9cf8c505af
28.1 Restarbeit (URI-Schemata):
DANGEROUS_URI_SCHEMES jetzt vollstaendig – blob:, about:, ws:, wss:,
ldap:, dict: ergaenzt. http(s):, mailto:, tel: bewusst nicht
geblockt (legitime URLs in Notizfeldern).
29.1 Cyrillic-Homoglyph:
"jаvascript:" mit U+0430 lief durch die Regex. HOMOGLYPH_TO_ASCII-
Map (а→a, е→e, о→o, …, 13 Eintraege) wird VOR dem Scheme-Strip
angewendet.
29.2 Percent-Encoding:
"java%73cript:" und "java%2573cript:" umgingen den Filter.
percentDecode() laeuft jetzt iterativ bis zu 5 Runden.
29.3 Zero-Width-Joiner:
"javascript:" mit U+200B/200C/200D etc. zerteilte die Regex-
Matches. ZERO_WIDTH_CHARS-Regex strippt alle unsichtbaren Unicode-
Steuerzeichen, bevor irgendwas anderes laeuft.
28.3 Partial (PDF-Validierung tiefer):
Magic-Bytes allein reichten nicht – "%PDF-1.4\n#!/bin/bash" kam
durch. Jetzt zusaetzlich %%EOF-Marker in den letzten 1 KB +
Pattern-Scan der ersten 4 KB auf #!/, <script, <?php, <%, "MZ "
(PE-Header).
29.4 Email-Format-Validator:
neuer isValidEmail() lehnt Whitespace/Newlines (SMTP-Header-
Injection-Vektor) und Format-Muell ab. Verdrahtet in
create/update Customer + User + updatePortalSettings.
29.5 GET /api/providers/email 500 -> 404:
parseInt("email") = NaN, Prisma crashte. Controller validiert jetzt
Number.isFinite(id) und liefert 404.
Live-verifiziert auf dev: 13 Test-Cases (alle Schema-Varianten,
Homoglyphe, Percent, ZWJ, PDF-Validierung, Email-Format,
/providers/email) – alle erwarteten Antworten.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
342 lines
13 KiB
TypeScript
342 lines
13 KiB
TypeScript
import { Request, Response } from 'express';
|
||
import prisma from '../lib/prisma.js';
|
||
import * as userService from '../services/user.service.js';
|
||
import { logChange } from '../services/audit.service.js';
|
||
import { ApiResponse } from '../types/index.js';
|
||
import { pickUserCreate, pickUserUpdate, isValidEmail } from '../utils/sanitize.js';
|
||
import { validatePasswordComplexity, STAFF_MIN_PASSWORD_LENGTH } from '../utils/passwordGenerator.js';
|
||
|
||
// Users
|
||
export async function getUsers(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const { search, isActive, roleId, page, limit } = req.query;
|
||
const result = await userService.getAllUsers({
|
||
search: search as string,
|
||
isActive: isActive !== undefined ? isActive === 'true' : undefined,
|
||
roleId: roleId ? parseInt(roleId as string) : undefined,
|
||
page: page ? parseInt(page as string) : undefined,
|
||
limit: limit ? parseInt(limit as string) : undefined,
|
||
});
|
||
res.json({
|
||
success: true,
|
||
data: result.users,
|
||
pagination: result.pagination,
|
||
} as ApiResponse);
|
||
} catch (error) {
|
||
res.status(500).json({
|
||
success: false,
|
||
error: 'Fehler beim Laden der Benutzer',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function getUser(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const user = await userService.getUserById(parseInt(req.params.id));
|
||
if (!user) {
|
||
res.status(404).json({
|
||
success: false,
|
||
error: 'Benutzer nicht gefunden',
|
||
} as ApiResponse);
|
||
return;
|
||
}
|
||
res.json({ success: true, data: user } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(500).json({
|
||
success: false,
|
||
error: 'Fehler beim Laden des Benutzers',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function createUser(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
// Whitelist: nur erlaubte Felder aus req.body übernehmen (Mass-Assignment-Schutz)
|
||
const data = pickUserCreate(req.body) as any;
|
||
// Email-Format prüfen, sonst landet "x@y\nBcc:..." in der DB
|
||
// (Pentest 29.4 – SMTP-Header-Injection).
