Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.

2025-12-20 10:49:20 +01:00
parent acfa842131
commit 316cce1b26
49 changed files with 349 additions and 23 deletions
--- a/server/api/galerie/[id].get.js
+++ b/server/api/galerie/[id].get.js
@@ -4,6 +4,8 @@ import sharp from 'sharp'
 import { getUserFromToken, verifyToken } from '../../utils/auth.js'

 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
 const getDataPath = (filename) => {
  const cwd = process.cwd()
  if (cwd.endsWith('.output')) {
@@ -74,8 +76,26 @@ export default defineEventHandler(async (event) => {

    // Bestimme Dateipfad
    const filename = isPreview ? image.previewFilename : image.filename
+    
+    // Validiere Dateiname gegen Path-Traversal
+    if (!filename || typeof filename !== 'string') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
+    // Sanitize filename
+    const sanitizedFilename = path.basename(path.normalize(filename))
+    if (sanitizedFilename.includes('..') || sanitizedFilename.startsWith('/') || sanitizedFilename.startsWith('\\')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
    const subdir = isPreview ? 'previews' : 'originals'
-    const filePath = path.join(GALERIE_DIR, subdir, filename)
+    const filePath = path.join(GALERIE_DIR, subdir, sanitizedFilename)

    // Prüfe ob Datei existiert
    try {