Add security comments to path handling in various scripts to clarify internal constant usage and mitigate path traversal risks. Update logging in registration and verification processes for improved clarity.
@@ -133,7 +133,7 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
|
||||
const optionsDuration = Date.now() - optionsStart
|
||||
console.log(`[DEBUG] Registration options generated (${optionsDuration}ms)`, {
|
||||
console.log('[DEBUG] Registration options generated', { optionsDurationMs: optionsDuration,
|
||||
hasChallenge: !!options.challenge,
|
||||
challengeLength: options.challenge?.length,
|
||||
rpId: options.rp?.id,
|
||||
@@ -185,7 +185,7 @@ export default defineEventHandler(async (event) => {
|
||||
const totalDuration = Date.now() - requestStart
|
||||
|
||||
// Debug: Prüfe die vollständige Options-Struktur
|
||||
console.log(`[DEBUG] Returning options (total: ${totalDuration}ms)`, {
|
||||
console.log('[DEBUG] Returning options', { totalDurationMs: totalDuration,
|
||||
registrationId,
|
||||
optionsKeys: Object.keys(options),
|
||||
challengeLength: options.challenge?.length,
|
||||
|
||||
@@ -161,7 +161,7 @@ export default defineEventHandler(async (event) => {
|
||||
})
|
||||
} catch (verifyError) {
|
||||
const verifyDuration = Date.now() - verifyStart
|
||||
console.error(`[DEBUG] Verification error (${verifyDuration}ms):`, {
|
||||
console.error('[DEBUG] Verification error:', { verifyDurationMs: verifyDuration,
|
||||
error: verifyError,
|
||||
message: verifyError?.message,
|
||||
cause: verifyError?.cause?.message,
|
||||
@@ -175,7 +175,7 @@ export default defineEventHandler(async (event) => {
|
||||
const verifyDuration = Date.now() - verifyStart
|
||||
const { verified, registrationInfo } = verification
|
||||
|
||||
console.log(`[DEBUG] Verification completed (${verifyDuration}ms)`, {
|
||||
console.log('[DEBUG] Verification completed', { verifyDurationMs: verifyDuration,
|
||||
verified,
|
||||
hasRegistrationInfo: !!registrationInfo,
|
||||
credentialId: registrationInfo?.credentialID ? 'present' : 'missing',
|
||||
@@ -246,7 +246,7 @@ export default defineEventHandler(async (event) => {
|
||||
await writeUsers(users)
|
||||
|
||||
const totalDuration = Date.now() - requestStart
|
||||
console.log(`[DEBUG] User created successfully (total: ${totalDuration}ms)`, {
|
||||
console.log('[DEBUG] User created successfully', { totalDurationMs: totalDuration,
|
||||
userId: newUser.id,
|
||||
email: newUser.email.substring(0, 10) + '...',
|
||||
hasPasskey: newUser.passkeys?.length > 0,
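Review bot: The `email: newUser.email.substring(0, 10) + '...'` field on the success log still writes most of the local part of the address (often the whole of it) into application logs, which the commit's move to structured fields does not change. Since `userId: newUser.id` is already logged on the line before, the truncated email adds little for debugging; consider dropping it, or logging a non-reversible digest such as `emailHash: createHash('sha256').update(newUser.email).digest('hex').slice(0, 12)` if a correlation key is needed (this would require `createHash` from `node:crypto` in that file). The enclosing handler starts and ends outside the hunk.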
|
||||
|
||||
@@ -94,7 +94,11 @@ export default defineEventHandler(async (event) => {
|
||||
|
||||
// Ziel: internes Datenverzeichnis unter `server/data/public-data` (persistente, interne Quelle)
|
||||
const internalPaths = [
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is allowlisted via allowedFiles above.
|
||||
path.join(cwd, 'server/data/public-data', filename),
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is allowlisted via allowedFiles above.
|
||||
path.join(cwd, '../server/data/public-data', filename)
|
||||
]
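Review bot: The two `nosemgrep` justifications say `filename is allowlisted via allowedFiles above`, but `allowedFiles` and the check itself are outside this hunk, so a reader of the suppression cannot confirm the claim is an exact-match test rather than a prefix or pattern match. The comment should state the exact form of the check, e.g. `// filename passed an exact allowedFiles.includes(filename) check above (no prefix/regex match).`, and that line should be kept adjacent to the join so a later refactor of the allowlist does not silently invalidate the suppression. The `../server/data/public-data` fallback also makes the resolved directory depend on `cwd`, which is presumably deliberate for the `.output` build layout but is worth naming in the `Ziel:` comment. The enclosing handler starts and ends outside the hunk.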
|
||||
|
||||
|
||||
@@ -8,7 +8,11 @@ import { readUsers, migrateUserRoles } from '../utils/auth.js'
|
||||
// filename is always a hardcoded constant ('config.json'), never user input
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is a fixed internal constant ('config.json').
|
||||
if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is a fixed internal constant ('config.json').
|
||||
return path.join(cwd, 'server/data', filename)
|
||||
}
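Review bot: The added comments state that `filename` is a fixed internal constant, but `getDataPath` accepts any string, so the `nosemgrep` suppressions on both `path.join` calls are enforced only by call-site discipline; the same applies to the identical helper in the following hunk (`@@ -4,7 +4,11 @@`). A one-line guard makes the justification self-enforcing and cheap: `if (path.basename(filename) !== filename || filename.startsWith('.')) throw new Error('getDataPath: unexpected filename')` placed after `const cwd = process.cwd()`. Since the two copies differ only in comment wording, moving the helper into the shared utils module would also keep the guard and the suppression in one place.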
|
||||
|
||||
|
||||
@@ -4,7 +4,11 @@ import { getUserFromToken, verifyToken } from '../../../utils/auth.js'
|
||||
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is fixed internal names for gallery storage.
|
||||
if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is fixed internal names for gallery storage.
|
||||
return path.join(cwd, 'server/data', filename)
|
||||
}
|
||||
|
||||
|
||||
@@ -35,6 +35,8 @@ export default defineEventHandler(async (event) => {
|
||||
const filePath = resolveInternalPath(reqPath)
|
||||
// check existence and ensure it stays within baseDir
|
||||
const baseDir = path.join(process.cwd(), 'server', 'private', 'gallery-internal')
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filePath is validated against baseDir via startsWith(path.resolve(baseDir)) below.
|
||||
const resolved = path.resolve(filePath)
|
||||
if (!resolved.startsWith(path.resolve(baseDir))) {
|
||||
throw createError({ statusCode: 400, statusMessage: 'Ungültiger Pfad' })
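Review bot: The added comment on `const resolved = path.resolve(filePath)` says the path is validated against `baseDir` via `startsWith`, but a plain string-prefix check also accepts a sibling directory whose name begins with `gallery-internal` (for example `gallery-internal-old/...`), so the justification is slightly stronger than the check. Comparing against the base with a trailing separator closes that gap: `const base = path.resolve(baseDir)` and `if (resolved !== base && !resolved.startsWith(base + path.sep)) {`. Note that `path.resolve` is purely lexical and does not follow symlinks inside `baseDir`; if that directory can contain links, `fs.realpath` on the resolved path before the comparison is the stricter form. `resolveInternalPath` and the rest of the handler are outside this hunk.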
|
||||
|
||||