|
||
if (!isValidEmail(data?.email) || !data?.email) {
|
||
res.status(400).json({ success: false, error: 'Ungültiges E-Mail-Format' } as ApiResponse);
|
||
return;
|
||
}
|
||
if (data?.password) {
|
||
const c = validatePasswordComplexity(data.password, { minLength: STAFF_MIN_PASSWORD_LENGTH });
|
||
if (!c.ok) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: 'Passwort erfüllt Mindestanforderungen nicht: ' + c.errors.join(', '),
|
||
} as ApiResponse);
|
||
return;
|
||
}
|
||
}
|
||
const user = await userService.createUser(data);
|
||
await logChange({
|
||
req, action: 'CREATE', resourceType: 'User',
|
||
resourceId: user.id.toString(),
|
||
label: `Benutzer ${user.firstName} ${user.lastName} angelegt`,
|
||
});
|
||
res.status(201).json({ success: true, data: user } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Erstellen des Benutzers',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function updateUser(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const userId = parseInt(req.params.id);
|
||
// `permissions` und `password` darf der generische Update nicht
|
||
// entgegennehmen. Vorher landeten sie auf dem Floor (Whitelist-Drop),
|
||
// der Caller bekam aber 200 zurück und glaubte fälschlich, die Werte
|
||
// wären übernommen worden. Stattdessen sofort 400, damit Tooling /
|
||
// Client den Fehler sieht. (Pentest 2026-05-20)
|
||
// - permissions kommen aus Rollen (PUT roleIds bzw. die DSGVO-/
|
||
// Developer-Checkboxen) und können nicht direkt am User hängen.
|
||
// - password wird über POST /users/:id/password gesetzt
|
||
// (eigene Komplexitäts-Validierung + Audit-Trail).
|
||
const body = req.body || {};
|
||
const forbidden = ['permissions', 'password', 'passwordHash'];
|
||
const offending = forbidden.filter((k) => k in body);
|
||
if (offending.length > 0) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: `Felder nicht erlaubt: ${offending.join(', ')}. ` +
|
||
(offending.includes('permissions')
|
||
? 'Permissions werden über roleIds / hasGdprAccess / hasDeveloperAccess gesteuert. '
|
||
: '') +
|
||
(offending.includes('password') || offending.includes('passwordHash')
|
||
? `Passwort über POST /users/${userId}/password setzen.`
|
||
: ''),
|
||
} as ApiResponse);
|
||
return;
|
||
}
|
||
// Whitelist: nur erlaubte Felder aus req.body übernehmen (Mass-Assignment-Schutz)
|
||
const data = pickUserUpdate(req.body);
|
||
// Email-Validierung gegen SMTP-Header-Injection (Pentest 29.4).
|
||
// null/leer ist OK (Email darf optional sein), nur falsches Format prüfen.
|
||
if (data?.email !== undefined && !isValidEmail(data.email)) {
|
||
res.status(400).json({ success: false, error: 'Ungültiges E-Mail-Format' } as ApiResponse);
|
||
return;
|
||
}
|
||
|
||
// Vorherigen Stand laden für Audit – inkl. Rollen, damit hasGdprAccess /
|
||
// hasDeveloperAccess (versteckte Rollen) korrekt verglichen werden.
|
||
const beforeUser = await prisma.user.findUnique({
|
||
where: { id: userId },
|
||
include: { roles: { include: { role: true } } },
|
||
});
|
||
const before = beforeUser
|
||
? {
|
||
...beforeUser,
|
||
hasGdprAccess: beforeUser.roles.some((ur) => ur.role.name === 'DSGVO'),
|
||
hasDeveloperAccess: beforeUser.roles.some((ur) => ur.role.name === 'Developer'),
|
||
}
|
||
: null;
|
||
|
||
const user = await userService.updateUser(userId, data as any);
|
||
if (user) {
|
||
// Audit: Geänderte Felder ermitteln und loggen
|
||
if (before) {
|
||
const changes: Record<string, { von: unknown; nach: unknown }> = {};
|
||
const fieldLabels: Record<string, string> = {
|
||
email: 'E-Mail', firstName: 'Vorname', lastName: 'Nachname', isActive: 'Aktiv',
|
||
hasGdprAccess: 'DSGVO-Zugriff', hasDeveloperAccess: 'Entwicklerzugriff',
|
||
};
|
||
for (const [key, newVal] of Object.entries(data)) {
|
||
if (['id', 'createdAt', 'updatedAt'].includes(key)) continue;
|
||
const oldVal = (before as any)[key];
|
||
const norm = (v: unknown) => (v === null || v === undefined || v === '' ? null : v);
|
||
if (JSON.stringify(norm(oldVal)) !== JSON.stringify(norm(newVal))) {
|
||
const label = fieldLabels[key] || key;
|
||
const formatVal = (v: unknown) => {
|
||
if (v === null || v === undefined || v === '') return '-';
|
||
if (typeof v === 'boolean') return v ? 'Ja' : 'Nein';
|
||
return String(v);
|
||
};
|
||
changes[label] = { von: formatVal(oldVal), nach: formatVal(newVal) };
|
||
}
|
||
}
|
||
const changeList = Object.entries(changes).map(([f, c]) => `${f}: ${c.von} → ${c.nach}`).join(', ');
|
||
await logChange({
|
||
req, action: 'UPDATE', resourceType: 'User',
|
||
resourceId: user.id.toString(),
|
||
label: changeList ? `Benutzer ${user.firstName} ${user.lastName} aktualisiert: ${changeList}` : `Benutzer ${user.firstName} ${user.lastName} aktualisiert`,
|
||
details: Object.keys(changes).length > 0 ? changes : undefined,
|
||
});
|
||
} else {
|
||
await logChange({
|
||
req, action: 'UPDATE', resourceType: 'User',
|
||
resourceId: user.id.toString(),
|
||
label: `Benutzer ${user.firstName} ${user.lastName} aktualisiert`,
|
||
});
|
||
}
|
||
}
|
||
res.json({ success: true, data: user } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Aktualisieren des Benutzers',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
// Admin setzt das Passwort eines anderen Users zurück. Separat vom
|
||
// generischen Update damit der Vorgang explizit auditiert wird und nicht
|
||
// versehentlich über Mass-Assignment passieren kann.
