fix: validate Google Maps and Analytics API keys before usage in views

Author: frasermolyneux

src/XtremeIdiots.Portal.Integrations.Forums/AdminActionTopics.cs

@@ -93,7 +93,7 @@ private string PostContent(AdminActionType type, Guid playerId, string username,
 
     private int ResolveForumId(AdminActionType type, GameType gameType)
     {
-        var defaultForumId = int.Parse(configuration["XtremeIdiots:Forums:DefaultForumId"] ?? "28");
+        var defaultForumId = int.TryParse(configuration["XtremeIdiots:Forums:DefaultForumId"], out var parsedForumId) ? parsedForumId : 28;
 
         var category = type switch
         {

src/XtremeIdiots.Portal.Web/Controllers/AdminActionsController.cs

@@ -24,9 +24,6 @@ public class AdminActionsController(
     ILogger<AdminActionsController> logger,
     IConfiguration configuration) : BaseController(telemetryClient, logger, configuration)
 {
-    private readonly string forumBaseUrl = (configuration["XtremeIdiots:Forums:TopicBaseUrl"] ?? "https://www.xtremeidiots.com/forums/topic/").TrimEnd('/') + "/";
-    private readonly string fallbackAdminId = configuration["XtremeIdiots:Forums:DefaultAdminUserId"] ?? "21145";
-    private readonly int tempBanDurationDays = int.TryParse(configuration["XtremeIdiots:Forums:DefaultTempBanDays"], out var days) ? days : 7;
 
     /// <summary>
     /// Displays the create admin action form for a specific player
@@ -63,7 +60,7 @@ public async Task<IActionResult> Create(Guid id, AdminActionType adminActionType
                 Type = adminActionType,
                 PlayerId = playerData.PlayerId,
                 PlayerDto = playerData,
-                Expires = adminActionType == AdminActionType.TempBan ? DateTime.UtcNow.AddDays(tempBanDurationDays) : null
+                Expires = adminActionType == AdminActionType.TempBan ? DateTime.UtcNow.AddDays(int.TryParse(configuration["XtremeIdiots:Forums:DefaultTempBanDays"], out var days) ? days : 7) : null
             };
 
             return View(createAdminActionViewModel);
@@ -607,12 +604,12 @@ public async Task<IActionResult> DeleteConfirmed(Guid id, Guid playerId, Cancell
 
     private string GetForumBaseUrl()
     {
-        return forumBaseUrl;
+        return (configuration["XtremeIdiots:Forums:TopicBaseUrl"] ?? "https://www.xtremeidiots.com/forums/topic/").TrimEnd('/') + "/";
     }
 
     private string GetFallbackAdminId()
     {
-        return fallbackAdminId;
+        return configuration["XtremeIdiots:Forums:DefaultAdminUserId"] ?? "21145";
     }
 
     private async Task<PlayerDto?> GetPlayerDataAsync(Guid playerId, CancellationToken cancellationToken = default)

src/XtremeIdiots.Portal.Web/Controllers/ServerAdminController.cs

@@ -48,9 +48,6 @@ public class ServerAdminController(
     ILogger<ServerAdminController> logger,
     IConfiguration configuration) : BaseController(telemetryClient, logger, configuration)
 {
-    private readonly string forumBaseUrl = (configuration["XtremeIdiots:Forums:TopicBaseUrl"] ?? "https://www.xtremeidiots.com/forums/topic/").TrimEnd('/') + "/";
-    private readonly string fallbackAdminId = configuration["XtremeIdiots:Forums:DefaultAdminUserId"] ?? "21145";
-    private readonly int tempBanDurationDays = int.TryParse(configuration["XtremeIdiots:Forums:DefaultTempBanDays"], out var days) ? days : 7;
 
     /// <summary>
     /// Displays the main server administration dashboard with available game servers
@@ -854,6 +851,8 @@ public async Task<IActionResult> TempBanRconPlayer(Guid id, int playerSlot, stri
                 }
 
                 // Create admin action record with expiry if we have a GUID
+                var tempBanDurationDays = int.TryParse(configuration["XtremeIdiots:Forums:DefaultTempBanDays"], out var days) ? days : 7;
+
                 if (!string.IsNullOrWhiteSpace(playerGuid))
                 {
                     var expiryDate = DateTime.UtcNow.AddDays(tempBanDurationDays);

src/XtremeIdiots.Portal.Web/Views/IPAddresses/Details.cshtml

@@ -309,7 +309,11 @@
 
 
 @section Scripts {
-    @if (Model.GeoLocation != null && Model.GeoLocation.Latitude != 0 && Model.GeoLocation.Longitude != 0 && !string.IsNullOrEmpty(Configuration["Google:MapsApiKey"]))
+    @{
+        var mapsApiKey = Configuration["Google:MapsApiKey"];
+        var isValidMapsApiKey = !string.IsNullOrEmpty(mapsApiKey) && System.Text.RegularExpressions.Regex.IsMatch(mapsApiKey, @"^[A-Za-z0-9_-]+$");
+    }
+    @if (Model.GeoLocation != null && Model.GeoLocation.Latitude != 0 && Model.GeoLocation.Longitude != 0 && isValidMapsApiKey)
     {
         <script type="text/javascript">
             function initMap() {
@@ -330,7 +334,7 @@
                 });
             }
         </script>
-        <script async defer src="https://maps.googleapis.com/maps/api/js?key=@Configuration["Google:MapsApiKey"]&signed_in=false&callback=initMap"></script>
+        <script async defer src="https://maps.googleapis.com/maps/api/js?key=@mapsApiKey&signed_in=false&callback=initMap"></script>
         <script src="~/js/ip-address-details.js" asp-append-version="true"></script>
     }
 }

