torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(security): use centralized getServerDataPath in password-reset-log.js
Some checks failed
Code Analysis and Production Deploy / analyze (push) Successful in 5m5s
Details
Code Analysis and Production Deploy / deploy-production (push) Has been skipped
Details
Code Analysis and Production Deploy / deploy-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Torsten Schulz (local)
2026-05-27 19:55:11 +02:00
parent 5074e8f8f8
commit 19d2f21fc3
1 changed files with 2 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
server/utils/password-reset-log.js
View File

@@ -1,31 +1,11 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import path from 'path'
import { getServerDataPath } from './paths.js'
const RETENTION_MS = 72 * 60 * 60 * 1000
function getDataPath(filename) {
// sanitize filename: only allow a simple basename (no path separators)
const safeName = path.basename(String(filename || ''))
// whitelist valid characters to avoid any traversal or weird names
if (!/^[a-zA-Z0-9._-]+$/.test(safeName)) {
throw new Error('Invalid data filename')
}
const cwd = process.cwd()
const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data')
// build candidate path and verify it's inside the expected data directory
const candidate = path.join(dataDir, safeName)
const resolved = path.resolve(candidate)
const resolvedDataDir = path.resolve(dataDir)
if (!resolved.startsWith(resolvedDataDir + path.sep) && resolved !== resolvedDataDir) {
throw new Error('Invalid data filename (outside data directory)')
}
return resolved
}
const LOG_FILE = getDataPath('password-reset.log.jsonl')
const LOG_FILE = getServerDataPath('password-reset.log.jsonl')
export function normalizeResetEmail(email) {
return String(email || '').trim().toLowerCase()