alexei.dolgolyov/maraphon-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): validate scraped paths, BaseUrl, settings paths + atomic write

Browse Source 
Five MEDIUM-tier security findings from the review. None were exploitable in
the single-user desktop threat model, but each is hardening for future hosts
(server / multi-user) and for the case of an upstream compromise.

* EventListingParserBase: scraped data-event-path values are now run through
  IsSafeRelativePath before being concatenated into request URLs. Rejects
  scheme://host/* patterns, leading slash/backslash (network-path traversal),
  ".." traversal, control characters (CRLF log forging), and path lengths
  greater than 512.

* ScrapingModule.ResolveBaseAddress: configured Scraping:BaseUrl is now
  validated through an https-only allow-list (marathonbet.by + subdomains).
  Falls back to the default base URL when the value is missing, malformed,
  off-host, or carries userinfo / query / fragment. Settings UI may write
  arbitrary strings to this key — a typo or worse could otherwise re-point
  every subsequent request at an unrelated host.

* JsonSettingsWriter.WriteRootAsync: temp-file write now FlushAsync +
  Flush(flushToDisk: true) before the rename so a crash mid-write doesn't
  leave a 0-byte appsettings.Local.json. Promote the rename from File.Move
  (overwrite=true, not atomic on NTFS for cross-volume cases) to
  File.Replace (atomic on NTFS, keeps a .bak copy of the previous file).
  Falls back to File.Move when the destination doesn't exist yet.

* StoragePathValidator + Settings.razor wiring: DatabasePath and
  ExportDirectory paths from the Settings page are validated before persist.
  Rejects empty values, ".." traversal, control characters, and any path
  that resolves outside AppContext.BaseDirectory. Adds 4 new RU+EN keys for
  the validation messages.

* Logged scraper paths: covered transitively by the EventPath validation
  above (the upstream of every logged {Path} value), so no separate
  sanitization needed.
This commit is contained in:
Admin
2026-05-09 15:50:52 +03:00
parent c2934b2c8d
commit 537b78ab83
7 changed files with 210 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Marathon.UI/Pages/Settings.razor
+12
View File
@@ -230,6 +230,18 @@
private async Task SaveSectionAsync<T>(string section, T payload) where T : class
{
// Section-level validation — fails fast before disk write so the
// user sees the snackbar immediately and the JSON file isn't touched.
if (payload is StorageOptions storage)
{
var errorKey = StoragePathValidator.Validate(storage);
if (errorKey is not null)
{
Snackbar.Add(L[errorKey], Severity.Error);
return;
}
}
var confirmed = await ConfirmAsync();
if (!confirmed)
{