Bug Description
SourceName is interpolated directly into an XPath query string without escaping. Currently the source is hardcoded to "Servy" so the immediate risk is low, but the pattern is fragile and would allow XPath injection if the source were ever configurable or contained a single quote.
Location
File: src/Servy.Core/Services/EventLogService.cs
Lines: 47, 54, 59
Code
systemFilters.Add($"Provider[@Name='{SourceName}']");
systemFilters.Add($"TimeCreated[@SystemTime >= '{startUtc:o}']");
systemFilters.Add($"TimeCreated[@SystemTime <= '{endUtc:o}']");
Suggested Fix
Escape single quotes in interpolated values, or use SecurityElement.Escape():
var escapedName = SourceName.Replace("'", "&apos;");
systemFilters.Add($"Provider[@Name='{escapedName}']");
Severity
Warning
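An added example, not part of the original issue or the Servy code base: XPath 1.0 string literals have no escape sequence, so this sketch quotes the provider name with whichever delimiter it does not contain and rejects names that contain both. The `EventLogXPath` class, its method names, the `*[System[...]]` wrapping and the sample inputs are assumptions; it also assumes the query is passed as a raw XPath string (not embedded in XML) to a consumer that accepts both literal forms.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper; names are illustrative, not from Servy.
public static class EventLogXPath
{
    // An XPath 1.0 literal is '...' or "..." with no way to escape the
    // delimiter inside it, so pick the delimiter the value does not contain.
    public static string Literal(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        if (value.IndexOf('\'') < 0) return "'" + value + "'";
        if (value.IndexOf('"') < 0) return "\"" + value + "\"";
        // Both quote characters present: cannot be written as one literal.
        throw new ArgumentException("Value contains both quote characters.", nameof(value));
    }

    // Builds the three predicates from the issue and joins them
    // (the joining and wrapping shown here are assumed).
    public static string BuildSystemFilter(string sourceName, DateTime startUtc, DateTime endUtc)
    {
        var systemFilters = new List<string>
        {
            $"Provider[@Name={Literal(sourceName)}]",
            // The round-trip ("o") format never emits a quote character,
            // so the timestamps need no further handling.
            $"TimeCreated[@SystemTime >= '{startUtc:o}']",
            $"TimeCreated[@SystemTime <= '{endUtc:o}']"
        };
        return "*[System[" + string.Join(" and ", systemFilters) + "]]";
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var start = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var end = start.AddDays(1);

        foreach (var name in new[] { "Servy", "O'Brien Service" })
        {
            Console.WriteLine(BuildSystemFilter(name, start, end));
        }
    }
}
```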