From 64c53e7a3db244bcf4c4c1b7c16451b6a6ffd2ea Mon Sep 17 00:00:00 2001
From: Kevin Hahn
Date: Fri, 14 Jun 2024 13:56:52 -0600
Subject: [PATCH] fix security issue caused by passing the project file name directly instead of looking up the project in the project list.
---
 backend/LocalWebApp/Services/ImportFwdataService.cs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/backend/LocalWebApp/Services/ImportFwdataService.cs b/backend/LocalWebApp/Services/ImportFwdataService.cs
index ef5e8bee6..5b9cb3b0a 100644
--- a/backend/LocalWebApp/Services/ImportFwdataService.cs
+++ b/backend/LocalWebApp/Services/ImportFwdataService.cs
@@ -10,8 +10,13 @@ public class ImportFwdataService(ProjectsService projectsService, ILogger Import(string projectName)
 {
- using var fwDataApi = fwDataFactory.GetFwDataMiniLcmApi(projectName, false);
- var project = await projectsService.CreateProject(Path.GetFileNameWithoutExtension(projectName),
+ var fwDataProject = FieldWorksProjectList.GetProject(projectName);
+ if (fwDataProject is null)
+ {
+ throw new InvalidOperationException($"Project {projectName} not found.");
+ }
+ using var fwDataApi = fwDataFactory.GetFwDataMiniLcmApi(fwDataProject, false);
+ var project = await projectsService.CreateProject(fwDataProject.Name,
 afterCreate: async (provider, project) =>
 {
 var crdtApi = provider.GetRequiredService();
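Review bot: The lookup on the first added line is now the only thing standing between the caller-supplied `projectName` and the file system, yet nothing at the call site says so, and `FieldWorksProjectList.GetProject` itself is outside this hunk. If it resolves by exact match against the enumerated project list the fix holds; if it builds a path from the argument, the original problem presumably remains, so that is worth confirming and covering with a test that passes a name containing path separators and expects the not-found branch. I would add a comment above the lookup such as `// Security: resolve projectName against the known project list; never pass it to the factory as a path.` The `InvalidOperationException` message also echoes the untrusted `projectName`; if that text reaches an HTTP response or a log line, consider a fixed message or sanitising the value first. The body of `Import` continues past the end of the hunk.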