Security-Hardening Runde 2: Zip-Slip, Mass Assignment, weitere IDORs, Path-Traversal
Nach der ersten Runde habe ich parallel 3 Audit-Agents auf die Codebase angesetzt. Die fanden noch eine Menge: Zip-Slip, Mass Assignment inkl. Privilege Escalation, 13 weitere IDOR-Stellen, 2x Path-Traversal. Alles gefixt. Details + Angriffsvektoren in docs/SECURITY-REVIEW.md. 🔴 KRITISCH gefixt: 1. Zip-Slip im Backup-Upload: extractAllTo() entpackte bösartige ZIPs ohne Pfad-Validierung. Ein Angreifer mit Admin-Zugang hätte mit einem ZIP mit Entries wie ../../etc/crontab das ganze Filesystem überschreiben können. Jetzt wird jeder ZIP-Entry einzeln validiert (path.resolve, starts-with-Check). Absolute Pfade + Null-Bytes werden abgelehnt. 2. Mass Assignment bei Customer/User Controllers: - updateCustomer/createCustomer: req.body ging komplett an Prisma. Angreifer konnte portalPasswordHash, portalPasswordResetToken, consentHash, customerNumber direkt setzen. - updateUser/createUser: roleIds und isActive waren übernehmbar. **Privilege Escalation**: normaler Mitarbeiter konnte sich Admin-Rechte durch PUT /users/:id mit {"roleIds":[1]} geben, oder andere User deaktivieren. Fix: Neue Whitelist-Helper pickCustomerCreate/Update, pickUserCreate/Update in utils/sanitize.ts. Nur erlaubte Felder werden durchgelassen. 3. IDOR bei 13 weiteren Endpoints (neben denen aus Runde 1): - GET /meters/:meterId/readings - GET /emails/:emailId/attachments/:filename - GET /emails/:emailId/attachments (Liste) - GET /customers/:customerId/emails - GET /contracts/:contractId/emails - GET /emails/:id (einzelne Email) - GET /stressfrei-emails/:id (leakte emailPasswordEncrypted) - weitere… Fix: accessControl.ts ausgebaut um canAccessAddress, canAccessBankCard, canAccessIdentityDocument, canAccessMeter, canAccessStressfreiEmail, canAccessCachedEmail. In allen betroffenen Endpoints angewendet. 🟡 WICHTIG gefixt: 4. Path-Traversal bei Backup-Name (GET /settings/backup/:name/*): req.params.name wurde ohne Filter in path.join. Neuer isValidBackupName() erlaubt nur [A-Za-z0-9_-]+ ohne "..". 5. Path-Traversal bei GDPR-Proof-Download: proofDocument-Pfad aus DB wurde ohne Validation gejoined. Jetzt path.resolve + starts-with-uploads-Check. Neue/erweiterte Files: - backend/src/utils/accessControl.ts - 6 neue can-Access-Helper - backend/src/utils/sanitize.ts - 4 neue Whitelist-pick-Helper - docs/SECURITY-REVIEW.md - Runde 2 dokumentiert Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,14 @@
|
||||
import { Request, Response } from 'express';
|
||||
import * as backupService from '../services/backup.service.js';
|
||||
|
||||
/**
|
||||
* Validiert Backup-Namen: nur Zeichen die auch der Backup-Generator erstellen darf
|
||||
* (ISO-Zeitstempel mit Buchstaben, Zahlen, Bindestrich, optional -N Suffix).
|
||||
* Blockt Path-Traversal-Versuche wie "../../etc/passwd".
