alexei.dolgolyov
537b78ab83
Five MEDIUM-tier security findings from the review. None were exploitable in
the single-user desktop threat model, but each is hardening for future hosts
(server / multi-user) and for the case of an upstream compromise.
* EventListingParserBase: scraped data-event-path values are now run through
IsSafeRelativePath before being concatenated into request URLs. Rejects
scheme://host/* patterns, leading slash/backslash (network-path traversal),
".." traversal, control characters (CRLF log forging), and path lengths
greater than 512.
* ScrapingModule.ResolveBaseAddress: configured Scraping:BaseUrl is now
validated through an https-only allow-list (marathonbet.by + subdomains).
Falls back to the default base URL when the value is missing, malformed,
off-host, or carries userinfo / query / fragment. Settings UI may write
arbitrary strings to this key — a typo or worse could otherwise re-point
every subsequent request at an unrelated host.
* JsonSettingsWriter.WriteRootAsync: temp-file write now FlushAsync +
Flush(flushToDisk: true) before the rename so a crash mid-write doesn't
leave a 0-byte appsettings.Local.json. Promote the rename from File.Move
(overwrite=true, not atomic on NTFS for cross-volume cases) to
File.Replace (atomic on NTFS, keeps a .bak copy of the previous file).
Falls back to File.Move when the destination doesn't exist yet.
* StoragePathValidator + Settings.razor wiring: DatabasePath and
ExportDirectory paths from the Settings page are validated before persist.
Rejects empty values, ".." traversal, control characters, and any path
that resolves outside AppContext.BaseDirectory. Adds 4 new RU+EN keys for
the validation messages.
* Logged scraper paths: covered transitively by the EventPath validation
above (the upstream of every logged {Path} value), so no separate
sanitization needed.
maraphon-app
Sports betting odds analyzer for marathonbet.by.
Scrapes pre-match (/su) and live (/su/live) sports events, tracks coefficient changes
over time, and detects anomalies — in particular the "odds-flip" pattern where the
bookmaker freezes betting and then inverts underdog/favorite odds.
Tech stack
- .NET 8 + C# 12
- Blazor Hybrid — WPF shell hosting
BlazorWebView(designed to migrate to ASP.NET Core Blazor Server with no UI rewrite) - EF Core + SQLite (WAL mode) for local storage
- ClosedXML for Excel export
- AngleSharp for HTML scraping (with Playwright fallback for JS-rendered pages)
- Polly v8 for retry / circuit breaker / rate limiting
- MudBlazor UI components, Plotly.Blazor for charts
- Serilog structured logging
- xUnit / FluentAssertions / NSubstitute for tests
Project layout
src/
Marathon.Domain/ entities, value objects, no dependencies
Marathon.Application/ use cases, abstractions (IOddsScraper, IRepository, ...)
Marathon.Infrastructure/ EF Core, scraping, Polly, Excel, Playwright
Marathon.UI/ Razor Class Library — all Blazor components live here
Marathon.Hosts.WpfBlazor/ WPF + BlazorWebView host (replaceable for web)
tests/
Marathon.*.Tests/ unit + integration tests per layer
Build & run
dotnet build Marathon.sln
dotnet test Marathon.sln
dotnet run --project src/Marathon.Hosts.WpfBlazor
Configuration
All variable parameters (polling intervals, concurrency, user-agents, retry policy,
snapshot retention, locale) are exposed via appsettings.json and live-editable via
the in-app Settings page.
Status
🟡 In active development. See plans/initial-implementation/PLAN.md
for the current phase plan and progress.
License
Private — customer project.