Severity: Critical
File: src/Servy.Core/Native/NativeMethods.cs
Lines: 386–399
Description:
The username validation regex @"^(?:[\w\s\.-]+|\.)\[\w\s\.@!-]+\$?$" contains the character class [@!-] where !- is interpreted as a character range from ! (ASCII 33) to - (ASCII 45). This inadvertently permits characters ", #, $, %, &, ', (, ), *, +, , in the username field. While Windows usernames cannot actually contain most of these characters, this is a subtle regex bug that could allow malformed input to pass validation.
Suggested fix:
Escape the hyphen in the character class: [@!\-] or move it to the end of the class: [@!-] → [@!\x2D] or [!@-].
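An added check, not part of the original report or of Servy's code: it lists the ASCII punctuation a character class accepts under .NET's regex engine, for the user-name class quoted above and two constructed variants. In .NET a hyphen forms a range only when it sits between two class members; as the last member, or when escaped, it is a literal hyphen. `CharClassAudit` and `Accepted` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class CharClassAudit
{
    // Returns every printable ASCII character that is not a letter or digit
    // and that the given character class matches as a whole one-character string.
    static string Accepted(string charClass)
    {
        var rx = new Regex("^" + charClass + "$", RegexOptions.CultureInvariant);
        return new string(Enumerable.Range(0x21, 0x7E - 0x21 + 1)
            .Select(i => (char)i)
            .Where(c => !char.IsLetterOrDigit(c) && rx.IsMatch(c.ToString()))
            .ToArray());
    }

    static void Main()
    {
        // The first entry is the user-name class copied from the report;
        // the other two are constructed variants for comparison.
        string[] classes =
        {
            @"[\w\s\.@!-]",   // hyphen as the last member of the class
            @"[\w\s\.@!\-]",  // hyphen escaped
            @"[\w\s\.!-@]",   // hyphen between '!' and '@' (constructed)
        };

        foreach (var cls in classes)
            Console.WriteLine($"{cls,-16} accepts: {Accepted(cls)}");
    }
}
```

Running the same enumeration in a unit test against the pattern in `NativeMethods.cs` pins the accepted set, so any later edit to the class that widens it fails the build.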