|
||||
*/
|
||||
function isValidBackupName(name: string): boolean {
|
||||
return /^[A-Za-z0-9_-]+$/.test(name) && !name.includes('..');
|
||||
}
|
||||
import { logChange } from '../services/audit.service.js';
|
||||
|
||||
/**
|
||||
@@ -45,8 +54,8 @@ export async function restoreBackup(req: Request, res: Response) {
|
||||
try {
|
||||
const { name } = req.params;
|
||||
|
||||
if (!name) {
|
||||
return res.status(400).json({ error: 'Backup-Name erforderlich' });
|
||||
if (!name || !isValidBackupName(name)) {
|
||||
return res.status(400).json({ error: 'Ungültiger Backup-Name' });
|
||||
}
|
||||
|
||||
const result = await backupService.restoreBackup(name);
|
||||
@@ -79,8 +88,8 @@ export async function deleteBackup(req: Request, res: Response) {
|
||||
try {
|
||||
const { name } = req.params;
|
||||
|
||||
if (!name) {
|
||||
return res.status(400).json({ error: 'Backup-Name erforderlich' });
|
||||
if (!name || !isValidBackupName(name)) {
|
||||
return res.status(400).json({ error: 'Ungültiger Backup-Name' });
|
||||
}
|
||||
|
||||
const result = await backupService.deleteBackup(name);
|
||||
@@ -107,8 +116,8 @@ export async function downloadBackup(req: Request, res: Response) {
|
||||
try {
|
||||
const { name } = req.params;
|
||||
|
||||
if (!name) {
|
||||
return res.status(400).json({ error: 'Backup-Name erforderlich' });
|
||||
if (!name || !isValidBackupName(name)) {
|
||||
return res.status(400).json({ error: 'Ungültiger Backup-Name' });
|
||||
}
|
||||
|
||||
const result = await backupService.createBackupZip(name);
|
||||
|
||||
@@ -15,13 +15,20 @@ import { DocumentType } from '@prisma/client';
|
||||
import prisma from '../lib/prisma.js';
|
||||
import path from 'path';
|
||||
import fs from 'fs';
|
||||
import { AuthRequest } from '../types/index.js';
|
||||
import {
|
||||
canAccessCustomer,
|
||||
canAccessContract,
|
||||
canAccessCachedEmail,
|
||||
} from '../utils/accessControl.js';
|
||||
|
||||
// ==================== E-MAIL LIST ====================
|
||||
|
||||
// E-Mails für einen Kunden abrufen
|
||||
export async function getEmailsForCustomer(req: Request, res: Response): Promise<void> {
|
||||
export async function getEmailsForCustomer(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const customerId = parseInt(req.params.customerId);
|
||||
if (!(await canAccessCustomer(req, res, customerId))) return;
|
||||
const stressfreiEmailId = req.query.accountId ? parseInt(req.query.accountId as string) : undefined;
|
||||
const folder = req.query.folder as string | undefined; // INBOX oder SENT
|
||||
const limit = req.query.limit ? parseInt(req.query.limit as string) : 50;
|
||||
@@ -47,9 +54,10 @@ export async function getEmailsForCustomer(req: Request, res: Response): Promise
|
||||
}
|
||||
|
||||
// E-Mails für einen Vertrag abrufen
|
||||
export async function getEmailsForContract(req: Request, res: Response): Promise<void> {
|
||||
export async function getEmailsForContract(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const contractId = parseInt(req.params.contractId);
|
||||
if (!(await canAccessContract(req, res, contractId))) return;
|
||||
const folder = req.query.folder as string | undefined; // INBOX oder SENT
|
||||
const limit = req.query.limit ? parseInt(req.query.limit as string) : 50;
|
||||
const offset = req.query.offset ? parseInt(req.query.offset as string) : 0;
|
||||
@@ -75,9 +83,11 @@ export async function getEmailsForContract(req: Request, res: Response): Promise
|
||||
// ==================== SINGLE EMAIL ====================
|
||||
|
||||
// Einzelne E-Mail abrufen (mit Body)
|
||||
export async function getEmail(req: Request, res: Response): Promise<void> {
|
||||
export async function getEmail(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const id = parseInt(req.params.id);
|
||||
if (!(await canAccessCachedEmail(req, res, id))) return;
|
||||
|
||||
const email = await cachedEmailService.getCachedEmailById(id);
|
||||
|
||||
if (!email) {
|
||||
@@ -396,9 +406,10 @@ export async function sendEmailFromAccount(req: Request, res: Response): Promise
|
||||
// ==================== ATTACHMENTS ====================
|
||||
|
||||
