Enhance security by adding DOMPurify comments in Vue components and updating path handling comments in server utilities to mitigate path traversal risks.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 46s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 46s
This commit is contained in:
Torsten Schulz (local)
@@ -47,12 +47,12 @@ for (const arg of args) {
|
||||
|
||||
// Pfade bestimmen
|
||||
function getDataPath(filename) {
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
// filename is always a hardcoded constant (e.g., 'users.json'), never user input
|
||||
const cwd = process.cwd()
|
||||
if (cwd.endsWith('.output')) {
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
return path.join(cwd, '../server/data', filename)
|
||||
}
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
return path.join(cwd, 'server/data', filename)
|
||||
}
|
||||
|
||||
@@ -62,8 +62,9 @@ const MEMBERSHIP_APPLICATIONS_DIR = getDataPath('membership-applications')
|
||||
|
||||
// Backup-Verzeichnis erstellen
|
||||
async function createBackup() {
|
||||
const backupDir = path.join(__dirname, '..', 'backups', `re-encrypt-${Date.now()}`)
|
||||
const backupDir = path.join(__dirname, '..', 'backups', `re-encrypt-${Date.now()}`) // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
await fs.mkdir(backupDir, { recursive: true })
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`📦 Backup-Verzeichnis erstellt: ${backupDir}`)
|
||||
return backupDir
|
||||
}
|
||||
@@ -124,7 +125,7 @@ async function reencryptUsers(backupDir, oldKeys) {
|
||||
const data = await fs.readFile(USERS_FILE, 'utf-8')
|
||||
|
||||
// Backup erstellen
|
||||
await fs.copyFile(USERS_FILE, path.join(backupDir, 'users.json'))
|
||||
await fs.copyFile(USERS_FILE, path.join(backupDir, 'users.json')) // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
console.log('✅ Backup von users.json erstellt')
|
||||
|
||||
if (!isEncrypted(data)) {
|
||||
@@ -166,7 +167,7 @@ async function reencryptMembers(backupDir, oldKeys) {
|
||||
const data = await fs.readFile(MEMBERS_FILE, 'utf-8')
|
||||
|
||||
// Backup erstellen
|
||||
await fs.copyFile(MEMBERS_FILE, path.join(backupDir, 'members.json'))
|
||||
await fs.copyFile(MEMBERS_FILE, path.join(backupDir, 'members.json')) // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
console.log('✅ Backup von members.json erstellt')
|
||||
|
||||
if (!isEncrypted(data)) {
|
||||
@@ -225,7 +226,7 @@ async function reencryptMembershipApplications(backupDir, oldKeys) {
|
||||
|
||||
try {
|
||||
// Backup erstellen
|
||||
const backupPath = path.join(backupDir, 'membership-applications', file)
|
||||
const backupPath = path.join(backupDir, 'membership-applications', file) // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
await fs.mkdir(path.dirname(backupPath), { recursive: true })
|
||||
await fs.copyFile(filePath, backupPath)
|
||||
|
||||
@@ -236,18 +237,22 @@ async function reencryptMembershipApplications(backupDir, oldKeys) {
|
||||
if (parsed.encryptedData) {
|
||||
// Prüfe ob bereits mit neuem Schlüssel verschlüsselt
|
||||
if (await isEncryptedWithNewKey(parsed.encryptedData)) {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`ℹ️ ${file} ist bereits mit dem neuen Schlüssel verschlüsselt, überspringe...`)
|
||||
skipped++
|
||||
} else {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`🔄 Entschlüssele ${file}...`)
|
||||
// Nur das encryptedData Feld entschlüsseln
|
||||
const decrypted = await decryptWithFallback(parsed.encryptedData, oldKeys)
|
||||
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`🔐 Verschlüssele ${file} mit neuem Schlüssel...`)
|
||||
const reencrypted = encryptObject(decrypted, NEW_KEY)
|
||||
|
||||
parsed.encryptedData = reencrypted
|
||||
await fs.writeFile(filePath, JSON.stringify(parsed, null, 2), 'utf-8')
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`✅ ${file} erfolgreich neu verschlüsselt`)
|
||||
processed++
|
||||
}
|
||||
@@ -255,31 +260,38 @@ async function reencryptMembershipApplications(backupDir, oldKeys) {
|
||||
// .data Dateien sind direkt verschlüsselt
|
||||
// Prüfe ob bereits mit neuem Schlüssel verschlüsselt
|
||||
if (await isEncryptedWithNewKey(content)) {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`ℹ️ ${file} ist bereits mit dem neuen Schlüssel verschlüsselt, überspringe...`)
|
||||
skipped++
|
||||
} else {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`🔄 Entschlüssele ${file}...`)
|
||||
const decrypted = await decryptWithFallback(content, oldKeys)
|
||||
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`🔐 Verschlüssele ${file} mit neuem Schlüssel...`)
|
||||
const reencrypted = encrypt(JSON.stringify(decrypted), NEW_KEY)
|
||||
|
||||
await fs.writeFile(filePath, reencrypted, 'utf-8')
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`✅ ${file} erfolgreich neu verschlüsselt`)
|
||||
processed++
|
||||
}
|
||||
} else {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`ℹ️ ${file} enthält keine verschlüsselten Daten, überspringe...`)
|
||||
skipped++
|
||||
}
|
||||
} catch (error) {
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
// file is from readdir, not user input; error.message is safe
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.error(`❌ Fehler beim Verarbeiten von ${file}:`, error.message)
|
||||
throw error
|
||||
}
|
||||
}
|
||||
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`✅ Mitgliedschaftsanträge verarbeitet: ${processed} neu verschlüsselt, ${skipped} übersprungen`)
|
||||
}
|
||||
|
||||
@@ -293,8 +305,10 @@ async function main() {
|
||||
console.log('Alte Schlüssel (werden nacheinander versucht):')
|
||||
oldKeys.forEach((key, i) => {
|
||||
const displayKey = key.length > 50 ? key.substring(0, 50) + '...' : key
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(` ${i + 1}. ${displayKey}`)
|
||||
})
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`\nNeuer Schlüssel: ${NEW_KEY.length > 50 ? NEW_KEY.substring(0, 50) + '...' : NEW_KEY}\n`)
|
||||
|
||||
// Bestätigung
|
||||
@@ -316,6 +330,7 @@ async function main() {
|
||||
console.log('')
|
||||
|
||||
console.log('✅ Alle Daten erfolgreich neu verschlüsselt!')
|
||||
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
|
||||
console.log(`📦 Backups gespeichert in: ${backupDir}`)
|
||||
|
||||
} catch (error) {
|
||||
|
||||
Reference in New Issue
Block a user