Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.

2025-12-20 10:49:20 +01:00
parent acfa842131
commit 316cce1b26
49 changed files with 349 additions and 23 deletions
--- a/server/api/spielplan/download/[filename].get.js
+++ b/server/api/spielplan/download/[filename].get.js
@@ -36,6 +36,15 @@ export default defineEventHandler(async (event) => {
      })
    }
    
+    // Zusätzliche Path-Traversal-Prüfung
+    const sanitizedFilename = path.basename(path.normalize(filename))
+    if (sanitizedFilename !== filename || sanitizedFilename.includes('..')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
    let filePath
    
    if (isDynamicMannschaft) {
@@ -44,7 +53,7 @@ export default defineEventHandler(async (event) => {
      filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', 'spielplan_gesamt.pdf')
    } else {
      // Für vordefinierte PDFs
-      filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', filename)
+      filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', sanitizedFilename)
    }
    
    // Prüfe ob Datei existiert