Description
The import validators only verify that Name and ExecutablePath are present:
src/Servy.Core/Helpers/XmlServiceValidator.cs (lines 79–95)src/Servy.Core/Helpers/JsonServiceValidator.cs (lines 47–62)
Zero validation on numeric fields (HeartbeatInterval, RotationSize, MaxRestartAttempts, StartTimeout, StopTimeout, etc.) or string lengths. A crafted config file can set:
RotationSize to -1 → disables log rotation silentlyHeartbeatInterval to 0 → health monitoring ineffectiveStopTimeout to int.MaxValue → uint overflow in SCM timeoutName to a megabyte-long string → DB corruption, path issues
These values flow directly into SQLite via UpsertAsync and are used at service runtime without further checks.
Severity
Warning — crafted import files can persist dangerous values into the database.
Suggested fix
Apply the same validation rules used by ServiceInstallValidator to imported configurations before persisting to the database.
Description
The import validators only verify that
NameandExecutablePathare present:src/Servy.Core/Helpers/XmlServiceValidator.cs(lines 79–95)src/Servy.Core/Helpers/JsonServiceValidator.cs(lines 47–62)Zero validation on numeric fields (
HeartbeatInterval,RotationSize,MaxRestartAttempts,StartTimeout,StopTimeout, etc.) or string lengths. A crafted config file can set:RotationSizeto -1 → disables log rotation silentlyHeartbeatIntervalto 0 → health monitoring ineffectiveStopTimeoutto int.MaxValue → uint overflow in SCM timeoutNameto a megabyte-long string → DB corruption, path issuesThese values flow directly into SQLite via
UpsertAsyncand are used at service runtime without further checks.Severity
Warning — crafted import files can persist dangerous values into the database.
Suggested fix
Apply the same validation rules used by
ServiceInstallValidatorto imported configurations before persisting to the database.