Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 4m56s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 4m56s
This commit is contained in:
Torsten Schulz (local)
@@ -3,6 +3,8 @@ import path from 'path'
|
||||
import sharp from 'sharp'
|
||||
|
||||
// Handle both dev and production paths
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
// filename is always a hardcoded constant ('personen'), never user input
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
if (cwd.endsWith('.output')) {
|
||||
@@ -32,7 +34,16 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
}
|
||||
|
||||
const filePath = path.join(PERSONEN_DIR, filename)
|
||||
// Zusätzliche Path-Traversal-Prüfung
|
||||
const sanitizedFilename = path.basename(path.normalize(filename))
|
||||
if (sanitizedFilename !== filename || sanitizedFilename.includes('..')) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'Ungültiger Dateiname'
|
||||
})
|
||||
}
|
||||
|
||||
const filePath = path.join(PERSONEN_DIR, sanitizedFilename)
|
||||
|
||||
// Prüfe ob Datei existiert
|
||||
try {
|
||||
|
||||
Reference in New Issue
Block a user