Endpoints can access anything on server local filesystem

Endpoints that take an absolute path e.g. '/paths/watch_input' are technically a vulnerability; best to limit this to a top-level data directory

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information