Initial commit

2025-12-28 21:36:45 +00:00
Commit ab1e5be9a9
--- a/backend/middleware/validation.js
+++ b/backend/middleware/validation.js
@ -0,0 +1,249 @@
+/**
+ * TASKMATE - Input Validierung
+ * ============================
+ * Schutz vor SQL-Injection und XSS
+ */
+
+const sanitizeHtml = require('sanitize-html');
+
+/**
+ * HTML-Tags entfernen (für reine Text-Felder)
+ */
+function stripHtml(input) {
+  if (typeof input !== 'string') return input;
+  return sanitizeHtml(input, {
+    allowedTags: [],
+    allowedAttributes: {}
+  }).trim();
+}
+
+/**
+ * Markdown-sichere Bereinigung (erlaubt bestimmte Tags)
+ */
+function sanitizeMarkdown(input) {
+  if (typeof input !== 'string') return input;
+  return sanitizeHtml(input, {
+    allowedTags: [
+      'p', 'br', 'strong', 'em', 'u', 's', 'code', 'pre',
+      'ul', 'ol', 'li', 'blockquote', 'a', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'
+    ],
+    allowedAttributes: {
+      'a': ['href', 'title', 'target', 'rel']
+    },
+    allowedSchemes: ['http', 'https', 'mailto'],
+    transformTags: {
+      'a': (tagName, attribs) => {
+        return {
+          tagName: 'a',
+          attribs: {
+            ...attribs,
+            target: '_blank',
+            rel: 'noopener noreferrer'
+          }
+        };
+      }
+    }
+  });
+}
+
+/**
+ * Objekt rekursiv bereinigen
+ */
+function sanitizeObject(obj, options = {}) {
+  if (obj === null || obj === undefined) return obj;
+
+  if (typeof obj === 'string') {
+    return options.allowHtml ? sanitizeMarkdown(obj) : stripHtml(obj);
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(item => sanitizeObject(item, options));
+  }
+
+  if (typeof obj === 'object') {
+    const sanitized = {};
+    for (const [key, value] of Object.entries(obj)) {
+      // Bestimmte Felder dürfen Markdown enthalten
+      const allowHtml = ['description', 'content'].includes(key);
+      sanitized[key] = sanitizeObject(value, { allowHtml });
+    }
+    return sanitized;
+  }
+
+  return obj;
+}
+
+/**
+ * Validierungsfunktionen
+ */
+const validators = {
+  /**
+   * Pflichtfeld prüfen
+   */
+  required: (value, fieldName) => {
+    if (value === undefined || value === null || value === '') {
+      return `${fieldName} ist erforderlich`;
+    }
+    return null;
+  },
+
+  /**
+   * Minimale Länge prüfen
+   */
+  minLength: (value, min, fieldName) => {
+    if (typeof value === 'string' && value.length < min) {
+      return `${fieldName} muss mindestens ${min} Zeichen haben`;
+    }
+    return null;
+  },
+
+  /**
+   * Maximale Länge prüfen
+   */
+  maxLength: (value, max, fieldName) => {
+    if (typeof value === 'string' && value.length > max) {
+      return `${fieldName} darf maximal ${max} Zeichen haben`;
+    }
+    return null;
+  },
+
+  /**
+   * E-Mail-Format prüfen
+   */
+  email: (value, fieldName) => {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (value && !emailRegex.test(value)) {
+      return `${fieldName} muss eine gültige E-Mail-Adresse sein`;
+    }
+    return null;
+  },
+
+  /**
+   * URL-Format prüfen
+   */
+  url: (value, fieldName) => {
+    try {
+      if (value) {
+        new URL(value);
+      }
+      return null;
+    } catch {
+      return `${fieldName} muss eine gültige URL sein`;
+    }
+  },
+
+  /**
+   * Integer prüfen
+   */
+  integer: (value, fieldName) => {
+    if (value !== undefined && value !== null && !Number.isInteger(Number(value))) {
+      return `${fieldName} muss eine ganze Zahl sein`;
+    }
+    return null;
+  },
+
+  /**
+   * Positiver Integer prüfen
+   */
+  positiveInteger: (value, fieldName) => {
+    const num = Number(value);
+    if (value !== undefined && value !== null && (!Number.isInteger(num) || num < 0)) {
+      return `${fieldName} muss eine positive ganze Zahl sein`;
+    }
+    return null;
+  },
+
+  /**
+   * Datum prüfen (YYYY-MM-DD)
+   */
+  date: (value, fieldName) => {
+    if (value) {
+      const dateRegex = /^\d{4}-\d{2}-\d{2}$/;
+      if (!dateRegex.test(value)) {
+        return `${fieldName} muss im Format YYYY-MM-DD sein`;
+      }
+      const date = new Date(value);
+      if (isNaN(date.getTime())) {
+        return `${fieldName} ist kein gültiges Datum`;
+      }
+    }
+    return null;
+  },
+
+  /**
+   * Enum-Wert prüfen
+   */
+  enum: (value, allowedValues, fieldName) => {
+    if (value && !allowedValues.includes(value)) {
+      return `${fieldName} muss einer der folgenden Werte sein: ${allowedValues.join(', ')}`;
+    }
+    return null;
+  },
+
+  /**
+   * Hex-Farbe prüfen
+   */
+  hexColor: (value, fieldName) => {
+    if (value) {
+      const hexRegex = /^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/;
+      if (!hexRegex.test(value)) {
+        return `${fieldName} muss eine gültige Hex-Farbe sein (z.B. #FF0000)`;
+      }
+    }
+    return null;
+  }
+};
+
+/**
+ * Passwort-Richtlinien prüfen
+ */
+function validatePassword(password) {
+  const errors = [];
+  const minLength = 8;
+
+  if (!password || password.length < minLength) {
+    errors.push(`Passwort muss mindestens ${minLength} Zeichen haben`);
+  }
+
+  if (password && !/[a-z]/.test(password)) {
+    errors.push('Passwort muss mindestens einen Kleinbuchstaben enthalten');
+  }
+
+  if (password && !/[A-Z]/.test(password)) {
+    errors.push('Passwort muss mindestens einen Großbuchstaben enthalten');
+  }
+
+  if (password && !/[0-9]/.test(password)) {
+    errors.push('Passwort muss mindestens eine Zahl enthalten');
+  }
+
+  return errors;
+}
+
+/**
+ * Express Middleware: Request-Body bereinigen
+ */
+function sanitizeMiddleware(req, res, next) {
+  if (req.body && typeof req.body === 'object') {
+    req.body = sanitizeObject(req.body);
+  }
+
+  if (req.query && typeof req.query === 'object') {
+    req.query = sanitizeObject(req.query);
+  }
+
+  if (req.params && typeof req.params === 'object') {
+    req.params = sanitizeObject(req.params);
+  }
+
+  next();
+}
+
+module.exports = {
+  stripHtml,
+  sanitizeMarkdown,
+  sanitizeObject,
+  validators,
+  validatePassword,
+  sanitizeMiddleware
+};