fix(password-reset-log): improve filename sanitization and error handling in getDataPath

Torsten Schulz (local)
2026-05-27 19:41:12 +02:00
parent 58fd7fa5c6
commit 026e4ba3e4


@@ -5,11 +5,16 @@ import path from 'path'
const RETENTION_MS = 72 * 60 * 60 * 1000 const RETENTION_MS = 72 * 60 * 60 * 1000
function getDataPath(filename) { function getDataPath(filename) {
const cwd = process.cwd() // sanitize filename: only allow a simple basename (no path separators)
if (cwd.endsWith('.output')) { const safeName = path.basename(String(filename || ''))
return path.join(cwd, '../server/data', filename) // whitelist valid characters to avoid any traversal or weird names
if (!/^[a-zA-Z0-9._-]+$/.test(safeName)) {
throw new Error('Invalid data filename')
} }
return path.join(cwd, 'server/data', filename)
const cwd = process.cwd()
const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data')
return path.join(dataDir, safeName)
} }
const LOG_FILE = getDataPath('password-reset.log.jsonl') const LOG_FILE = getDataPath('password-reset.log.jsonl')
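Review bot: The new whitelist in getDataPath still accepts the names `.` and `..`, because both pass through `path.basename` unchanged and match `/^[a-zA-Z0-9._-]+$/`, so `path.join(dataDir, safeName)` can return the data directory itself or its parent. Reject them explicitly in the guard, for example `if (safeName === '.' || safeName === '..' || !/^[a-zA-Z0-9._-]+$/.test(safeName)) {`. Separately, `path.basename` silently strips any directory part instead of refusing it, so a caller passing a path is quietly redirected to a different file; throwing when `safeName !== String(filename)` would surface that mistake. The only caller visible in this hunk passes a constant, so this looks like hardening rather than a currently reachable problem.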