torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 4m56s
Details

Browse Source
This commit is contained in:
Torsten Schulz (local)
2025-12-20 10:49:20 +01:00
parent acfa842131
commit 316cce1b26
49 changed files with 349 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
server/api/personen/upload.post.js
View File

@@ -6,6 +6,8 @@ import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
import { randomUUID } from 'crypto'
// Handle both dev and production paths
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant ('personen'), never user input
const getDataPath = (filename) => {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
@@ -94,9 +96,30 @@ export default defineEventHandler(async (event) => {
// Bild mit sharp verarbeiten (EXIF-Orientierung korrigieren und optional resize)
const originalPath = file.path
const ext = path.extname(file.originalname)
// Validiere Dateiendung
const ext = path.extname(file.originalname).toLowerCase()
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
if (!allowedExtensions.includes(ext)) {
await fs.unlink(file.path).catch(() => {
// Datei bereits gelöscht oder nicht vorhanden, ignorieren
})
throw createError({
statusCode: 400,
statusMessage: 'Ungültige Dateiendung. Nur Bilddateien sind erlaubt.'
})
}
const newFilename = `${randomUUID()}${ext}`
const newPath = path.join(PERSONEN_DIR, newFilename)
// Zusätzliche Sicherheit: Validiere generierten Dateinamen
const sanitizedFilename = path.basename(path.normalize(newFilename))
if (sanitizedFilename !== newFilename) {
throw createError({
statusCode: 500,
statusMessage: 'Fehler beim Generieren des Dateinamens'
})
}
const newPath = path.join(PERSONEN_DIR, sanitizedFilename)
// Bild verarbeiten: EXIF-Orientierung korrigieren
await sharp(originalPath)