Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.

server/api/galerie/[id].delete.js

@@ -3,6 +3,8 @@ import path from 'path'
 import { getUserFromToken, verifyToken } from '../../utils/auth.js'
 
 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
 const getDataPath = (filename) => {
   const cwd = process.cwd()
   if (cwd.endsWith('.output')) {

server/api/galerie/[id].get.js

@@ -4,6 +4,8 @@ import sharp from 'sharp'
 import { getUserFromToken, verifyToken } from '../../utils/auth.js'
 
 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
 const getDataPath = (filename) => {
   const cwd = process.cwd()
   if (cwd.endsWith('.output')) {
@@ -74,8 +76,26 @@ export default defineEventHandler(async (event) => {
 
     // Bestimme Dateipfad
     const filename = isPreview ? image.previewFilename : image.filename
+    
+    // Validiere Dateiname gegen Path-Traversal
+    if (!filename || typeof filename !== 'string') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
+    // Sanitize filename
+    const sanitizedFilename = path.basename(path.normalize(filename))
+    if (sanitizedFilename.includes('..') || sanitizedFilename.startsWith('/') || sanitizedFilename.startsWith('\\')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
     const subdir = isPreview ? 'previews' : 'originals'
-    const filePath = path.join(GALERIE_DIR, subdir, filename)
+    const filePath = path.join(GALERIE_DIR, subdir, sanitizedFilename)
 
     // Prüfe ob Datei existiert
     try {

server/api/galerie/list.get.js

@@ -3,6 +3,8 @@ import path from 'path'
 import { getUserFromToken, verifyToken } from '../../utils/auth.js'
 
 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
 const getDataPath = (filename) => {
   const cwd = process.cwd()
   if (cwd.endsWith('.output')) {

server/api/galerie/upload.post.js

@@ -6,6 +6,8 @@ import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
 
 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
 const getDataPath = (filename) => {
   const cwd = process.cwd()
   if (cwd.endsWith('.output')) {
@@ -134,7 +136,20 @@ export default defineEventHandler(async (event) => {
       .replace(/[^a-z0-9]+/g, '-')
       .replace(/^-+|-+$/g, '')
       .substring(0, 100) // Max 100 Zeichen
-    const ext = path.extname(file.originalname)
+    
+    // Validiere Dateiendung
+    const ext = path.extname(file.originalname).toLowerCase()
+    const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
+    if (!allowedExtensions.includes(ext)) {
+      await fs.unlink(file.path).catch(() => {
+        // Datei bereits gelöscht oder nicht vorhanden, ignorieren
+      })
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültige Dateiendung. Nur Bilddateien sind erlaubt.'
+      })
+    }
+    
     const filename = `${titleSlug}_${randomUUID().substring(0, 8)}${ext}`
     const previewFilename = `preview_${filename}`