perf: add database indexes, implement caching, enforce permission guards, and sanitize external URLs

2026-05-10 22:01:06 +02:00
parent 351938aa5c
commit aa4c181b0c
14 changed files with 94 additions and 40 deletions
@@ -6,6 +6,15 @@ import { LabelPrintJob } from '../database/entities/label-print-job.entity';
 import { BarcodeTemplate } from '../database/entities/barcode-template.entity';
 import { LabelRendererService } from './label-renderer.service';

+function isSafeUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === 'http:' || parsed.protocol === 'https:';
+  } catch {
+    return false;
+  }
+}
+
 function applyVars(template: string, vars: Record<string, string>): string {
  return template.replace(/\{([^}]+)\}/g, (_, key: string) => {
    const colonIdx = key.indexOf(':');
@@ -71,12 +80,16 @@ export class LabelPrintAgentService {
    // GET-URL aufrufen → {number}
    if (template.LabelGetUrl) {
      const url = applyVars(template.LabelGetUrl, vars);
-      try {
-        const res = await fetch(url);
-        const text = (await res.text()).trim();
-        vars['number'] = text;
-      } catch (err: any) {
-        this.logger.warn(`GET-URL fehlgeschlagen (${url}): ${err.message}`);
+      if (isSafeUrl(url)) {
+        try {
+          const res = await fetch(url);
+          const text = (await res.text()).trim();
+          vars['number'] = text;
+        } catch (err: any) {
+          this.logger.warn(`GET-URL fehlgeschlagen (${url}): ${err.message}`);
+        }
+      } else {
+        this.logger.warn(`GET-URL übersprungen (ungültiges Protokoll): ${url}`);
      }
    }

@@ -201,6 +214,10 @@ export class LabelPrintAgentService {
    if (!urlTemplate) return;

    const url = applyVars(urlTemplate, job.LabelVariables ?? {});
+    if (!isSafeUrl(url)) {
+      this.logger.warn(`${type}-URL übersprungen (ungültiges Protokoll): ${url}`);
+      return;
+    }
    try {
      await fetch(url, { method: 'POST' });
    } catch (err: any) {