Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 4m56s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 4m56s
This commit is contained in:
Torsten Schulz (local)
@@ -6,6 +6,8 @@ import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
|
||||
import { randomUUID } from 'crypto'
|
||||
|
||||
// Handle both dev and production paths
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
// filename is always a hardcoded constant (e.g., 'galerie-metadata.json'), never user input
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
if (cwd.endsWith('.output')) {
|
||||
@@ -134,7 +136,20 @@ export default defineEventHandler(async (event) => {
|
||||
.replace(/[^a-z0-9]+/g, '-')
|
||||
.replace(/^-+|-+$/g, '')
|
||||
.substring(0, 100) // Max 100 Zeichen
|
||||
const ext = path.extname(file.originalname)
|
||||
|
||||
// Validiere Dateiendung
|
||||
const ext = path.extname(file.originalname).toLowerCase()
|
||||
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
|
||||
if (!allowedExtensions.includes(ext)) {
|
||||
await fs.unlink(file.path).catch(() => {
|
||||
// Datei bereits gelöscht oder nicht vorhanden, ignorieren
|
||||
})
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'Ungültige Dateiendung. Nur Bilddateien sind erlaubt.'
|
||||
})
|
||||
}
|
||||
|
||||
const filename = `${titleSlug}_${randomUUID().substring(0, 8)}${ext}`
|
||||
const previewFilename = `preview_${filename}`
|
||||
|
||||
|
||||
Reference in New Issue
Block a user