// Anhang-Liste einer E-Mail abrufen
|
||||
export async function getAttachments(req: Request, res: Response): Promise<void> {
|
||||
export async function getAttachments(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const emailId = parseInt(req.params.emailId);
|
||||
if (!(await canAccessCachedEmail(req, res, emailId))) return;
|
||||
|
||||
// E-Mail aus Cache laden
|
||||
const email = await cachedEmailService.getCachedEmailById(emailId);
|
||||
@@ -429,11 +440,14 @@ export async function getAttachments(req: Request, res: Response): Promise<void>
|
||||
}
|
||||
|
||||
// Einzelnen Anhang herunterladen
|
||||
export async function downloadAttachment(req: Request, res: Response): Promise<void> {
|
||||
export async function downloadAttachment(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const emailId = parseInt(req.params.emailId);
|
||||
const filename = decodeURIComponent(req.params.filename);
|
||||
|
||||
// Portal-Isolation: nur eigene/vertretene Emails
|
||||
if (!(await canAccessCachedEmail(req, res, emailId))) return;
|
||||
|
||||
// E-Mail aus Cache laden
|
||||
const email = await cachedEmailService.getCachedEmailById(emailId);
|
||||
if (!email) {
|
||||
|
||||
@@ -4,7 +4,19 @@ import * as customerService from '../services/customer.service.js';
|
||||
import * as authService from '../services/auth.service.js';
|
||||
import { logChange } from '../services/audit.service.js';
|
||||
import { ApiResponse, AuthRequest } from '../types/index.js';
|
||||
import { sanitizeCustomer, sanitizeCustomers, sanitizeCustomerStrict } from '../utils/sanitize.js';
|
||||
import {
|
||||
sanitizeCustomer,
|
||||
sanitizeCustomers,
|
||||
sanitizeCustomerStrict,
|
||||
pickCustomerCreate,
|
||||
pickCustomerUpdate,
|
||||
} from '../utils/sanitize.js';
|
||||
import {
|
||||
canAccessMeter,
|
||||
canAccessAddress,
|
||||
canAccessBankCard,
|
||||
canAccessIdentityDocument,
|
||||
} from '../utils/accessControl.js';
|
||||
|
||||
// Customer CRUD
|
||||
export async function getCustomers(req: AuthRequest, res: Response): Promise<void> {
|
||||
@@ -50,7 +62,8 @@ export async function getCustomer(req: AuthRequest, res: Response): Promise<void
|
||||
|
||||
export async function createCustomer(req: Request, res: Response): Promise<void> {
|
||||
try {
|
||||
const data = { ...req.body };
|
||||
// Whitelist: nur erlaubte Felder aus req.body übernehmen
|
||||
const data: any = pickCustomerCreate(req.body);
|
||||
// Convert birthDate string to Date if present
|
||||
if (data.birthDate) {
|
||||
data.birthDate = new Date(data.birthDate);
|
||||
@@ -74,7 +87,8 @@ export async function createCustomer(req: Request, res: Response): Promise<void>
|
||||
export async function updateCustomer(req: Request, res: Response): Promise<void> {
|
||||
try {
|
||||
const customerId = parseInt(req.params.id);
|
||||
const data = { ...req.body };
|
||||
// Whitelist: nur erlaubte Felder aus req.body übernehmen (Mass-Assignment-Schutz)
|
||||
const data: any = pickCustomerUpdate(req.body);
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
const before = await prisma.customer.findUnique({ where: { id: customerId } });
|
||||
@@ -622,9 +636,11 @@ export async function deleteMeter(req: Request, res: Response): Promise<void> {
|
||||
}
|
||||
|
||||
// Meter Readings
|
||||
export async function getMeterReadings(req: Request, res: Response): Promise<void> {
|
||||
export async function getMeterReadings(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const readings = await customerService.getMeterReadings(parseInt(req.params.meterId));
|
||||
const meterId = parseInt(req.params.meterId);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const readings = await customerService.getMeterReadings(meterId);
|
||||
res.json({ success: true, data: readings } as ApiResponse);
|
||||
} catch (error) {
|
||||
res.status(500).json({ success: false, error: 'Fehler beim Laden der Zählerstände' } as ApiResponse);
|
||||
|
||||
@@ -190,7 +190,12 @@ export async function getDeletionProof(req: AuthRequest, res: Response) {
|
||||
return res.status(404).json({ success: false, error: 'Kein Löschnachweis vorhanden' });
|
||||
}
|
||||
|
||||
