Five MEDIUM-tier security findings from the review. None were exploitable in
the single-user desktop threat model, but each is hardening for future hosts
(server / multi-user) and for the case of an upstream compromise.
* EventListingParserBase: scraped data-event-path values are now run through
IsSafeRelativePath before being concatenated into request URLs. Rejects
scheme://host/* patterns, leading slash/backslash (network-path traversal),
".." traversal, control characters (CRLF log forging), and path lengths
greater than 512.
* ScrapingModule.ResolveBaseAddress: configured Scraping:BaseUrl is now
validated through an https-only allow-list (marathonbet.by + subdomains).
Falls back to the default base URL when the value is missing, malformed,
off-host, or carries userinfo / query / fragment. Settings UI may write
arbitrary strings to this key — a typo or worse could otherwise re-point
every subsequent request at an unrelated host.
* JsonSettingsWriter.WriteRootAsync: temp-file write now FlushAsync +
Flush(flushToDisk: true) before the rename so a crash mid-write doesn't
leave a 0-byte appsettings.Local.json. Promote the rename from File.Move
(overwrite=true, not atomic on NTFS for cross-volume cases) to
File.Replace (atomic on NTFS, keeps a .bak copy of the previous file).
Falls back to File.Move when the destination doesn't exist yet.
* StoragePathValidator + Settings.razor wiring: DatabasePath and
ExportDirectory paths from the Settings page are validated before persist.
Rejects empty values, ".." traversal, control characters, and any path
that resolves outside AppContext.BaseDirectory. Adds 4 new RU+EN keys for
the validation messages.
* Logged scraper paths: covered transitively by the EventPath validation
above (the upstream of every logged {Path} value), so no separate
sanitization needed.
alexei.dolgolyov
537b78ab83