maraphon-app

alexei.dolgolyov/maraphon-app

Fork 0

Commit Graph

Author	SHA1	Message	Date
alexei.dolgolyov	0683e348ba	fix(security): bound bet-notes length + harden EventId against path/control chars Two defense-in-depth findings from the I-series security review (both safe today, neither currently exploitable): - AddBetForm.Notes was unbounded free-text into SQLite; add a 2000-char sanity cap in IsValid (covers both the add and edit paths), alongside the existing stake/rate caps. - EventId only rejected empty/whitespace; now also reject path separators, '..' traversal, control/newline chars and over-length input so no current-or-future consumer that builds a path/filename/log line from an id can be tricked. The charset stays open for forward-compat with non-numeric bookmaker ids.	2026-05-29 14:14:12 +03:00

Author

SHA1

Message

Date

alexei.dolgolyov

0683e348ba

fix(security): bound bet-notes length + harden EventId against path/control chars

Two defense-in-depth findings from the I-series security review (both safe today,
neither currently exploitable):
- AddBetForm.Notes was unbounded free-text into SQLite; add a 2000-char sanity cap
  in IsValid (covers both the add and edit paths), alongside the existing stake/rate
  caps.
- EventId only rejected empty/whitespace; now also reject path separators, '..'
  traversal, control/newline chars and over-length input so no current-or-future
  consumer that builds a path/filename/log line from an id can be tricked. The
  charset stays open for forward-compat with non-numeric bookmaker ids.

2026-05-29 14:14:12 +03:00

1 Commits