From 5b25314e3c99d18dd73fe8b6c38893079516379c Mon Sep 17 00:00:00 2001
From: Stefanos Doumpoulakis <dubulak@gmail.com>
Date: Fri, 28 Feb 2025 17:54:34 +0200
Subject: [PATCH] fix: addressed vulnerability issues

---
 Tools/VECTOStart/StarterHelper.cs              | 16 ++++++++++++++--
 VECTO3GUI2020/Helper/ProcessHelper.cs          | 16 ++++++++++++++--
 .../VectoCommon/Exceptions/VectoExceptions.cs  |  3 ++-
 .../Impl/Electrics/SimpleAlternator.cs         | 11 +++++++++--
 .../OutputData/FileIO/FileOutputWriter.cs      | 18 ++++++++----------
 .../VectoCore/Utils/IterationStatistics.cs     |  7 +++++--
 6 files changed, 52 insertions(+), 19 deletions(-)

diff --git a/Tools/VECTOStart/StarterHelper.cs b/Tools/VECTOStart/StarterHelper.cs
index 80bf7a926f..71b70ddfd5 100644
--- a/Tools/VECTOStart/StarterHelper.cs
+++ b/Tools/VECTOStart/StarterHelper.cs
@@ -33,7 +33,7 @@ namespace TUGraz.VECTO
 				string argumentsString = "";
 				if (cmdArguments.Length > 0) {
 					foreach (var cmdArgument in cmdArguments) {
-						argumentsString += "\"" +  cmdArgument + "\" ";
+						argumentsString += "\"" +  SanitizeInput(cmdArgument) + "\" ";
 					}
 				}
 
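Review bot: Stripping `&`, `;`, `|` and `$` from each argument does not make the quoting on the changed line safe, because the value is wrapped in literal double quotes and the sanitizer leaves `"` and `\` untouched, so an embedded quote still terminates the quoted token and the rest of the value is parsed as further arguments. Rejecting such values instead of silently editing them, e.g. `if (cmdArgument.Contains("\"")) throw new ArgumentException("Embedded quotes are not allowed in command-line arguments");` before the append, makes the problem visible rather than partially masked; where the target framework supports it, `ProcessStartInfo.ArgumentList` lets the runtime do the quoting and removes the need to build this string by hand. Dropping characters also changes legitimate values such as a path containing `&`, with no trace of the alteration. The enclosing method starts and ends outside the hunk.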
@@ -59,7 +59,19 @@ namespace TUGraz.VECTO
 			}
 		}
 
-		private static void ValidateVersion(string version, params string[] validVersions)
+        public static string SanitizeInput(string input)
+        {
+            var disallowedChars = new char[] { '&', ';', '|', '$' };
+
+            foreach (var c in disallowedChars)
+            {
+                input = input.Replace(c.ToString(), string.Empty);
+            }
+
+            return input;
+        }
+
+        private static void ValidateVersion(string version, params string[] validVersions)
 		{
 			if (!((IList)validVersions).Contains(version))
 				throw new Exception($"Invalid .NET Version supplied. Only the following values are valid: {string.Join(", ", validVersions)}");
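Review bot: `SanitizeInput` throws a `NullReferenceException` on a null `input` (at the first `input.Replace` call) instead of a descriptive argument exception, and it carries no documentation stating that it silently drops characters rather than rejecting the value; the identical copy added to VECTO3GUI2020/Helper/ProcessHelper.cs in this commit has the same gaps. A guard `if (input == null) throw new ArgumentNullException(nameof(input));` at the top and a summary such as `/// Removes the shell metacharacters '&', ';', '|' and '$' from <paramref name="input"/>; quotes and backslashes are left unchanged.` make the contract explicit for callers that quote the result. A denylist of four characters is a weak basis for command-line safety and should be treated as defence in depth, not the primary control. The new method is indented with spaces while the surrounding file uses tabs (compare `ValidateVersion` directly below it).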
diff --git a/VECTO3GUI2020/Helper/ProcessHelper.cs b/VECTO3GUI2020/Helper/ProcessHelper.cs
index e8de544054..467d2c620a 100644
--- a/VECTO3GUI2020/Helper/ProcessHelper.cs
+++ b/VECTO3GUI2020/Helper/ProcessHelper.cs
@@ -55,7 +55,7 @@ namespace VECTO3GUI2020.Helper
 					}
 				}
 
-				argumentsString = argumentsStrBuilder.ToString();
+				argumentsString = SanitizeInput(argumentsStrBuilder.ToString());
 				Debug.WriteLine(argumentsString);
 			}
 
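Review bot: The sanitization on the changed line runs on the fully assembled command line, after the quoting done in the loop above (outside the hunk), so it cannot distinguish an argument's content from the quoting syntax around it, and any removed characters go unnoticed because `Debug.WriteLine` only prints the end result. Sanitizing each value before it is appended to `argumentsStrBuilder` keeps the two concerns separate, and a trace when something was actually removed, e.g. `if (argumentsString.Length != argumentsStrBuilder.Length) Debug.WriteLine("Disallowed characters were removed from the process arguments");`, tells the operator the command line was altered. The enclosing method starts and ends outside the hunk.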
@@ -69,5 +69,17 @@ namespace VECTO3GUI2020.Helper
 			}
 		}
 
-	}
+        public static string SanitizeInput(string input)
+        {
+            var disallowedChars = new char[] { '&', ';', '|', '$' };
+
+            foreach (var c in disallowedChars)
+            {
+                input = input.Replace(c.ToString(), string.Empty);
+            }
+
+            return input;
+        }
+
+    }
 }
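Review bot: This `SanitizeInput` is a verbatim copy of the one added to Tools/VECTOStart/StarterHelper.cs in the same commit, and two copies of a security filter will drift apart the first time one of them is tightened. Moving it to a single shared helper (presumably VectoCommon, which this patch also touches, if both projects can reference it) leaves one definition to review and test. The added lines, including the class's closing brace on the last line of the hunk, are indented with spaces while the rest of the file uses tabs.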
diff --git a/VectoCommon/VectoCommon/Exceptions/VectoExceptions.cs b/VectoCommon/VectoCommon/Exceptions/VectoExceptions.cs
index 725d24157b..77af5aef45 100644
--- a/VectoCommon/VectoCommon/Exceptions/VectoExceptions.cs
+++ b/VectoCommon/VectoCommon/Exceptions/VectoExceptions.cs
@@ -66,7 +66,8 @@ namespace TUGraz.VectoCommon.Exceptions
 		}
 	}
 
-	public class VectoXMLException : VectoException
+    [Serializable]
+    public class VectoXMLException : VectoException
 	{
 		protected VectoXMLException(SerializationInfo info, StreamingContext context) : base(info, context) { }
 		public VectoXMLException(string message) : base(message) { }
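Review bot: The two added lines are indented with four spaces while the class body they annotate uses tabs (the `{` on the following line), so the attribute and its class no longer line up. Beyond style, the `SerializationInfo`/`StreamingContext` constructor this attribute completes is the legacy runtime-serialization path, which .NET 8 marks obsolete (SYSLIB0051); if the project targets a modern runtime the attribute only satisfies analyzers, and if it targets .NET Framework it is a correct completion of the existing constructor. The base `VectoException` declaration is outside the hunk, so whether it is itself `[Serializable]` — needed for serialization of the derived type to succeed — cannot be confirmed here.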
diff --git a/VectoCore/VectoCore/Models/BusAuxiliaries/DownstreamModules/Impl/Electrics/SimpleAlternator.cs b/VectoCore/VectoCore/Models/BusAuxiliaries/DownstreamModules/Impl/Electrics/SimpleAlternator.cs
index 02052660cf..c6cc436829 100644
--- a/VectoCore/VectoCore/Models/BusAuxiliaries/DownstreamModules/Impl/Electrics/SimpleAlternator.cs
+++ b/VectoCore/VectoCore/Models/BusAuxiliaries/DownstreamModules/Impl/Electrics/SimpleAlternator.cs
@@ -26,6 +26,13 @@ namespace TUGraz.VectoCore.Models.BusAuxiliaries.DownstreamModules.Impl.Electric
 
 		public string Source => null;
 
-		#endregion
-	}
+        #endregion
+
+        public override bool Equals(object obj)
+        {
+			var other = obj as SimpleAlternator;
+            return (other != null) && (other._efficiency == _efficiency);
+        }
+
+    }
 }
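Review bot: `Equals` is overridden on the new lines but `GetHashCode` is not, so two alternators that compare equal may hash differently and the type misbehaves as a dictionary key or set member (the compiler warns with CS0659). Adding `public override int GetHashCode() => _efficiency.GetHashCode();` beside it restores the contract, assuming `_efficiency` is a non-null value — its declaration is outside the hunk; the `as` plus `!= null` pair can also be written as `return obj is SimpleAlternator other && other._efficiency == _efficiency;`. If `_efficiency` is a floating-point or SI-quantity type, exact `==` is a brittle equality basis and is worth confirming against its declaration. The added body lines mix a tab-indented `var other` with space-indented neighbours.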
diff --git a/VectoCore/VectoCore/OutputData/FileIO/FileOutputWriter.cs b/VectoCore/VectoCore/OutputData/FileIO/FileOutputWriter.cs
index 6db81775f8..35b27396e3 100644
--- a/VectoCore/VectoCore/OutputData/FileIO/FileOutputWriter.cs
+++ b/VectoCore/VectoCore/OutputData/FileIO/FileOutputWriter.cs
@@ -209,17 +209,15 @@ namespace TUGraz.VectoCore.OutputData.FileIO
 
 		public virtual void WriteReport(ReportType type, Stream data)
 		{
-			Stream stream = null;
-			switch (type) {
-				case ReportType.DeclarationReportPdf:
-					stream = new FileStream(PDFReportName, FileMode.Create);
-					break;
-				default:
+			if (type != ReportType.DeclarationReportPdf)
+			{
+                throw new ArgumentOutOfRangeException($"ReportType is {type}, but {ReportType.DeclarationReportPdf} is expected.");
+            }
 
-					throw new ArgumentOutOfRangeException("type");
-			}
-			data.CopyToAsync(stream);
-			//stream.Write(data);
+			using (Stream stream = new FileStream(PDFReportName, FileMode.Create))
+			{
+                data.CopyToAsync(stream);
+            }
 		}
 	}
 }
\ No newline at end of file
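Review bot: `data.CopyToAsync(stream)` on the new line inside the `using` is never awaited, so the `FileStream` is disposed when the block exits while the copy may still be running, which can fault the background task with `ObjectDisposedException` or leave a truncated PDF; before this change the stream was merely leaked, now it is closed underneath the copy. Since `WriteReport` is synchronous, `data.CopyTo(stream);` is the direct fix (or make the method async and await the copy). The `ArgumentOutOfRangeException` constructor used on the new throw line takes a parameter name as its single argument, so the interpolated text is reported as the parameter name rather than the message; `throw new ArgumentOutOfRangeException(nameof(type), type, $"ReportType is {type}, but {ReportType.DeclarationReportPdf} is expected.");` puts it in the right place.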
diff --git a/VectoCore/VectoCore/Utils/IterationStatistics.cs b/VectoCore/VectoCore/Utils/IterationStatistics.cs
index 84fe222680..9d21f7cddd 100644
--- a/VectoCore/VectoCore/Utils/IterationStatistics.cs
+++ b/VectoCore/VectoCore/Utils/IterationStatistics.cs
@@ -127,8 +127,11 @@ namespace TUGraz.VectoCore.Utils
 				}
 				table.Rows.Add(row);
 			}
-			var writer = new StreamWriter("statistics_" + runName + ".csv");
-			VectoCSVFile.Write(writer, table);
+
+			using (var writer = new StreamWriter("statistics_" + runName + ".csv"))
+			{
+                VectoCSVFile.Write(writer, table);
+            }
 		}
 
 		public sealed class DataEntry
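Review bot: The `using` fixes the leaked `StreamWriter`, but the file name on that line is still built directly from `runName`, so a run name containing a directory separator places the CSV outside the intended directory; where `runName` comes from is outside the hunk, so whether it is user-controlled cannot be confirmed here. Restricting it to a bare file name, `using (var writer = new StreamWriter("statistics_" + Path.GetFileName(runName) + ".csv"))`, limits the write to the current directory, which being a relative path depends on the process working directory. The enclosing method starts outside the hunk.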
-- 
GitLab