- Reject a non-absolute / non-http(s) BaseUrl and an implausible (not 5- or
6-field) cron expression before the section is written to disk, mirroring the
existing storage-path validation (snackbar + early return).
- Add a hint to the BaseUrl field. Cron check is a lightweight UI guard; the
worker still does the authoritative Cronos parse at startup.
- EventListShell: detach the Elapsed handler before disposing the refresh timer
(both StartTimer and Dispose) to stop a leaked subscription firing on a
torn-down component; log the two previously-silent catches.
- Insights: log the previously-silent report-load catch.
- EventOddsParser: narrow catch(Exception) to catch(ArgumentException) so only
the OddsRate/OddsValue/Bet guard-clause throws are swallowed.
- AnomalyEvidenceData: make the JSON DTOs init-only per the immutability convention.
- Settings: remove a dead DialogParameters block.
Five MEDIUM-tier security findings from the review. None were exploitable in
the single-user desktop threat model, but each is hardening for future hosts
(server / multi-user) and for the case of an upstream compromise.
* EventListingParserBase: scraped data-event-path values are now run through
IsSafeRelativePath before being concatenated into request URLs. Rejects
scheme://host/* patterns, leading slash/backslash (network-path traversal),
".." traversal, control characters (CRLF log forging), and path lengths
greater than 512.
* ScrapingModule.ResolveBaseAddress: configured Scraping:BaseUrl is now
validated through an https-only allow-list (marathonbet.by + subdomains).
Falls back to the default base URL when the value is missing, malformed,
off-host, or carries userinfo / query / fragment. Settings UI may write
arbitrary strings to this key — a typo or worse could otherwise re-point
every subsequent request at an unrelated host.
* JsonSettingsWriter.WriteRootAsync: temp-file write now FlushAsync +
Flush(flushToDisk: true) before the rename so a crash mid-write doesn't
leave a 0-byte appsettings.Local.json. Promote the rename from File.Move
(overwrite=true, not atomic on NTFS for cross-volume cases) to
File.Replace (atomic on NTFS, keeps a .bak copy of the previous file).
Falls back to File.Move when the destination doesn't exist yet.
* StoragePathValidator + Settings.razor wiring: DatabasePath and
ExportDirectory paths from the Settings page are validated before persist.
Rejects empty values, ".." traversal, control characters, and any path
that resolves outside AppContext.BaseDirectory. Adds 4 new RU+EN keys for
the validation messages.
* Logged scraper paths: covered transitively by the EventPath validation
above (the upstream of every logged {Path} value), so no separate
sanitization needed.
alexei.dolgolyov