Refactor PDF generation process in membership API to ensure consistent directory creation for uploads. Update final PDF path handling to improve clarity and maintainability of the code.
@@ -348,6 +348,9 @@ export default defineEventHandler(async (event) => {
|
||||
// da Deploy-Artefakte dort je nach Setup schreibgeschützt sein können)
|
||||
const tempDir = getServerDataPath('tmp', 'latex')
|
||||
await fs.mkdir(tempDir, { recursive: true })
|
||||
const uploadsDir = getDataPath('uploads')
|
||||
await fs.mkdir(uploadsDir, { recursive: true })
|
||||
let finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
|
||||
|
||||
try {
|
||||
// PDF-Template-Funktion aktiv: versuche Original-PDF-Template herunterzuladen und zu befüllen
|
||||
@@ -589,14 +592,12 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
|
||||
let usedTemplate = false
|
||||
const uploadsDir = getDataPath('uploads')
|
||||
await fs.mkdir(uploadsDir, { recursive: true })
|
||||
try {
|
||||
const filled = await fillPdfTemplate(data)
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is generated from timestamp, not user input, path traversal prevented
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
const finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
|
||||
finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
|
||||
await fs.writeFile(finalPdfPath, filled)
|
||||
// Do NOT copy filled PDFs into public repo uploads to avoid accidental exposure.
|
||||
usedTemplate = true
|
||||
@@ -664,7 +665,7 @@ export default defineEventHandler(async (event) => {
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
const pdfPath = path.join(tempDir, `${filename}.pdf`)
|
||||
await fs.mkdir(uploadsDir, { recursive: true })
|
||||
const finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
|
||||
finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
|
||||
await fs.copyFile(pdfPath, finalPdfPath)
|
||||
|
||||
// E-Mail senden via zentralen Service (pass full path)
|
||||
|
||||
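Review bot: In the second and third hunks the new `finalPdfPath = path.join(...)` assignments recompute exactly the value that the `let finalPdfPath` added in the first hunk already holds, so the binding can be `const` and both reassignments dropped, along with the now-redundant `await fs.mkdir(uploadsDir, { recursive: true })` left before `fs.copyFile`. That would leave one path construction, which is where the `nosemgrep` justification belongs; the line added in the first hunk currently has neither a suppression nor a check. The justification says `filename` comes from a timestamp, but its assignment is outside the visible hunks, so it could not be confirmed here. Enforcing the assumption once is sturdier than suppressing the finding at each use, for example `if (path.basename(filename) !== filename) throw new Error('invalid PDF filename')` before the join. The handler body starts and ends outside these hunks.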