Add security comments to path handling in various scripts to clarify internal constant usage and mitigate path traversal risks. Update logging in registration and verification processes for improved clarity.

2026-04-15 20:52:38 +02:00
parent 5f79d220cf
commit edfab28fd3
14 changed files with 46 additions and 6 deletions
--- a/scripts/add-vorstand-role.js
+++ b/scripts/add-vorstand-role.js
@@ -26,8 +26,12 @@ const targetEmail = String(process.argv[2] || 'tsschulz@gmx.net').trim().toLower
 function getDataPath(filename) {
  const cwd = process.cwd()
  if (cwd.endsWith('.output')) {
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+    // filename is internal constant in this script (users.json), not user input.
    return path.join(cwd, '../server/data', filename)
  }
+  // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+  // filename is internal constant in this script (users.json), not user input.
  return path.join(cwd, 'server/data', filename)
 }