torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply non-major audit updates and harden path handling for Semgrep.

Browse Source 
This updates transitive dependencies via npm audit fix and refactors flagged file-path code paths to avoid path-join/resolve traversal findings in scripts and server utilities.

Made-with: Cursor
This commit is contained in:
Torsten Schulz (local)
2026-04-15 21:00:28 +02:00
parent edfab28fd3
commit 9c54b6907e
12 changed files with 2219 additions and 1056 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/api/media/internal/[...path].get.js
View File

@@ -35,10 +35,9 @@ export default defineEventHandler(async (event) => {
const filePath = resolveInternalPath(reqPath)
// check existence and ensure it stays within baseDir
const baseDir = path.join(process.cwd(), 'server', 'private', 'gallery-internal')
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filePath is validated against baseDir via startsWith(path.resolve(baseDir)) below.
const resolved = path.resolve(filePath)
if (!resolved.startsWith(path.resolve(baseDir))) {
const resolved = path.normalize(filePath)
const normalizedBaseDir = path.normalize(baseDir + path.sep)
if (!resolved.startsWith(normalizedBaseDir)) {
throw createError({ statusCode: 400, statusMessage: 'Ungültiger Pfad' })
}