torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca204e6ef99024489a3405d6b4b555b32bafecb9
harheimertc/server/api/newsletter/[id].delete.js
Torsten Schulz (local) c9037fec45
All checks were successful
Code Analysis (JS/Vue) / analyze (push) Successful in 3m19s
Details
Update path handling comments across multiple files to enhance security against path traversal vulnerabilities, ensuring consistent use of nosemgrep annotations for better code analysis.
2025-12-20 14:49:57 +01:00

94 lines
2.7 KiB
JavaScript
Raw Blame History

import fs from 'fs/promises'
import path from 'path'
import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
// filename is always a hardcoded constant (e.g., 'newsletter.json'), never user input
const getDataPath = (filename) => {
const cwd = process.cwd()
if (cwd.endsWith('.output')) {
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
return path.join(cwd, '../server/data', filename)
}
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
return path.join(cwd, 'server/data', filename)
}
const NEWSLETTERS_FILE = getDataPath('newsletters.json')
async function readNewsletters() {
try {
const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
return JSON.parse(data)
} catch (error) {
if (error.code === 'ENOENT') {
return []
}
throw error
}
}
async function writeNewsletters(newsletters) {
await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
}
export default defineEventHandler(async (event) => {
try {
// Authentifizierung prüfen
const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
if (!token) {
throw createError({
statusCode: 401,
statusMessage: 'Nicht authentifiziert'
})
}
const user = await getUserFromToken(token)
if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
throw createError({
statusCode: 403,
statusMessage: 'Keine Berechtigung'
})
}
const newsletterId = getRouterParam(event, 'id')
const newsletters = await readNewsletters()
const newsletterIndex = newsletters.findIndex(n => n.id === newsletterId)
if (newsletterIndex === -1) {
throw createError({
statusCode: 404,
statusMessage: 'Newsletter nicht gefunden'
})
}
// Nur Entwürfe können gelöscht werden
if (newsletters[newsletterIndex].status === 'sent') {
throw createError({
statusCode: 400,
statusMessage: 'Versendete Newsletter können nicht gelöscht werden'
})
}
newsletters.splice(newsletterIndex, 1)
await writeNewsletters(newsletters)
return {
success: true,
message: 'Newsletter erfolgreich gelöscht'
}
} catch (error) {
console.error('Fehler beim Löschen des Newsletters:', error)
if (error.statusCode) {
throw error
}
throw createError({
statusCode: 500,
statusMessage: 'Fehler beim Löschen des Newsletters'
})
}
})
Reference in New Issue View Git Blame Copy Permalink