Misc. security improvements (#3200)

* Add x-security-critical to swagger schema and do not serialize LicenseID on IPC * Apply feedback * Misc.
2026-01-01 14:10:53 +00:00 · 2024-05-10 13:22:26 +02:00
parent dfa6330821
commit 81789c717f
3 changed files with 62 additions and 2 deletions
--- a/ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs
+++ b/ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs
@@ -0,0 +1,45 @@
+// ----------------------------------------------------------------------------------------------
+//     _                _      _  ____   _                           _____
+//    / \    _ __  ___ | |__  (_)/ ___| | |_  ___   __ _  _ __ ___  |  ___|__ _  _ __  _ __ ___
+//   / _ \  | '__|/ __|| '_ \ | |\___ \ | __|/ _ \ / _` || '_ ` _ \ | |_  / _` || '__|| '_ ` _ \
+//  / ___ \ | |  | (__ | | | || | ___) || |_|  __/| (_| || | | | | ||  _|| (_| || |   | | | | | |
+// /_/   \_\|_|   \___||_| |_||_||____/  \__|\___| \__,_||_| |_| |_||_|   \__,_||_|   |_| |_| |_|
+// ----------------------------------------------------------------------------------------------
+// |
+// Copyright 2015-2024 Łukasz "JustArchi" Domeradzki
+// Contact: JustArchi@JustArchi.net
+// |
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// |
+// http://www.apache.org/licenses/LICENSE-2.0
+// |
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using JetBrains.Annotations;
+using Microsoft.OpenApi.Any;
+using Microsoft.OpenApi.Extensions;
+using Microsoft.OpenApi.Models;
+
+namespace ArchiSteamFarm.IPC.Integration;
+
+[PublicAPI]
+public sealed class SwaggerSecurityCriticalAttribute : CustomSwaggerAttribute {
+	private const string ExtensionName = "x-security-critical";
+
+	public override void Apply(OpenApiSchema schema) {
+		ArgumentNullException.ThrowIfNull(schema);
+
+		if (schema.Items is { Reference: null }) {
+			schema.Items.AddExtension(ExtensionName, new OpenApiBoolean(true));
+		} else {
+			schema.AddExtension(ExtensionName, new OpenApiBoolean(true));
+		}
+	}
+}
--- a/ArchiSteamFarm/Steam/Storage/BotConfig.cs
+++ b/ArchiSteamFarm/Steam/Storage/BotConfig.cs
@@ -232,6 +232,7 @@ public sealed class BotConfig {
 	}

 	[JsonInclude]
+	[SwaggerSecurityCritical]
 	public string? SteamPassword {
 		get => BackingSteamPassword;

--- a/ArchiSteamFarm/Storage/GlobalConfig.cs
+++ b/ArchiSteamFarm/Storage/GlobalConfig.cs
@@ -251,6 +251,7 @@ public sealed class GlobalConfig {
 	public bool IPC { get; private init; } = DefaultIPC;

 	[JsonInclude]
+	[SwaggerSecurityCritical]
 	public string? IPCPassword {
 		get => BackingIPCPassword;

@@ -265,7 +266,15 @@ public sealed class GlobalConfig {

 	[JsonConverter(typeof(GuidJsonConverter))]
 	[JsonInclude]
-	public Guid? LicenseID { get; private init; } = DefaultLicenseID;
+	[SwaggerSecurityCritical]
+	public Guid? LicenseID {
+		get => BackingLicenseID;
+
+		private set {
+			IsLicenseIdSet = true;
+			BackingLicenseID = value;
+		}
+	}

 	[JsonInclude]
 	[Range(byte.MinValue, byte.MaxValue)]
@@ -327,6 +336,8 @@ public sealed class GlobalConfig {
 	[JsonInclude]
 	public string? WebProxyUsername { get; private init; } = DefaultWebProxyUsername;

+	internal bool IsLicenseIdSet;
+
 	[JsonExtensionData]
 	[JsonInclude]
 	internal Dictionary<string, JsonElement>? AdditionalProperties { get; set; }
@@ -337,6 +348,7 @@ public sealed class GlobalConfig {
 	internal bool Saving { get; set; }

 	[JsonInclude]
+	[SwaggerSecurityCritical]
 	internal string? WebProxyPassword {
 		get => BackingWebProxyPassword;

@@ -347,6 +359,8 @@ public sealed class GlobalConfig {
 	}

 	private string? BackingIPCPassword = DefaultIPCPassword;
+
+	private Guid? BackingLicenseID = DefaultLicenseID;
 	private WebProxy? BackingWebProxy;
 	private string? BackingWebProxyPassword = DefaultWebProxyPassword;

@@ -419,7 +433,7 @@ public sealed class GlobalConfig {
 	public bool ShouldSerializeIPCPasswordFormat() => !Saving || (IPCPasswordFormat != DefaultIPCPasswordFormat);

 	[UsedImplicitly]
-	public bool ShouldSerializeLicenseID() => !Saving || ((LicenseID != DefaultLicenseID) && (LicenseID != Guid.Empty));
+	public bool ShouldSerializeLicenseID() => Saving && IsLicenseIdSet && (LicenseID != DefaultLicenseID) && (LicenseID != Guid.Empty);

 	[UsedImplicitly]
 	public bool ShouldSerializeLoginLimiterDelay() => !Saving || (LoginLimiterDelay != DefaultLoginLimiterDelay);