fix(security): harden season file paths for semgrep

server/api/mannschaften.get.js

@@ -1,11 +1,35 @@
 import { promises as fs } from 'fs'
-import path from 'path'
 import { getCurrentSeasonSlug, validateSeasonSlug } from '../utils/spielplan-data.js'
 
 function normalizeSeasonFilename(season) {
   return `mannschaften_${season}.csv`
 }
 
+function isAllowedFilename(filename) {
+  return filename === 'mannschaften.csv' || /^mannschaften_\d{2}--\d{2}\.csv$/.test(String(filename || ''))
+}
+
+function buildCsvCandidates(cwd, filename) {
+  const safeFilename = String(filename || '').trim()
+  if (!isAllowedFilename(safeFilename)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Ungueltiger Dateiname fuer Mannschaften'
+    })
+  }
+
+  return [
+    `${cwd}/server/data/public-data/${safeFilename}`,
+    `${cwd}/../server/data/public-data/${safeFilename}`,
+    `${cwd}/.output/server/data/${safeFilename}`,
+    `${cwd}/server/data/${safeFilename}`,
+    `${cwd}/.output/public/data/${safeFilename}`,
+    `${cwd}/public/data/${safeFilename}`,
+    `${cwd}/../.output/public/data/${safeFilename}`,
+    `${cwd}/../public/data/${safeFilename}`
+  ]
+}
+
 async function exists(p) {
   try {
     await fs.access(p)
@@ -37,16 +61,7 @@ export default defineEventHandler(async (event) => {
     // then legacy locations.
     const candidates = []
     for (const filename of candidateFileNames) {
-      candidates.push(
-        path.join(cwd, 'server/data/public-data', filename),
-        path.join(cwd, '../server/data/public-data', filename),
-        path.join(cwd, '.output/server/data', filename),
-        path.join(cwd, 'server/data', filename),
-        path.join(cwd, '.output/public/data', filename),
-        path.join(cwd, 'public/data', filename),
-        path.join(cwd, '../.output/public/data', filename),
-        path.join(cwd, '../public/data', filename)
-      )
+      candidates.push(...buildCsvCandidates(cwd, filename))
     }
 
     let csvPath = null