torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c9037fec45032afbca02b85e115247c5774cf5f3
harheimertc/server/api/newsletter/create.post.js
Torsten Schulz (local) c9037fec45
All checks were successful
Code Analysis (JS/Vue) / analyze (push) Successful in 3m19s
Details
Update path handling comments across multiple files to enhance security against path traversal vulnerabilities, ensuring consistent use of nosemgrep annotations for better code analysis.
2025-12-20 14:49:57 +01:00

120 lines
3.5 KiB
JavaScript
Raw Blame History

import fs from 'fs/promises'
import path from 'path'
import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
import { randomUUID } from 'crypto'
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant (e.g., 'newsletter.json'), never user input
const getDataPath = (filename) => {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
const NEWSLETTERS_FILE = getDataPath('newsletters.json')
async function readNewsletters() {
try {
const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
return JSON.parse(data)
} catch (error) {
if (error.code === 'ENOENT') {
return []
}
throw error
}
}
async function writeNewsletters(newsletters) {
await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
}
export default defineEventHandler(async (event) => {
try {
// Authentifizierung prüfen
const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
if (!token) {
throw createError({
statusCode: 401,
statusMessage: 'Nicht authentifiziert'
})
}
const user = await getUserFromToken(token)
if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
throw createError({
statusCode: 403,
statusMessage: 'Keine Berechtigung'
})
}
const body = await readBody(event)
const { title, content, type, targetGroup, sendToExternal } = body
if (!title || !type) {
throw createError({
statusCode: 400,
statusMessage: 'Titel und Typ sind erforderlich'
})
}
if (type === 'subscription' && sendToExternal === undefined) {
throw createError({
statusCode: 400,
statusMessage: 'sendToExternal ist für Abonnenten-Newsletter erforderlich'
})
}
if (type === 'group' && !targetGroup) {
throw createError({
statusCode: 400,
statusMessage: 'Zielgruppe ist für Gruppen-Newsletter erforderlich'
})
}
const newsletters = await readNewsletters()
const newNewsletter = {
id: randomUUID(),
title,
content,
type, // 'subscription' oder 'group'
targetGroup: type === 'group' ? targetGroup : null, // 'alle', 'erwachsene', 'nachwuchs', 'mannschaftsspieler', 'vorstand'
sendToExternal: type === 'subscription' ? sendToExternal : false, // true = auch extern, false = nur intern
status: 'draft', // 'draft', 'sent'
createdAt: new Date().toISOString(),
createdBy: user.id,
sentAt: null,
sentTo: null
}
newsletters.push(newNewsletter)
await writeNewsletters(newsletters)
return {
success: true,
message: 'Newsletter erfolgreich erstellt',
newsletter: {
id: newNewsletter.id,
title: newNewsletter.title,
type: newNewsletter.type
}
}
} catch (error) {
console.error('Fehler beim Erstellen des Newsletters:', error)
if (error.statusCode) {
throw error
}
throw createError({
statusCode: 500,
statusMessage: 'Fehler beim Erstellen des Newsletters'
})
}
})
Reference in New Issue View Git Blame Copy Permalink