torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply non-major audit updates and harden path handling for Semgrep.

Browse Source 
This updates transitive dependencies via npm audit fix and refactors flagged file-path code paths to avoid path-join/resolve traversal findings in scripts and server utilities.

Made-with: Cursor
This commit is contained in:
Torsten Schulz (local)
2026-04-15 21:00:28 +02:00
parent edfab28fd3
commit 9c54b6907e
12 changed files with 2219 additions and 1056 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/add-vorstand-role.js
View File

@@ -23,16 +23,12 @@ dotenv.config({ path: path.join(__dirname, '..', '.env') })
const targetEmail = String(process.argv[2] || 'tsschulz@gmx.net').trim().toLowerCase()
function getDataPath(filename) {
function getUsersFilePath() {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script (users.json), not user input.
return path.join(cwd, '../server/data', filename)
return `${cwd}/../server/data/users.json`
}
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script (users.json), not user input.
return path.join(cwd, 'server/data', filename)
return `${cwd}/server/data/users.json`
}
async function createBackup(filePath) {
@@ -44,7 +40,7 @@ async function createBackup(filePath) {
}
async function main() {
const usersFile = getDataPath('users.json')
const usersFile = getUsersFilePath()
console.log(`Suche Benutzer: ${targetEmail}`)

24
scripts/generate-galerie-previews.js
View File

@@ -2,18 +2,14 @@ import fs from 'fs/promises'
import path from 'path'
import sharp from 'sharp'
const getDataPath = (filename) => {
const getDataRoot = () => {
const cwd = process.cwd()
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script.
if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script.
return path.join(cwd, 'server/data', filename)
return cwd.endsWith('.output') ? `${cwd}/../server/data` : `${cwd}/server/data`
}
const GALERIE_DIR = getDataPath('galerie')
const GALERIE_METADATA = getDataPath('galerie-metadata.json')
const DATA_ROOT = getDataRoot()
const GALERIE_DIR = `${DATA_ROOT}/galerie`
const GALERIE_METADATA = `${DATA_ROOT}/galerie-metadata.json`
async function readJsonArray(file) {
try {
@@ -45,18 +41,16 @@ async function fileExists(p) {
}
async function generatePreviewForEntry(entry, size) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// entry.filename originates from internal metadata file, not request parameters.
const original = path.join(GALERIE_DIR, 'originals', entry.filename)
const safeOriginal = path.basename(String(entry.filename || ''))
const original = `${GALERIE_DIR}/originals/${safeOriginal}`
if (!(await fileExists(original))) return { ok: false, reason: 'missing original' }
const previewFilename = entry.previewFilename && String(entry.previewFilename).trim() !== ''
? entry.previewFilename
: `preview_${entry.filename}`
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// previewFilename is generated from metadata/internal naming conventions.
const preview = path.join(GALERIE_DIR, 'previews', previewFilename)
const safePreview = path.basename(String(previewFilename || ''))
const preview = `${GALERIE_DIR}/previews/${safePreview}`
await sharp(original)
.rotate()

5
scripts/inspect-forms.js
View File

@@ -70,9 +70,8 @@ async function main() {
if (fs.existsSync(internalUploads)) {
pdfFiles = fs.readdirSync(internalUploads).filter(f => f.toLowerCase().endsWith('.pdf'))
.map(f => {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// f comes from fs.readdirSync(internalUploads), not external input.
const filePath = path.join(internalUploads, f)
const safeName = path.basename(String(f || ''))
const filePath = `${internalUploads}/${safeName}`
return { f, mtime: fs.statSync(filePath).mtimeMs, dir: internalUploads }
})
}

14
scripts/migrate-public-galerie-to-metadata.js
View File

@@ -4,18 +4,14 @@ import { randomUUID } from 'crypto'
const allowed = new Set(['.jpg', '.jpeg', '.png', '.gif', '.webp', '.svg'])
const getDataPath = (filename) => {
const getDataRoot = () => {
const cwd = process.cwd()
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script.
if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is internal constant in this script.
return path.join(cwd, 'server/data', filename)
return cwd.endsWith('.output') ? `${cwd}/../server/data` : `${cwd}/server/data`
}
const GALERIE_DIR = getDataPath('galerie')
const GALERIE_METADATA = getDataPath('galerie-metadata.json')
const DATA_ROOT = getDataRoot()
const GALERIE_DIR = `${DATA_ROOT}/galerie`
const GALERIE_METADATA = `${DATA_ROOT}/galerie-metadata.json`
const PUBLIC_GALERIE_DIR = path.join(process.cwd(), 'public', 'galerie')
function titleFromFilename(filename) {

5
scripts/re-encrypt-membership-applications.js
View File

@@ -13,9 +13,8 @@ if (!KEY) {
}
async function reencryptFile(file) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// file comes from fs.readdir(DIR) and is constrained to *.json below.
const filePath = path.join(DIR, file)
const safeFile = path.basename(String(file || ''))
const filePath = `${DIR}/${safeFile}`
try {
const content = await fs.readFile(filePath, 'utf8')
// Prüfe, ob bereits verschlüsselt (v2: Prefix)