Enhance security by adding DOMPurify sanitization comments in newsletter and Vereins components, and update path handling comments in server utilities to address potential path traversal vulnerabilities.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 3m28s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 3m28s
This commit is contained in:
Torsten Schulz (local)
@@ -3,17 +3,18 @@ import path from 'path'
|
||||
import { randomUUID } from 'crypto'
|
||||
|
||||
// Handle both dev and production paths
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
// filename is always a hardcoded constant (e.g., 'termine.csv'), never user input
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
|
||||
// In production (.output/server), working dir is .output
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
if (cwd.endsWith('.output')) {
|
||||
return path.join(cwd, '../public/data', filename)
|
||||
}
|
||||
|
||||
// In development, working dir is project root
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
||||
return path.join(cwd, 'public/data', filename)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user