Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.

2025-12-20 10:49:20 +01:00
parent acfa842131
commit 316cce1b26
49 changed files with 349 additions and 23 deletions
--- a/server/api/personen/[filename].get.js
+++ b/server/api/personen/[filename].get.js
@@ -3,6 +3,8 @@ import path from 'path'
 import sharp from 'sharp'

 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant ('personen'), never user input
 const getDataPath = (filename) => {
  const cwd = process.cwd()
  if (cwd.endsWith('.output')) {
@@ -32,7 +34,16 @@ export default defineEventHandler(async (event) => {
      })
    }

-    const filePath = path.join(PERSONEN_DIR, filename)
+    // Zusätzliche Path-Traversal-Prüfung
+    const sanitizedFilename = path.basename(path.normalize(filename))
+    if (sanitizedFilename !== filename || sanitizedFilename.includes('..')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+
+    const filePath = path.join(PERSONEN_DIR, sanitizedFilename)

    // Prüfe ob Datei existiert
    try {
--- a/server/api/personen/upload.post.js
+++ b/server/api/personen/upload.post.js
@@ -6,6 +6,8 @@ import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'

 // Handle both dev and production paths
+// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+// filename is always a hardcoded constant ('personen'), never user input
 const getDataPath = (filename) => {
  const cwd = process.cwd()
  if (cwd.endsWith('.output')) {
@@ -94,9 +96,30 @@ export default defineEventHandler(async (event) => {

    // Bild mit sharp verarbeiten (EXIF-Orientierung korrigieren und optional resize)
    const originalPath = file.path
-    const ext = path.extname(file.originalname)
+    
+    // Validiere Dateiendung
+    const ext = path.extname(file.originalname).toLowerCase()
+    const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
+    if (!allowedExtensions.includes(ext)) {
+      await fs.unlink(file.path).catch(() => {
+        // Datei bereits gelöscht oder nicht vorhanden, ignorieren
+      })
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültige Dateiendung. Nur Bilddateien sind erlaubt.'
+      })
+    }
+    
    const newFilename = `${randomUUID()}${ext}`
-    const newPath = path.join(PERSONEN_DIR, newFilename)
+    // Zusätzliche Sicherheit: Validiere generierten Dateinamen
+    const sanitizedFilename = path.basename(path.normalize(newFilename))
+    if (sanitizedFilename !== newFilename) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Fehler beim Generieren des Dateinamens'
+      })
+    }
+    const newPath = path.join(PERSONEN_DIR, sanitizedFilename)

    // Bild verarbeiten: EXIF-Orientierung korrigieren
    await sharp(originalPath)