From 81e060102f8a08dc853bdb7a877d2e8b3deffde5 Mon Sep 17 00:00:00 2001
From: Rex Lorenzo
Date: Tue, 16 Jun 2026 14:45:56 -0700
Subject: [PATCH] fix(directory): harden VMACS query construction

- URL-encode the login ID (Uri.EscapeDataString) before interpolating it into the VMACS query URL so reserved characters can't alter the request.
- Extract the fixed AUTH token into a named VmacsAuthToken constant instead of a magic literal in the URL string.
- Drop a no-op .ToString() on the interpolated string.

loginID is a DB-sourced campus login (low exploitability) and the AUTH token is a fixed internal-endpoint value, so this is hygiene/hardening, not a vulnerability fix.
---
 web/Areas/Directory/Services/VMACSService.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/web/Areas/Directory/Services/VMACSService.cs b/web/Areas/Directory/Services/VMACSService.cs
index bc71f751a..581031923 100644
--- a/web/Areas/Directory/Services/VMACSService.cs
+++ b/web/Areas/Directory/Services/VMACSService.cs
@@ -7,6 +7,9 @@ namespace Viper.Areas.Directory.Services
 {
 public class VMACSService
 {
+ // Fixed token required by the internal VMACS trust endpoint (not a rotating secret).
+ private const string VmacsAuthToken = "06232005";
+
 private static HttpClient sharedClient = new()
 {
 BaseAddress = new Uri("https://vmacs-vmth.vetmed.ucdavis.edu"),
@@ -21,7 +24,8 @@ protected VMACSService() { }
 
 public static async Task Search(String? loginID)
 {
- string request = $"/trust/query.xml?dbfile=3&index=CampusLoginId&find={loginID}&format=CHRIS4&AUTH=06232005".ToString();
+ string encodedLoginId = Uri.EscapeDataString(loginID ?? string.Empty);
+ string request = $"/trust/query.xml?dbfile=3&index=CampusLoginId&find={encodedLoginId}&format=CHRIS4&AUTH={VmacsAuthToken}";
 using HttpResponseMessage response = await sharedClient.GetAsync(request);
 if (!response.IsSuccessStatusCode)
 {
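Review bot: Declaring the trust value as `const` means the compiler inlines it at every use site, so if the VMACS side ever does change it, any assembly that referenced the constant must be rebuilt rather than just this class; `private static readonly string VmacsAuthToken = "06232005";` avoids that without changing behaviour here. If the value is later moved to configuration (the comment already documents it as endpoint-specific rather than code-specific), a `static readonly` field or an injected options value is also the form that reads it at startup. The class declaration continues outside the hunk, so I can't see whether anything else references the token.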
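Review bot: With `loginID ?? string.Empty` a null or blank login is still sent to VMACS as an empty `find=` value, which, depending on how the trust endpoint treats an empty index lookup, may produce an error response or an unbounded result set; a guard before the request makes that case explicit instead of relying on the remote side, e.g. `ArgumentException.ThrowIfNullOrWhiteSpace(loginID);` on .NET 8+ or an `if (string.IsNullOrWhiteSpace(loginID))` early exit if callers legitimately pass null. Whether returning early or throwing is right depends on how Search's result is consumed, and its body continues outside the hunk, so treat this as something to confirm against the callers. Separately, `sharedClient.GetAsync(request)` takes no CancellationToken; if Search is reached from a request pipeline, flowing one through would let an abandoned directory lookup stop rather than run to the client's timeout.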