Severity: Warning
File: src/Servy.Core/Helpers/AppFoldersHelper.cs (lines 86-95)
Code:
var dataSourcePrefix = "Data Source=";
var startIndex = connectionString.IndexOf(dataSourcePrefix, StringComparison.OrdinalIgnoreCase);
if (startIndex < 0)
    throw new InvalidOperationException("Connection string does not contain 'Data Source='.");
startIndex += dataSourcePrefix.Length;
var endIndex = connectionString.IndexOf(';', startIndex);
var dbFilePath = endIndex < 0
    ? connectionString.Substring(startIndex).Trim()
    : connectionString.Substring(startIndex, endIndex - startIndex).Trim();
Explanation:
This is a hand-rolled parser for the SQLite connection string. It works for simple cases like Data Source=C:\path\db.db;Version=3; but fails on perfectly legal SQLite connection strings:
- Quoted paths: SQLite allows Data Source="C:\path with spaces\db.db"; (or single-quoted, or backtick-quoted). The parser includes the surrounding quotes in dbFilePath, then Path.GetDirectoryName returns garbage or fails.
- Paths containing semicolons: rare but legal under quoting, e.g. Data Source="C:\weird;path\db.db";. The parser splits at the first ; it sees, truncating the path.
- DataSource= (no space): ADO.NET happily accepts this form. The case-insensitive match still requires the literal Data Source with the space.
- Custom keys / ; quoted within values: anything outside the strict format breaks silently.
The .NET BCL ships System.Data.Common.DbConnectionStringBuilder (and SQLite-specific subclasses) which already handle all of the above. Use it.
Suggested fix:
var sb = new System.Data.Common.DbConnectionStringBuilder { ConnectionString = connectionString };
if (!sb.TryGetValue("Data Source", out var raw) && !sb.TryGetValue("DataSource", out raw))
    throw new InvalidOperationException("Connection string does not contain 'Data Source='.");
var dbFilePath = (raw as string)?.Trim();
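The following console program is an added example, not code from the Servy project: it runs the hand-rolled parser and the DbConnectionStringBuilder version side by side over constructed connection strings covering the cases listed above (quoted path, semicolon inside a quoted value, the DataSource= spelling, and a Data Source key that is not first). The method names and inputs are assumptions made for this illustration.

```csharp
using System;
using System.Data.Common;

static class ConnectionStringParsingDemo
{
    // Behaviour of the snippet under review, reproduced for comparison.
    static string HandRolled(string connectionString)
    {
        var dataSourcePrefix = "Data Source=";
        var startIndex = connectionString.IndexOf(dataSourcePrefix, StringComparison.OrdinalIgnoreCase);
        if (startIndex < 0)
            return "<no Data Source= found>";
        startIndex += dataSourcePrefix.Length;
        var endIndex = connectionString.IndexOf(';', startIndex);
        return endIndex < 0
            ? connectionString.Substring(startIndex).Trim()
            : connectionString.Substring(startIndex, endIndex - startIndex).Trim();
    }

    // The suggested fix: the BCL parser handles quoting and both key spellings.
    // Note that the base builder does not treat "DataSource" as a synonym of
    // "Data Source", so both lookups are needed.
    static string WithBuilder(string connectionString)
    {
        var sb = new DbConnectionStringBuilder { ConnectionString = connectionString };
        if (!sb.TryGetValue("Data Source", out var raw) && !sb.TryGetValue("DataSource", out raw))
            return "<no Data Source= found>";
        return (raw as string)?.Trim();
    }

    static void Main()
    {
        // Constructed inputs, one per failure mode described in the finding.
        string[] inputs =
        {
            @"Data Source=C:\path\db.db;Version=3;",
            @"Data Source=""C:\path with spaces\db.db"";Version=3;",
            @"Data Source=""C:\weird;path\db.db"";Version=3;",
            @"DataSource=C:\path\db.db;Version=3;",
            @"Version=3;Data Source='C:\path\db.db'",
        };
        foreach (var cs in inputs)
        {
            Console.WriteLine(cs);
            Console.WriteLine("  hand-rolled: " + HandRolled(cs));
            Console.WriteLine("  builder:     " + WithBuilder(cs));
        }
    }
}
```

Only the first input yields the same path from both parsers; the hand-rolled one keeps the quotes, truncates at the embedded semicolon, and misses the DataSource= spelling entirely.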