fix(directory): harden VMACS query construction#226
Conversation
Bundle ReportBundle size has no change ✅ |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #226 +/- ##
==========================================
- Coverage 44.51% 44.51% -0.01%
==========================================
Files 895 895
Lines 51760 51761 +1
Branches 4827 4828 +1
==========================================
Hits 23041 23041
- Misses 28149 28150 +1
Partials 570 570
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the Directory area’s VMACS lookup by URL-encoding the loginID value before it’s interpolated into the outbound query string, preventing reserved characters from altering the request.
Changes:
- Encode
loginIDviaUri.EscapeDataString(loginID ?? string.Empty)before building the VMACS query URL. - Remove a no-op
.ToString()call on an already-stringinterpolated value.
rlorenzo
force-pushed
the
fix/vmacs-url-encode-loginid
branch
from
c372293 to
2767fcb
Compare
rlorenzo
changed the title
| public class VMACSService | ||
| { | ||
| // Fixed token required by the internal VMACS trust endpoint (not a rotating secret). | ||
| private const string VmacsAuthToken = "06232005"; |
There was a problem hiding this comment.
@bsedwards Should this be a config value?
rlorenzo
force-pushed
the
fix/vmacs-url-encode-loginid
branch
from
2767fcb to
4a2c7c9
Compare
- URL-encode the login ID (Uri.EscapeDataString) before interpolating it into the VMACS query URL so reserved characters can't alter the request. - Extract the fixed AUTH token into a named VmacsAuthToken constant instead of a magic literal in the URL string. - Drop a no-op .ToString() on the interpolated string. loginID is a DB-sourced campus login (low exploitability) and the AUTH token is a fixed internal-endpoint value, so this is hygiene/hardening, not a vulnerability fix.
rlorenzo
force-pushed
the
fix/vmacs-url-encode-loginid
branch
from
4a2c7c9 to
81e0601
Compare
|
@coderabbitai full review |
✅ Action performedFull review finished. |
📝 WalkthroughWalkthroughVMACSService now stores the VMACS AUTH token in a constant and uses it when building the trust query. The ChangesVMACS trust query update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@web/Areas/Directory/Services/VMACSService.cs`:
- Around line 27-28: The URL construction in VMACSService is still embedded in
the lookup logic, so pull the request-building portion out into a small helper
method (for example, in the same service near the login lookup path) that takes
the login ID and returns the encoded query string. Then add focused tests
against that helper to cover null, spaces, +, &, and = cases so the
Uri.EscapeDataString behavior and request format in the lookup path are
independently verifiable.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: bd9770b9-c6b2-4fcf-885c-070c57819dc7
📒 Files selected for processing (1)
web/Areas/Directory/Services/VMACSService.cs
| string encodedLoginId = Uri.EscapeDataString(loginID ?? string.Empty); | ||
| string request = $"/trust/query.xml?dbfile=3&index=CampusLoginId&find={encodedLoginId}&format=CHRIS4&AUTH={VmacsAuthToken}"; |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Make the query builder independently testable.
Line 27-28 changed lookup semantics, but this path still has no patch coverage. Pull the URL construction into a small helper and add cases for null, spaces, +, &, and = so encoding regressions fail fast.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@web/Areas/Directory/Services/VMACSService.cs` around lines 27 - 28, The URL
construction in VMACSService is still embedded in the lookup logic, so pull the
request-building portion out into a small helper method (for example, in the
same service near the login lookup path) that takes the login ID and returns the
encoded query string. Then add focused tests against that helper to cover null,
spaces, +, &, and = cases so the Uri.EscapeDataString behavior and request
format in the lookup path are independently verifiable.
What
Two small hardening changes to
VMACSService.Search:Uri.EscapeDataString(loginID ?? string.Empty)before interpolating into the query URL, so reserved characters can't alter the request. Also drops a no-op.ToString().AUTHtoken to a named constant —VmacsAuthTokeninstead of a magic literal in the URL string.Why
Both surfaced during the CodeQL/agy review work.
loginIDis a DB-sourced campus login (AaudUser.LoginId, passed by bothDirectoryControllercall sites), so exploitability is low; theAUTHvalue is a fixed internal-endpoint token, not a rotating secret. This is hygiene, not a vulnerability fix.Scope note
The agy review suggested further changes (read the response stream directly instead of string→bytes→
MemoryStream, and externalize the token/URL via config + DI). Those are behavior-adjacent / architectural and were deliberately kept out to keep this PR scoped; recommend a separate ticket for the static→DI refactor.