Trek_CN/server
jubnl b109c1340a
fix: prevent ICS header injection in calendar export
Three vulnerabilities patched in the /export.ics route:

- esc() now handles bare \r and CRLF sequences — the previous regex only
  matched \n, leaving \r intact and allowing CRLF injection via \r\n
- reservation DESCRIPTION field was built from unescaped user data
  (type, confirmation_number, notes, airline, flight/train numbers,
  airports) and written raw into ICS output; now passed through esc()
- Content-Disposition filename used ICS escaping instead of HTTP header
  sanitization; replaced with a character allowlist to prevent " and
  \r\n injection into the response header
2026-04-01 07:58:18 +02:00
..
public Merge branch 'perf-test' of https://github.com/jubnl/TREK into dev 2026-03-31 23:10:02 +02:00
src fix: prevent ICS header injection in calendar export 2026-04-01 07:58:18 +02:00
.env.example fix: remove JWT_SECRET env var — server manages it exclusively 2026-04-01 07:58:05 +02:00
package-lock.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
package.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00