From 81789c717f137efe94d0111482c75c55954d1e66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20G=C3=B6ls?= <6608231+Abrynos@users.noreply.github.com>
Date: Fri, 10 May 2024 13:22:26 +0200
Subject: [PATCH] Misc. security improvements (#3200)
* Add x-security-critical to swagger schema and do not serialize LicenseID on IPC
* Apply feedback
* Misc.
---
.../SwaggerSecurityCriticalAttribute.cs | 45 +++++++++++++++++++
ArchiSteamFarm/Steam/Storage/BotConfig.cs | 1 +
ArchiSteamFarm/Storage/GlobalConfig.cs | 18 +++++++-
3 files changed, 62 insertions(+), 2 deletions(-)
create mode 100644 ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs
diff --git a/ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs b/ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs
new file mode 100644
index 0000000000000..48e80b95a452e
--- /dev/null
+++ b/ArchiSteamFarm/IPC/Integration/SwaggerSecurityCriticalAttribute.cs
@@ -0,0 +1,45 @@
+// ----------------------------------------------------------------------------------------------
+// _ _ _ ____ _ _____
+// / \ _ __ ___ | |__ (_)/ ___| | |_ ___ __ _ _ __ ___ | ___|__ _ _ __ _ __ ___
+// / _ \ | '__|/ __|| '_ \ | |\___ \ | __|/ _ \ / _` || '_ ` _ \ | |_ / _` || '__|| '_ ` _ \
+// / ___ \ | | | (__ | | | || | ___) || |_| __/| (_| || | | | | || _|| (_| || | | | | | | |
+// /_/ \_\|_| \___||_| |_||_||____/ \__|\___| \__,_||_| |_| |_||_| \__,_||_| |_| |_| |_|
+// ----------------------------------------------------------------------------------------------
+// |
+// Copyright 2015-2024 Ɓukasz "JustArchi" Domeradzki
+// Contact: JustArchi@JustArchi.net
+// |
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// |
+// http://www.apache.org/licenses/LICENSE-2.0
+// |
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using JetBrains.Annotations;
+using Microsoft.OpenApi.Any;
+using Microsoft.OpenApi.Extensions;
+using Microsoft.OpenApi.Models;
+
+namespace ArchiSteamFarm.IPC.Integration;
+
+[PublicAPI]
+public sealed class SwaggerSecurityCriticalAttribute : CustomSwaggerAttribute {
+ private const string ExtensionName = "x-security-critical";
+
+ public override void Apply(OpenApiSchema schema) {
+ ArgumentNullException.ThrowIfNull(schema);
+
+ if (schema.Items is { Reference: null }) {
+ schema.Items.AddExtension(ExtensionName, new OpenApiBoolean(true));
+ } else {
+ schema.AddExtension(ExtensionName, new OpenApiBoolean(true));
+ }
+ }
+}
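Review bot: The new attribute carries no XML doc comment, and nothing states what `x-security-critical` is for or that it is schema metadata only — applying it does not by itself keep the annotated value out of IPC responses; that still depends on the `ShouldSerialize*` gates in the config classes elsewhere in this patch. I would add a `/// <summary>` on the class such as: `Marks the annotated config property as security-critical in the generated OpenAPI schema via the x-security-critical vendor extension so API consumers (e.g. the UI) can treat it as a secret and mask it. Does not affect JSON serialization.` The doc should also mention that for an inline array property the flag is placed on `schema.Items` rather than on the property schema itself, so a consumer has to look in both places.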
diff --git a/ArchiSteamFarm/Steam/Storage/BotConfig.cs b/ArchiSteamFarm/Steam/Storage/BotConfig.cs
index 6020a14c2e8d1..8f5a90eea9a3c 100644
--- a/ArchiSteamFarm/Steam/Storage/BotConfig.cs
+++ b/ArchiSteamFarm/Steam/Storage/BotConfig.cs
@@ -232,6 +232,7 @@ internal set {
 }
 [JsonInclude]
+ [SwaggerSecurityCritical]
 public string? SteamPassword {
 get => BackingSteamPassword;
diff --git a/ArchiSteamFarm/Storage/GlobalConfig.cs b/ArchiSteamFarm/Storage/GlobalConfig.cs
index 2fae7c19cb44b..acf87ef29745a 100644
--- a/ArchiSteamFarm/Storage/GlobalConfig.cs
+++ b/ArchiSteamFarm/Storage/GlobalConfig.cs
@@ -251,6 +251,7 @@ public WebProxy? WebProxy {
 public bool IPC { get; private init; } = DefaultIPC;
 [JsonInclude]
+ [SwaggerSecurityCritical]
 public string? IPCPassword {
 get => BackingIPCPassword;
@@ -265,7 +266,15 @@ internal set {
 [JsonConverter(typeof(GuidJsonConverter))]
 [JsonInclude]
- public Guid? LicenseID { get; private init; } = DefaultLicenseID;
+ [SwaggerSecurityCritical]
+ public Guid? LicenseID {
+ get => BackingLicenseID;
+
+ private set {
+ IsLicenseIdSet = true;
+ BackingLicenseID = value;
+ }
+ }
 [JsonInclude]
 [Range(byte.MinValue, byte.MaxValue)]
@@ -327,6 +336,8 @@ internal set {
 [JsonInclude]
 public string? WebProxyUsername { get; private init; } = DefaultWebProxyUsername;
+ internal bool IsLicenseIdSet;
+
 [JsonExtensionData]
 [JsonInclude]
 internal Dictionary? AdditionalProperties { get; set; }
@@ -337,6 +348,7 @@ internal set {
 internal bool Saving { get; set; }
 [JsonInclude]
+ [SwaggerSecurityCritical]
 internal string? WebProxyPassword {
 get => BackingWebProxyPassword;
@@ -347,6 +359,8 @@ internal string? WebProxyPassword {
 }
 private string? BackingIPCPassword = DefaultIPCPassword;
+
+ private Guid? BackingLicenseID = DefaultLicenseID;
 private WebProxy? BackingWebProxy;
 private string? BackingWebProxyPassword = DefaultWebProxyPassword;
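Review bot: Only `SteamPassword` receives `[SwaggerSecurityCritical]` in BotConfig, so any other credential-like BotConfig property (a parental PIN or similar, if the class has one — not visible in this hunk) would still be presented in the OpenAPI schema as an ordinary string and left unmasked by consumers that honour the flag. Worth a pass over the rest of BotConfig to confirm every secret-bearing property carries the same marker, since the UI will mask only what is flagged. The enclosing property and class extend beyond the hunk.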
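Review bot: The new `LicenseID` setter flips `IsLicenseIdSet` to true for any deserialized value, including an explicit `null` or `Guid.Empty`, so the flag means "the config JSON contained a LicenseID key", not "a usable license is present". Within the visible hunks this setter is the only writer of `BackingLicenseID`, and that field is initialised to `DefaultLicenseID`, so whenever the flag is false the `LicenseID != DefaultLicenseID` test in `ShouldSerializeLicenseID` already fails — the flag looks redundant unless code outside this diff reads it or writes the backing field directly. If it is kept, the setter deserves a comment stating the intent, e.g. `// Remembers that the config file supplied a LicenseID key (even if null); consulted by ShouldSerializeLicenseID.` The enclosing class continues outside the hunk.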
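Review bot: `IsLicenseIdSet` is declared as a bare mutable `internal` field placed among the `[JsonInclude]`-annotated properties, whereas the sibling runtime flag `Saving` two hunks down is an `internal bool Saving { get; set; }` property; for consistency and to keep the write path inside the class, prefer `internal bool IsLicenseIDSet { get; private set; }` (also matching the `ID` casing of `LicenseID`), adjusting the two references accordingly. It has no `[JsonInclude]`, so under System.Text.Json's default of not serializing fields it should stay out of the saved config and IPC output — worth confirming the project's serializer options do not enable `IncludeFields`, as that would leak a field that was never meant to be part of the config format.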
@@ -419,7 +433,7 @@ internal GlobalConfig() { }
 public bool ShouldSerializeIPCPasswordFormat() => !Saving || (IPCPasswordFormat != DefaultIPCPasswordFormat);
 [UsedImplicitly]
- public bool ShouldSerializeLicenseID() => !Saving || ((LicenseID != DefaultLicenseID) && (LicenseID != Guid.Empty));
+ public bool ShouldSerializeLicenseID() => Saving && IsLicenseIdSet && (LicenseID != DefaultLicenseID) && (LicenseID != Guid.Empty);
 [UsedImplicitly]
 public bool ShouldSerializeLoginLimiterDelay() => !Saving || (LoginLimiterDelay != DefaultLoginLimiterDelay);
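Review bot: `ShouldSerializeLicenseID` now gates on the instance-wide `Saving` flag (`internal bool Saving { get; set; }` in the GlobalConfig hunks), so if an IPC serialization of the same GlobalConfig instance can overlap with a save that has set `Saving = true`, that IPC response would still carry `LicenseID`; whether such a window exists depends on how `Saving` is toggled, which is outside this diff, so it is worth confirming the flag is set and cleared under the same lock that the IPC read path takes, or that IPC serializes a copy. This is also the only `ShouldSerialize*` method in the hunk that inverts the `!Saving || ...` pattern its neighbours follow, which deserves a why-comment, e.g. `// Never expose LicenseID over IPC; persist it only when it was explicitly configured and is a real (non-empty) value.` Note that the `LicenseID != Guid.Empty` check still matters alongside `IsLicenseIdSet`, because an explicitly configured empty GUID sets the flag too. The enclosing class extends beyond the hunk.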