|
||
// Pentest Runde 12 (2026-05-18) MITTEL.
|
||
export async function setUserPassword(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const userId = parseInt(req.params.id);
|
||
const { password } = req.body || {};
|
||
if (!password || typeof password !== 'string') {
|
||
res.status(400).json({ success: false, error: 'Passwort erforderlich' } as ApiResponse);
|
||
return;
|
||
}
|
||
const c = validatePasswordComplexity(password, { minLength: STAFF_MIN_PASSWORD_LENGTH });
|
||
if (!c.ok) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: 'Passwort erfüllt Mindestanforderungen nicht: ' + c.errors.join(', '),
|
||
} as ApiResponse);
|
||
return;
|
||
}
|
||
const user = await userService.updateUser(userId, { password } as any);
|
||
if (!user) {
|
||
res.status(404).json({ success: false, error: 'Benutzer nicht gefunden' } as ApiResponse);
|
||
return;
|
||
}
|
||
await logChange({
|
||
req, action: 'UPDATE', resourceType: 'User',
|
||
resourceId: user.id.toString(),
|
||
label: `Passwort für Benutzer ${user.firstName} ${user.lastName} (${user.email}) durch Admin gesetzt`,
|
||
});
|
||
res.json({ success: true, message: 'Passwort gesetzt' } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Setzen des Passworts',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function deleteUser(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const userId = parseInt(req.params.id);
|
||
const userBefore = await userService.getUserById(userId);
|
||
await userService.deleteUser(userId);
|
||
await logChange({
|
||
req, action: 'DELETE', resourceType: 'User',
|
||
resourceId: userId.toString(),
|
||
label: `Benutzer ${userBefore?.firstName || ''} ${userBefore?.lastName || ''} gelöscht`,
|
||
});
|
||
res.json({ success: true, message: 'Benutzer gelöscht' } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Löschen des Benutzers',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
// Roles
|
||
export async function getRoles(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const roles = await userService.getAllRoles();
|
||
res.json({ success: true, data: roles } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(500).json({
|
||
success: false,
|
||
error: 'Fehler beim Laden der Rollen',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function getRole(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const role = await userService.getRoleById(parseInt(req.params.id));
|
||
if (!role) {
|
||
res.status(404).json({
|
||
success: false,
|
||
error: 'Rolle nicht gefunden',
|
||
} as ApiResponse);
|
||
return;
|
||
}
|
||
res.json({ success: true, data: role } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(500).json({
|
||
success: false,
|
||
error: 'Fehler beim Laden der Rolle',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function createRole(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const role = await userService.createRole(req.body);
|
||
await logChange({
|
||
req, action: 'CREATE', resourceType: 'Role',
|
||
resourceId: role.id.toString(),
|
||
label: `Rolle ${role.name} angelegt`,
|
||
});
|
||
res.status(201).json({ success: true, data: role } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Erstellen der Rolle',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function updateRole(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const role = await userService.updateRole(parseInt(req.params.id), req.body);
|
||
if (role) {
|
||
await logChange({
|
||
req, action: 'UPDATE', resourceType: 'Role',
|
||
resourceId: role.id.toString(),
|
||
label: `Rolle ${role.name} aktualisiert`,
|
||
});
|
||
}
|
||
res.json({ success: true, data: role } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Aktualisieren der Rolle',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
export async function deleteRole(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const roleId = parseInt(req.params.id);
|
||
const role = await userService.getRoleById(roleId);
|
||
await userService.deleteRole(roleId);
|
||
await logChange({
|
||
req, action: 'DELETE', resourceType: 'Role',
|
||
resourceId: roleId.toString(),
|
||
label: `Rolle ${role?.name || roleId} gelöscht`,
|
||
});
|
||
res.json({ success: true, message: 'Rolle gelöscht' } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(400).json({
|
||
success: false,
|
||
error: error instanceof Error ? error.message : 'Fehler beim Löschen der Rolle',
|
||
} as ApiResponse);
|
||
}
|
||
}
|
||
|
||
// Permissions
|
||
export async function getPermissions(req: Request, res: Response): Promise<void> {
|
||
try {
|
||
const permissions = await userService.getAllPermissions();
|
||
res.json({ success: true, data: permissions } as ApiResponse);
|
||
} catch (error) {
|
||
res.status(500).json({
|
||
success: false,
|
||
error: 'Fehler beim Laden der Berechtigungen',
|
||
} as ApiResponse);
|
||
}
|
||
}
|