Skip to content

fix(directory): harden VMACS query construction#226

Open
rlorenzo wants to merge 1 commit into
mainfrom
fix/vmacs-url-encode-loginid
Open

fix(directory): harden VMACS query construction#226
rlorenzo wants to merge 1 commit into
mainfrom
fix/vmacs-url-encode-loginid

Conversation

@rlorenzo

@rlorenzo rlorenzo commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

What

Two small hardening changes to VMACSService.Search:

  1. URL-encode the login IDUri.EscapeDataString(loginID ?? string.Empty) before interpolating into the query URL, so reserved characters can't alter the request. Also drops a no-op .ToString().
  2. Extract the AUTH token to a named constantVmacsAuthToken instead of a magic literal in the URL string.

Why

Both surfaced during the CodeQL/agy review work. loginID is a DB-sourced campus login (AaudUser.LoginId, passed by both DirectoryController call sites), so exploitability is low; the AUTH value is a fixed internal-endpoint token, not a rotating secret. This is hygiene, not a vulnerability fix.

Scope note

The agy review suggested further changes (read the response stream directly instead of string→bytes→MemoryStream, and externalize the token/URL via config + DI). Those are behavior-adjacent / architectural and were deliberately kept out to keep this PR scoped; recommend a separate ticket for the static→DI refactor.

@codecov-commenter

codecov-commenter commented Jun 16, 2026

Copy link
Copy Markdown

Bundle Report

Bundle size has no change ✅

@codecov-commenter

codecov-commenter commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.49%. Comparing base (f6dbe72) to head (2767fcb).

Files with missing lines Patch % Lines
web/Areas/Directory/Services/VMACSService.cs 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #226      +/-   ##
==========================================
- Coverage   44.49%   44.49%   -0.01%     
==========================================
  Files         895      895              
  Lines       51655    51656       +1     
  Branches     4812     4813       +1     
==========================================
  Hits        22983    22983              
- Misses      28108    28109       +1     
  Partials      564      564
Flag Coverage Δ
backend 44.64% <0.00%> (-0.01%) ⬇️
frontend 41.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

@rlorenzo rlorenzo requested a review from Copilot June 16, 2026 22:36
Copilot AI reviewed Jun 16, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the Directory area’s VMACS lookup by URL-encoding the loginID value before it’s interpolated into the outbound query string, preventing reserved characters from altering the request.

Changes:

  • Encode loginID via Uri.EscapeDataString(loginID ?? string.Empty) before building the VMACS query URL.
  • Remove a no-op .ToString() call on an already-string interpolated value.

@rlorenzo
fix(directory): harden VMACS query construction
2767fcb 
- URL-encode the login ID (Uri.EscapeDataString) before interpolating it
  into the VMACS query URL so reserved characters can't alter the request.
- Extract the fixed AUTH token into a named VmacsAuthToken constant
  instead of a magic literal in the URL string.
- Drop a no-op .ToString() on the interpolated string.

loginID is a DB-sourced campus login (low exploitability) and the AUTH
token is a fixed internal-endpoint value, so this is hygiene/hardening,
not a vulnerability fix.
@rlorenzo rlorenzo force-pushed the fix/vmacs-url-encode-loginid branch from c372293 to 2767fcb Compare June 17, 2026 02:07
@rlorenzo rlorenzo changed the title fix(directory): URL-encode VMACS login ID in query fix(directory): harden VMACS query construction Jun 17, 2026
@rlorenzo rlorenzo requested a review from Copilot June 17, 2026 02:07
Copilot AI reviewed Jun 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

rlorenzo
rlorenzo commented Jun 17, 2026
View reviewed changes
Comment thread web/Areas/Directory/Services/VMACSService.cs
public class VMACSService
{
// Fixed token required by the internal VMACS trust endpoint (not a rotating secret).
private const string VmacsAuthToken = "06232005";

@rlorenzo rlorenzo Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bsedwards Should this be a config value?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rlorenzo @codecov-commenter