, the ZIP validation might fail or receive incomplete data. Seeking to 0 beforehand prevents this potential issue.

        if doc_file and is_zip_extension(doc_file.name):
            if hasattr(doc_file, "seek"):
                try:
                    doc_file.seek(0)
                except (OSError, ValueError):
                    pass
            source = doc_file.temporary_file_path() if hasattr(doc_file, "temporary_file_path") else doc_file
            try:
                validate_safe_zip(source)