fix : securite regex et message erreur et endpoint

2026-03-12 08:58:58 +01:00
parent 47bc8ba966
commit b3fc6f77b1
12 changed files with 198 additions and 24 deletions
--- a/server/api/backup-script.post.ts
+++ b/server/api/backup-script.post.ts
@@ -50,9 +50,11 @@ export default defineEventHandler(async (event) => {
      output: output.trim()
    }
  } catch (error) {
+    console.error("Erreur execution script:", error)
+
    throw createError({
      statusCode: 500,
-      statusMessage: `Erreur execution script: ${String(error)}`
+      statusMessage: "Erreur lors de l'opération"
    })
  }
 })
--- a/server/api/backups.get.ts
+++ b/server/api/backups.get.ts
@@ -31,9 +31,11 @@ function isMissingPathError(error: unknown): boolean {
 }

 function toServerError(error: unknown) {
+  console.error("Erreur backups:", error)
+
  return createError({
    statusCode: 500,
-    statusMessage: `Erreur SSH backups: ${String(error)}`
+    statusMessage: "Erreur lors de l'opération"
  })
 }

--- a/server/api/discord/messages.get.ts
+++ b/server/api/discord/messages.get.ts
@@ -1,15 +1,31 @@
 export default defineEventHandler(async () => {
-    const token = process.env.DISCORD_BOT_TOKEN
-    const channel = process.env.DISCORD_CHANNEL_ID
+  const token = process.env.DISCORD_BOT_TOKEN
+  const channel = process.env.DISCORD_CHANNEL_ID

+  if (!token || !channel) {
+    throw createError({
+      statusCode: 503,
+      statusMessage: "Service indisponible"
+    })
+  }
+
+  try {
    const messages = await $fetch(
-        `https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
-        {
-            headers: {
-                Authorization: `Bot ${token}`
-            }
+      `https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
+      {
+        headers: {
+          Authorization: `Bot ${token}`
        }
+      }
    )

    return messages
-})
+  } catch (error) {
+    console.error("Erreur Discord messages:", error)
+
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Erreur lors de l'opération"
+    })
+  }
+})
--- a/server/api/disk.get.ts
+++ b/server/api/disk.get.ts
@@ -40,11 +40,12 @@ export default defineEventHandler(async () => {
          output
        }
      } catch (error) {
+        console.error(`Erreur disk source ${source.key}:`, error)
        return {
          key: source.key,
          label: source.label,
          ok: false,
-          output: `Erreur: ${String(error)}`
+          output: "Erreur lors de l'opération"
        }
      }
    })
--- a/server/api/download.get.ts
+++ b/server/api/download.get.ts
@@ -7,7 +7,7 @@ const REMOTE_ROOT = process.env.BACKUPS_REMOTE_ROOT || "/home/malio-b/backups"
 const FOLDER_MAP = folderMap as Record<string, string>

 const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-const isSafeFile = (value: string) => /^[^/\\]+$/.test(value)
+const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 const shellQuote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`

 function runSsh(command: string): Promise<string> {