fix: t-005 a t-0029 correctif

server/api/backups.get.ts

@@ -3,12 +3,10 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_ROOT,
+  isSafeFolder,
 } from "../utils/ssh.ts"
 
-import {process} from "std-env";
-
 const MAX_FILES_PER_FOLDER = Math.max(1, Number(process.env.BACKUPS_MAX_FILES) || 50)
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 
 
 function isMissingPathError(error: unknown): boolean {

server/api/discord/messages.get.ts

@@ -1,6 +1,7 @@
-export default defineEventHandler(async () => {
-  const token = process.env.DISCORD_BOT_TOKEN
-  const channel = process.env.DISCORD_CHANNEL_ID
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event)
+  const token = config.discordBotToken
+  const channel = config.discordChannelId
 
   if (!token || !channel) {
     throw createError({

server/api/download-latest.get.ts

@@ -3,11 +3,10 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_HOST,
+  isSafeFolder
 } from "../utils/ssh.ts"
 import { spawn } from "node:child_process"
 
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-
 async function getLatestRemoteFile(remoteDir: string): Promise<string | null> {
   const output = await runSsh(`cd ${shellQuote(remoteDir)} && ls -1A | sort -r | head -n 1`)
   const fileName = output.trim()
@@ -45,6 +44,9 @@ export default defineEventHandler(async (event) => {
     }
 
     const fileName = await getLatestRemoteFile(remoteDir)
+    if (!fileName || !isSafeFolder(fileName)) {
+        continue
+    }
     if (!fileName) {
       continue
     }
@@ -93,6 +95,6 @@ export default defineEventHandler(async (event) => {
       console.error(`Erreur archive SSH (${code}): ${stderr}`)
     }
   })
-
+  event.node.res.on("close", () => child.kill())
   return sendStream(event, child.stdout)
 })

server/api/download.get.ts

@@ -3,13 +3,11 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_HOST,
+  isSafeFolder,
+  isSafeFile
 } from "../utils/ssh.ts"
 import { spawn } from "node:child_process"
 
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-
-
 function buildContentDisposition(fileName: string) {
   const asciiName = fileName.replace(/[^\x20-\x7E]/g, "_").replace(/["\\]/g, "_")
   return `attachment; filename="${asciiName}"; filename*=UTF-8''${encodeURIComponent(fileName)}`
@@ -61,6 +59,6 @@ export default defineEventHandler(async (event) => {
       console.error(`Erreur téléchargement SSH (${code}): ${stderr}`)
     }
   })
-
+  event.node.res.on("close", () => child.kill())
   return sendStream(event, child.stdout)
 })

server/api/upload.post.ts

@@ -1,9 +1,10 @@
 export default defineEventHandler(async (event) => {
     const req = event.node.req
-
+    const MAX_UPLOAD_BYTES = 100 * 1024 * 1024 // 100MB
     let received = 0
 
     for await (const chunk of req) {
+        if (received > MAX_UPLOAD_BYTES) throw createError({ statusCode: 413, statusMessage: "Fichier trop volumineux" })
         received += chunk.length
     }
 

server/api/version-status.get.ts

@@ -1,12 +1,18 @@
 import targets from "../config/version-status-targets.json"
 
+const REQUEST_TIMEOUT_MS = 5000
+
 export default defineEventHandler(async () => {
   const results = await Promise.all(
     targets.map(async (target) => {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS)
+
       try {
         const response = await fetch(target.url, {
           method: "GET",
-          headers: { Accept: "application/json" }
+          headers: { Accept: "application/json" },
+          signal: controller.signal
         })
 
         return {
@@ -25,6 +31,8 @@ export default defineEventHandler(async () => {
           checkedAt: new Date().toISOString(),
           error: error instanceof Error ? error.message : String(error)
         }
+      } finally {
+        clearTimeout(timeoutId)
       }
     })
   )

server/utils/ssh.ts

@@ -1,11 +1,11 @@
 import {execFile} from "node:child_process"
-import {process} from "std-env";
 import folderMap from "#server/config/backup-folders.json";
 
 export const REMOTE_HOST = process.env.BACKUPS_REMOTE_HOST
 export const REMOTE_ROOT = process.env.BACKUPS_REMOTE_ROOT || "/home/malio-b/backups"
 export const FOLDER_MAP = folderMap as Record<string, string>
-
+export const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
+export const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 
 export const shellQuote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`
 
@@ -45,7 +45,7 @@ export async function resolveFolderRemoteDir(folderName: string): Promise<string
         return direct
     }
 
-    const nested = `${REMOTE_ROOT}/bdd_recette/${folderName}`
+    const nested = `${REMOTE_ROOT}/bdd-recette/${folderName}`
     if (await remoteDirExists(nested)) {
         return nested
     }