Add security comments to path handling in various scripts to clarify internal constant usage and mitigate path traversal risks. Update logging in registration and verification processes for improved clarity.
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 2m48s
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 2m48s
This commit is contained in:
Torsten Schulz (local)
@@ -8,7 +8,11 @@ import { readUsers, migrateUserRoles } from '../utils/auth.js'
|
||||
// filename is always a hardcoded constant ('config.json'), never user input
|
||||
const getDataPath = (filename) => {
|
||||
const cwd = process.cwd()
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is a fixed internal constant ('config.json').
|
||||
if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
|
||||
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
|
||||
// filename is a fixed internal constant ('config.json').
|
||||
return path.join(cwd, 'server/data', filename)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user