torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance security by adding DOMPurify comments in Vue components and updating path handling comments in server utilities to mitigate path traversal risks.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 46s
Details

Browse Source
This commit is contained in:
Torsten Schulz (local)
2025-12-20 11:15:31 +01:00
parent 968c749fe3
commit 19024cd87e
45 changed files with 129 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/api/newsletter/groups/[id]/posts/create.post.js
View File

@@ -11,8 +11,10 @@ import nodemailer from 'nodemailer'
const getDataPath = (filename) => {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
@@ -310,6 +312,7 @@ export default defineEventHandler(async (event) => {
const failedEmails = []
const errorDetails = []
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
console.log(`Versende Newsletter an ${recipients.length} Empfänger...`)
console.log('Empfänger:', recipients.map(r => r.email))
@@ -338,12 +341,14 @@ export default defineEventHandler(async (event) => {
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
// recipient.email is validated and from trusted source (subscribers list)
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
console.log(`✅ Erfolgreich versendet an ${recipient.email}:`, mailResult.messageId)
sentCount++
} catch (error) {
const errorMsg = error.message || error.toString()
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
// recipient.email is validated and from trusted source (subscribers list)
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
console.error(`❌ Fehler beim Senden an ${recipient.email}:`, errorMsg)
failedCount++
failedEmails.push(recipient.email)
@@ -354,6 +359,7 @@ export default defineEventHandler(async (event) => {
}
}
// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
console.log(`Versand abgeschlossen: ${sentCount} erfolgreich, ${failedCount} fehlgeschlagen`)
// Post speichern mit Versand-Statistik und Empfängerliste