fix security issue caused by passing the project file name directly i…

…nstead of looking up the project in the project list.
sillsdev · Jun 14, 2024 · 64c53e7 · 64c53e7
1 parent 386af71
commit 64c53e7
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/backend/LocalWebApp/Services/ImportFwdataService.cs b/backend/LocalWebApp/Services/ImportFwdataService.cs
@@ -10,8 +10,13 @@ public class ImportFwdataService(ProjectsService projectsService, ILogger<Import
 {
     public async Task<CrdtProject> Import(string projectName)
     {
-        using var fwDataApi = fwDataFactory.GetFwDataMiniLcmApi(projectName, false);
-        var project = await projectsService.CreateProject(Path.GetFileNameWithoutExtension(projectName),
+        var fwDataProject = FieldWorksProjectList.GetProject(projectName);
+        if (fwDataProject is null)
+        {
+            throw new InvalidOperationException($"Project {projectName} not found.");
+        }
+        using var fwDataApi = fwDataFactory.GetFwDataMiniLcmApi(fwDataProject, false);
+        var project = await projectsService.CreateProject(fwDataProject.Name,
             afterCreate: async (provider, project) =>
             {
                 var crdtApi = provider.GetRequiredService<ILexboxApi>();