const filepath = path.join(process.cwd(), 'uploads', request.proofDocument);
|
||||
// Path-Traversal-Schutz: proofDocument aus der DB darf nur unter uploads/ liegen
|
||||
const uploadsDir = path.resolve(process.cwd(), 'uploads');
|
||||
const filepath = path.resolve(uploadsDir, request.proofDocument);
|
||||
if (!filepath.startsWith(uploadsDir + path.sep)) {
|
||||
return res.status(400).json({ success: false, error: 'Ungültiger Dateipfad' });
|
||||
}
|
||||
|
||||
if (!fs.existsSync(filepath)) {
|
||||
return res.status(404).json({ success: false, error: 'Datei nicht gefunden' });
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
import { Request, Response } from 'express';
|
||||
import * as stressfreiEmailService from '../services/stressfreiEmail.service.js';
|
||||
import { logChange } from '../services/audit.service.js';
|
||||
import { ApiResponse } from '../types/index.js';
|
||||
import { ApiResponse, AuthRequest } from '../types/index.js';
|
||||
import { canAccessStressfreiEmail } from '../utils/accessControl.js';
|
||||
|
||||
export async function getEmailsByCustomer(req: Request, res: Response): Promise<void> {
|
||||
try {
|
||||
@@ -17,9 +18,12 @@ export async function getEmailsByCustomer(req: Request, res: Response): Promise<
|
||||
}
|
||||
}
|
||||
|
||||
export async function getEmail(req: Request, res: Response): Promise<void> {
|
||||
export async function getEmail(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const email = await stressfreiEmailService.getEmailById(parseInt(req.params.id));
|
||||
const emailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
|
||||
|
||||
const email = await stressfreiEmailService.getEmailById(emailId);
|
||||
if (!email) {
|
||||
res.status(404).json({
|
||||
success: false,
|
||||
@@ -27,7 +31,13 @@ export async function getEmail(req: Request, res: Response): Promise<void> {
|
||||
} as ApiResponse);
|
||||
return;
|
||||
}
|
||||
res.json({ success: true, data: email } as ApiResponse);
|
||||
|
||||
// Sensibles Feld emailPasswordEncrypted nie an Portal-Kunden geben
|
||||
const sanitized: any = { ...email };
|
||||
if (req.user?.isCustomerPortal) {
|
||||
delete sanitized.emailPasswordEncrypted;
|
||||
}
|
||||
res.json({ success: true, data: sanitized } as ApiResponse);
|
||||
} catch (error) {
|
||||
res.status(500).json({
|
||||
success: false,
|
||||
|
||||
@@ -3,6 +3,7 @@ import prisma from '../lib/prisma.js';
|
||||
import * as userService from '../services/user.service.js';
|
||||
import { logChange } from '../services/audit.service.js';
|
||||
import { ApiResponse } from '../types/index.js';
|
||||
import { pickUserCreate, pickUserUpdate } from '../utils/sanitize.js';
|
||||
|
||||
// Users
|
||||
export async function getUsers(req: Request, res: Response): Promise<void> {
|
||||
@@ -49,7 +50,8 @@ export async function getUser(req: Request, res: Response): Promise<void> {
|
||||
|
||||
export async function createUser(req: Request, res: Response): Promise<void> {
|
||||
try {
|
||||
const user = await userService.createUser(req.body);
|
||||
// Whitelist: nur erlaubte Felder aus req.body übernehmen (Mass-Assignment-Schutz)
|
||||
const user = await userService.createUser(pickUserCreate(req.body) as any);
|
||||
await logChange({
|
||||
req, action: 'CREATE', resourceType: 'User',
|
||||
resourceId: user.id.toString(),
|
||||
@@ -67,12 +69,13 @@ export async function createUser(req: Request, res: Response): Promise<void> {
|
||||
export async function updateUser(req: Request, res: Response): Promise<void> {
|
||||
try {
|
||||
const userId = parseInt(req.params.id);
|
||||
const data = req.body;
|
||||
// Whitelist: nur erlaubte Felder aus req.body übernehmen (Mass-Assignment-Schutz)
|
||||
const data = pickUserUpdate(req.body);
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
const before = await prisma.user.findUnique({ where: { id: userId } });
|
||||
|
||||
const user = await userService.updateUser(userId, data);
|
||||
const user = await userService.updateUser(userId, data as any);
|
||||
if (user) {
|
||||
// Audit: Geänderte Felder ermitteln und loggen
|
||||
if (before) {
|
||||
|
||||
Reference in New Issue
Block a user