src/XtremeIdiots.Portal.Web/Views/Players/Details.cshtml

@@ -470,9 +470,13 @@
 
     </script>
 
-    @if (!string.IsNullOrEmpty(Configuration["Google:MapsApiKey"]))
+    @{
+        var mapsApiKey = Configuration["Google:MapsApiKey"];
+        var isValidMapsApiKey = !string.IsNullOrEmpty(mapsApiKey) && System.Text.RegularExpressions.Regex.IsMatch(mapsApiKey, @"^[A-Za-z0-9_-]+$");
+    }
+    @if (isValidMapsApiKey)
     {
-        <script async defer src="https://maps.googleapis.com/maps/api/js?key=@Configuration["Google:MapsApiKey"]&signed_in=false&callback=initMap"></script>
+        <script async defer src="https://maps.googleapis.com/maps/api/js?key=@mapsApiKey&signed_in=false&callback=initMap"></script>
     }
     <script src="~/js/chatlog-index.js" asp-append-version="true"></script>
     <script src="~/js/player-details-tables.js" asp-append-version="true"></script>

src/XtremeIdiots.Portal.Web/Views/Servers/Map.cshtml

@@ -61,9 +61,13 @@
         }
     </script>
 
-    @if (!string.IsNullOrEmpty(Configuration["Google:MapsApiKey"]))
+    @{
+        var mapsApiKey = Configuration["Google:MapsApiKey"];
+        var isValidMapsApiKey = !string.IsNullOrEmpty(mapsApiKey) && System.Text.RegularExpressions.Regex.IsMatch(mapsApiKey, @"^[A-Za-z0-9_-]+$");
+    }
+    @if (isValidMapsApiKey)
     {
         <script async defer
-            src="https://maps.googleapis.com/maps/api/js?key=@Configuration["Google:MapsApiKey"]&signed_in=false&callback=initMap"></script>
+            src="https://maps.googleapis.com/maps/api/js?key=@mapsApiKey&signed_in=false&callback=initMap"></script>
     }
 }

src/XtremeIdiots.Portal.Web/Views/Servers/ServerInfo.cshtml

@@ -301,7 +301,11 @@
 @section Scripts {
     <script src="~/js/server-info.js" asp-append-version="true"></script>
 
-    @if (Model.GameServer.LivePlayers.Any() && !string.IsNullOrEmpty(Configuration["Google:MapsApiKey"]))
+    @{
+        var mapsApiKey = Configuration["Google:MapsApiKey"];
+        var isValidMapsApiKey = !string.IsNullOrEmpty(mapsApiKey) && System.Text.RegularExpressions.Regex.IsMatch(mapsApiKey, @"^[A-Za-z0-9_-]+$");
+    }
+    @if (Model.GameServer.LivePlayers.Any() && isValidMapsApiKey)
     {
         <script>
             function initMap() {
@@ -337,7 +341,7 @@
         </script>
 
         <script async defer
-            src="https://maps.googleapis.com/maps/api/js?key=@Configuration["Google:MapsApiKey"]&signed_in=false&callback=initMap"></script>
+            src="https://maps.googleapis.com/maps/api/js?key=@mapsApiKey&signed_in=false&callback=initMap"></script>
     }
 
     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>

src/XtremeIdiots.Portal.Web/Views/Shared/_Layout.cshtml

@@ -5,15 +5,19 @@
 
 <head>
     <!-- Global site tag (gtag.js) - Google Analytics -->
-    @if (!string.IsNullOrEmpty(Configuration["Google:AnalyticsId"]))
+    @{
+        var analyticsId = Configuration["Google:AnalyticsId"];
+        var isValidAnalyticsId = !string.IsNullOrEmpty(analyticsId) && System.Text.RegularExpressions.Regex.IsMatch(analyticsId, @"^G-[A-Z0-9]+$");
+    }
+    @if (isValidAnalyticsId)
     {
-        <script async src="https://www.googletagmanager.com/gtag/js?id=@Configuration["Google:AnalyticsId"]"></script>
+        <script async src="https://www.googletagmanager.com/gtag/js?id=@analyticsId"></script>
         <script>
             window.dataLayer = window.dataLayer || [];
             function gtag() { dataLayer.push(arguments); }
             gtag('js', new Date());
 
-            gtag('config', '@Configuration["Google:AnalyticsId"]');
+            gtag('config', '@analyticsId');
         </script>
     }