alexei.dolgolyov/maraphon-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): bound bet-notes length + harden EventId against path/control chars

Browse Source 
Two defense-in-depth findings from the I-series security review (both safe today,
neither currently exploitable):
- AddBetForm.Notes was unbounded free-text into SQLite; add a 2000-char sanity cap
  in IsValid (covers both the add and edit paths), alongside the existing stake/rate
  caps.
- EventId only rejected empty/whitespace; now also reject path separators, '..'
  traversal, control/newline chars and over-length input so no current-or-future
  consumer that builds a path/filename/log line from an id can be tricked. The
  charset stays open for forward-compat with non-numeric bookmaker ids.
This commit is contained in:
Admin
2026-05-29 14:14:12 +03:00
parent 690d98d194
commit 0683e348ba
4 changed files with 116 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Marathon.Domain.Tests/ValueObjects/EventIdTests.cs
+35
View File
@@ -31,6 +31,41 @@ public sealed class EventIdTests
.WithParameterName("value");
}
[Theory]
[InlineData("a/b")] // forward slash (path separator)
[InlineData("a\\b")] // back slash (path separator)
[InlineData("..")] // parent-dir traversal
[InlineData("../etc/passwd")]
[InlineData("evt\n1")] // control char (newline)
[InlineData("evt\r1")] // control char (CR)
[InlineData("evt\0id")] // control char (NUL)
public void Constructor_ThrowsArgumentException_WhenValueHasDangerousCharacters(string value)
{
var act = () => new EventId(value);
act.Should().Throw<ArgumentException>()
.WithParameterName("value");
}
[Fact]
public void Constructor_ThrowsArgumentException_WhenValueExceedsMaxLength()
{
var act = () => new EventId(new string('1', 129));
act.Should().Throw<ArgumentException>()
.WithParameterName("value");
}
[Theory]
[InlineData("26456117")] // numeric (marathonbet.by)
[InlineData("evt-1")] // hyphenated
[InlineData("event_1")] // underscore
[InlineData("evt.1")] // single dot is fine — only ".." is rejected
[InlineData("AB12cd34")] // mixed-case alphanumeric (forward-compat)
public void Constructor_Accepts_ValidAndForwardCompatIds(string value)
{
var id = new EventId(value);
id.Value.Should().Be(value);
}
[Fact]
public void ToString_ReturnsValue()
{