From 7b20ab34039d5a03c27c73733aa4f47164fec020 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Mon, 15 Nov 2021 15:22:24 +0100
Subject: [PATCH 01/15] Malformed CIDs do not pass URL validation of nginx. Documentation needs 400 for all inputs, so we loose currently a more specific message. Alternative is duplication of code.
---
 webapp/src/Controller/API/AwardsController.php | 1 +
 webapp/src/Controller/API/BalloonController.php | 1 +
 webapp/src/Controller/API/ClarificationController.php | 1 +
 webapp/src/Controller/API/ContestController.php | 5 +----
 webapp/src/Controller/API/GeneralInfoController.php | 1 +
 webapp/src/Controller/API/GroupController.php | 1 +
 webapp/src/Controller/API/JudgehostController.php | 1 +
 webapp/src/Controller/API/JudgementController.php | 1 +
 webapp/src/Controller/API/JudgementTypeController.php | 1 +
 webapp/src/Controller/API/LanguageController.php | 1 +
 webapp/src/Controller/API/OrganizationController.php | 1 +
 webapp/src/Controller/API/ProblemController.php | 1 +
 webapp/src/Controller/API/RunController.php | 1 +
 webapp/src/Controller/API/ScoreboardController.php | 1 +
 webapp/src/Controller/API/SubmissionController.php | 1 +
 webapp/src/Controller/API/TeamController.php | 1 +
 webapp/src/Controller/API/UserController.php | 1 +
 17 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/webapp/src/Controller/API/AwardsController.php b/webapp/src/Controller/API/AwardsController.php
index f1a943a042..ca50278eac 100644
--- a/webapp/src/Controller/API/AwardsController.php
+++ b/webapp/src/Controller/API/AwardsController.php
@@ -25,6 +25,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class AwardsController extends AbstractRestController
 {
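Review bot: The added `InvalidResponse` entry documents a 400 for every route of `AwardsController`, but by the commit message the rejection of malformed CIDs is done by nginx's URL validation, not by the controller, so the spec now promises a status that the application itself does not produce and that a deployment behind a different front end may not return. If the API is meant to own this behaviour, the 400 should be produced in PHP (a route requirement on `cid`, or one check in `AbstractRestController`) so the response does not depend on the proxy; otherwise the shared response description should say the check is performed by the web server. Whether `#/components/responses/InvalidResponse` is defined in `nelmio_api_doc.yaml` is not visible in this hunk; an unresolved ref makes the document invalid, which the 42Crunch audit added later in this series would flag.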
diff --git a/webapp/src/Controller/API/BalloonController.php b/webapp/src/Controller/API/BalloonController.php
index e04ed5b4f9..04d27d3697 100644
--- a/webapp/src/Controller/API/BalloonController.php
+++ b/webapp/src/Controller/API/BalloonController.php
@@ -19,6 +19,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 * @Security("is_granted('ROLE_JURY') or is_granted('ROLE_API_READER') or is_granted('ROLE_BALLOON')")
 */
 class BalloonController extends AbstractRestController
diff --git a/webapp/src/Controller/API/ClarificationController.php b/webapp/src/Controller/API/ClarificationController.php
index b7dfcada56..6fbc8c8c74 100644
--- a/webapp/src/Controller/API/ClarificationController.php
+++ b/webapp/src/Controller/API/ClarificationController.php
@@ -25,6 +25,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ClarificationController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/ContestController.php b/webapp/src/Controller/API/ContestController.php
index d0b795213d..4827c1b6a2 100644
--- a/webapp/src/Controller/API/ContestController.php
+++ b/webapp/src/Controller/API/ContestController.php
@@ -41,6 +41,7 @@
 * @OA\Tag(name="Contests")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ContestController extends AbstractRestController
 {
@@ -332,10 +333,6 @@ public function setBannerAction(Request $request, string $id, ValidatorInterface
 * description="Contest start time changed successfully",
 * )
 * @OA\Response(
- * response="400",
- * description="Invalid input data"
- * )
- * @OA\Response(
 * response="403",
 * description="Changing start time not allowed"
 * )
diff --git a/webapp/src/Controller/API/GeneralInfoController.php b/webapp/src/Controller/API/GeneralInfoController.php
index 4a8342a38a..02fda2a5f9 100644
--- a/webapp/src/Controller/API/GeneralInfoController.php
+++ b/webapp/src/Controller/API/GeneralInfoController.php
@@ -29,6 +29,7 @@
 /**
 * @OA\Tag(name="General")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class GeneralInfoController extends AbstractFOSRestController
 {
diff --git a/webapp/src/Controller/API/GroupController.php b/webapp/src/Controller/API/GroupController.php
index 703bdb96d0..cadde2f667 100644
--- a/webapp/src/Controller/API/GroupController.php
+++ b/webapp/src/Controller/API/GroupController.php
@@ -22,6 +22,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class GroupController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/JudgehostController.php b/webapp/src/Controller/API/JudgehostController.php
index b2b925a772..b5c253158b 100644
--- a/webapp/src/Controller/API/JudgehostController.php
+++ b/webapp/src/Controller/API/JudgehostController.php
@@ -50,6 +50,7 @@
 /**
 * @Rest\Route("/judgehosts")
 * @OA\Tag(name="Judgehosts")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgehostController extends AbstractFOSRestController
 {
diff --git a/webapp/src/Controller/API/JudgementController.php b/webapp/src/Controller/API/JudgementController.php
index 564bc3269f..4d53344b37 100644
--- a/webapp/src/Controller/API/JudgementController.php
+++ b/webapp/src/Controller/API/JudgementController.php
@@ -25,6 +25,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgementController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/JudgementTypeController.php b/webapp/src/Controller/API/JudgementTypeController.php
index bd63d4fcd8..4648fe7272 100644
--- a/webapp/src/Controller/API/JudgementTypeController.php
+++ b/webapp/src/Controller/API/JudgementTypeController.php
@@ -15,6 +15,7 @@
 /**
 * @Rest\Route("/contests/{cid}/judgement-types")
 * @OA\Tag(name="Judgement types")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgementTypeController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/LanguageController.php b/webapp/src/Controller/API/LanguageController.php
index 1bcb6e2df2..d41ac117a2 100644
--- a/webapp/src/Controller/API/LanguageController.php
+++ b/webapp/src/Controller/API/LanguageController.php
@@ -18,6 +18,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class LanguageController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/OrganizationController.php b/webapp/src/Controller/API/OrganizationController.php
index 47919cbd8d..2b14f4f71c 100644
--- a/webapp/src/Controller/API/OrganizationController.php
+++ b/webapp/src/Controller/API/OrganizationController.php
@@ -34,6 +34,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class OrganizationController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/ProblemController.php b/webapp/src/Controller/API/ProblemController.php
index 223f10095b..c86dfa34b9 100644
--- a/webapp/src/Controller/API/ProblemController.php
+++ b/webapp/src/Controller/API/ProblemController.php
@@ -32,6 +32,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ProblemController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/RunController.php b/webapp/src/Controller/API/RunController.php
index 37c225b561..d49c7dff25 100644
--- a/webapp/src/Controller/API/RunController.php
+++ b/webapp/src/Controller/API/RunController.php
@@ -25,6 +25,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class RunController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/ScoreboardController.php b/webapp/src/Controller/API/ScoreboardController.php
index 82ab1e1d23..95a43752a4 100644
--- a/webapp/src/Controller/API/ScoreboardController.php
+++ b/webapp/src/Controller/API/ScoreboardController.php
@@ -28,6 +28,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ScoreboardController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/SubmissionController.php b/webapp/src/Controller/API/SubmissionController.php
index a721edba38..1cb1316c24 100644
--- a/webapp/src/Controller/API/SubmissionController.php
+++ b/webapp/src/Controller/API/SubmissionController.php
@@ -38,6 +38,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class SubmissionController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/TeamController.php b/webapp/src/Controller/API/TeamController.php
index 5ae71c9d48..e6a1ae76f4 100644
--- a/webapp/src/Controller/API/TeamController.php
+++ b/webapp/src/Controller/API/TeamController.php
@@ -33,6 +33,7 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class TeamController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/UserController.php b/webapp/src/Controller/API/UserController.php
index a14fff55a0..1ee2f4a034 100644
--- a/webapp/src/Controller/API/UserController.php
+++ b/webapp/src/Controller/API/UserController.php
@@ -28,6 +28,7 @@
 * @OA\Tag(name="Users")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class UserController extends AbstractRestController
 {
From ff3ad050938fae955ba89b67d62a76069f62106e Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 22:21:50 +0100
Subject: [PATCH 02/15] Run mayhem on forks
---
 .github/workflows/mayhem-api.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/mayhem-api.yml b/.github/workflows/mayhem-api.yml
index 6f4b8d7f36..acf379c8f1 100644
--- a/.github/workflows/mayhem-api.yml
+++ b/.github/workflows/mayhem-api.yml
@@ -1,6 +1,10 @@
 name: "Mayhem API analysis"
 on:
+ push:
+ branches: [ main ]
+ pull_request_target:
+ branches: [ main ]
 schedule:
 - cron: '5 21 * * *'
From fbfda7dfe767a9b900f1d9dbbd30d357517cef08 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Fri, 5 Nov 2021 00:04:10 +0100
Subject: [PATCH 03/15] Scan the OpenAPI definition for issues We explicit only check our own API and remove all other json files. This does need an account with 42Crunch as explained in the github action.
---
 .github/workflows/crunch42-analysis.yml | 42 +++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/crunch42-analysis.yml
diff --git a/.github/workflows/crunch42-analysis.yml b/.github/workflows/crunch42-analysis.yml
new file mode 100644
index 0000000000..ac13fe8fab
--- /dev/null
+++ b/.github/workflows/crunch42-analysis.yml
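Review bot: The new `pull_request_target` trigger on `main` runs this workflow for pull requests from forks with the base repository's secrets and a write-scoped `GITHUB_TOKEN`, which is precisely the situation the commit wants to cover. That is only safe if the job never checks out or executes the PR's code; the rest of `mayhem-api.yml` is outside this hunk, but a Mayhem API run against DOMjudge has to install and start the PR's webapp, so a fork's code would then run with access to those secrets. Use `pull_request:` with `branches: [ main ]` instead, which runs fork PRs with read-only permissions and without secrets, and keep `pull_request_target` only for steps that touch nothing PR-controlled. If the Mayhem token is genuinely needed for fork PRs, gate the job on a maintainer-applied label and add a top-level `permissions: contents: read` so the token cannot write.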
@@ -0,0 +1,42 @@
+name: "42Crunch REST API Static Security Testing"
+
+# follow standard Code Scanning triggers
+on:
+ push:
+ branches: [ main ]
+ pull_request_target:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+ schedule:
+ - cron: '19 4 * * 3'
+
+jobs:
+ rest-api-static-security-testing:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Install DOMjudge
+ run: .github/workflowscripts/baseinstall.sh
+
+ - name: Dump the OpenAPI
+ run: .github/workflowscripts/getapi.sh
+
+ - name: Find all other JSON files and delete those
+ run: |
+ rm -rf ./installdir/domserver/lib/vendor ./lib/vendor
+ rm -f ./doc/manual/sphinx-team.json ./doc/manual/sphinx-team.json
+ find ./ -name "*.json"
+
+ - name: 42Crunch REST API Static Security Testing
+ uses: 42Crunch/api-security-audit-action@v1
+ with:
+ # Follow these steps to configure API_SECRET https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+ api-token: ${{ secrets.API_SECRET }}
+ min-score: 9
+ # Upload results to Github code scanning
+ upload-to-code-scanning: true
+ # Github token for uploading the results
+ github-token: ${{ github.token }}
+ ignore-failures: false
+
From da3c58c3c59ccf841b8f92a239fc72065fa3f78c Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 18:56:33 +0100
Subject: [PATCH 04/15] Add annotation for fetching of judgetasks
---
 .../Controller/API/JudgehostController.php | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/webapp/src/Controller/API/JudgehostController.php b/webapp/src/Controller/API/JudgehostController.php
index b5c253158b..ff287f0c56 100644
--- a/webapp/src/Controller/API/JudgehostController.php
+++ b/webapp/src/Controller/API/JudgehostController.php
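Review bot: This workflow pairs `pull_request_target` with `actions/checkout@v2`, and under that trigger `checkout` defaults to the base branch, so for a fork PR the `baseinstall.sh` and `getapi.sh` steps install and audit `main`'s OpenAPI rather than the PR's, while `secrets.API_SECRET` and a write-scoped `github.token` are still handed to the job. Should a later change point checkout at `github.event.pull_request.head.sha` to scan the PR, those secrets become reachable from untrusted scripts; `pull_request:` is the trigger that matches a static scan of the proposed change, with `upload-to-code-scanning` then needing `permissions: security-events: write`. Separately, the `rm -f` line names `./doc/manual/sphinx-team.json` twice, so a second file was probably intended, and `find ./ -name "*.json"` only lists leftovers without failing, so stray JSON can still reach the audit. Pin `actions/checkout` and `42Crunch/api-security-audit-action` to a commit SHA rather than a moving tag, since the job handles an API secret.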
@@ -1324,6 +1324,44 @@ private function getTestcaseFiles(string $id): array
 /**
 * Fetch work tasks.
 * @Rest\Post("/fetch-work")
+ * @OA\RequestBody(
+ * description="The hostname of the judgedaemon requesting.",
+ * @OA\JsonContent(
+ * required={"hostname"},
+ * @OA\Property(
+ * property="hostname",
+ * type="string",
+ * format="string",
+ * description="Hostname of judgedaemon"
+ * ),
+ * @OA\Property(
+ * property="max-batchsize",
+ * type="integer",
+ * format="integer",
+ * description="Maximum size judge requests to handle"
+ * ),
+ * @OA\Schema(
+ * @OA\Property(
+ * property="hostname",
+ * type="string",
+ * format="string",
+ * description="Hostname of judgedaemon"
+ * ),
+ * @OA\Property(
+ * property="max-batchsize",
+ * type="integer",
+ * format="integer",
+ * description="Maximum size judge requests to handle"
+ * ),
+ * ),
+ * @OA\Examples(example="example-data", value={"hostname": "example-judgehost1"}, summary="Fetch work with example judgedaemon."),
+ * )
+ * )
+ * @OA\Response(
+ * response="200",
+ * description="List of judgeTasks.",
+ * @OA\Schema(ref="#/definitions/JudgeTaskList")
+ * )
 * @Security("is_granted('ROLE_JUDGEHOST')")
 */
 public function getJudgeTasksAction(Request $request): array
From 42dbffed2c81208a48a0d5d63dd004f99c4b34c1 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 22:47:50 +0100
Subject: [PATCH 05/15] Based on the value for externalID
---
 webapp/config/packages/nelmio_api_doc.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
index 0c6f395ad9..8b48972fae 100644
--- a/webapp/config/packages/nelmio_api_doc.yaml
+++ b/webapp/config/packages/nelmio_api_doc.yaml
@@ -19,6 +19,8 @@ nelmio_api_doc:
 required: true
 schema:
 type: string
+ pattern: "^[A-Za-z0-9]{1,255}$"
+ maxLength: 255
 examples:
 int0:
 value: "2"
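Review bot: `@OA\Schema(ref="#/definitions/JudgeTaskList")` on the 200 response uses the Swagger 2.0 `#/definitions/` prefix, while the rest of this series references `#/components/schemas/...` (the OpenAPI 3 form), so this ref will not resolve in the generated document; in OA3 a response schema belongs in `@OA\JsonContent(ref="#/components/schemas/JudgeTaskList")`. The request body also declares `hostname` and `max-batchsize` twice, once directly under `@OA\JsonContent` and again under a nested `@OA\Schema`; one copy should go. `format="string"` and `format="integer"` are not OpenAPI formats and can be dropped, and `max-batchsize` would benefit from `minimum=1` so the documented contract matches what a daemon may send. The body of `getJudgeTasksAction` continues past the hunk.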
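Review bot: The `pattern` and `maxLength` added to the `cid` parameter are documentation only; nothing in this hunk enforces them server-side, and a spec-driven fuzzer such as the Mayhem job in this series will generate conforming IDs and skip exactly the malformed ones the series is about unless it is told to send out-of-spec values too. The alphabet `[A-Za-z0-9]` excludes `-`, `_` and `.`; if contest external IDs may contain those (not visible here), the spec now marks valid requests as invalid and a strict client or gateway will reject them. Check the entity's own validation rule and widen to something like `^[A-Za-z0-9_.-]{1,255}$` if needed; the `{1,255}` quantifier already bounds the length, so `maxLength: 255` is redundant but harmless.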
From 9e830a4c05c10656ed600f9ab994b8827e2cf33d Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 23:47:40 +0100
Subject: [PATCH 06/15] Assume the size of the externalId
---
 webapp/config/packages/nelmio_api_doc.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
index 8b48972fae..f6795f1e00 100644
--- a/webapp/config/packages/nelmio_api_doc.yaml
+++ b/webapp/config/packages/nelmio_api_doc.yaml
@@ -49,6 +49,8 @@ nelmio_api_doc:
 required: true
 schema:
 type: string
+ pattern: "^[A-Za-z0-9]{1,255}$"
+ maxLength: 255
 examples:
 generic:
 value: "1"
From 905f4cb3cd30940ab4697714065cf6d4096483af Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 23:47:15 +0100
Subject: [PATCH 07/15] Limit the ids based on the Entity value
---
 webapp/config/packages/nelmio_api_doc.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
index f6795f1e00..34536566e1 100644
--- a/webapp/config/packages/nelmio_api_doc.yaml
+++ b/webapp/config/packages/nelmio_api_doc.yaml
@@ -38,6 +38,8 @@ nelmio_api_doc:
 required: true
 schema:
 type: integer
+ minimum: 1
+ maximum: 9999
 examples:
 balloon:
 value: 1
From dde46529ea588792ea97f5ae1ed13b15765a778a Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Tue, 16 Nov 2021 23:48:13 +0100
Subject: [PATCH 08/15] Assume that the idList followes the sizes of the id above
---
 webapp/config/packages/nelmio_api_doc.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
index 34536566e1..537fbd3124 100644
--- a/webapp/config/packages/nelmio_api_doc.yaml
+++ b/webapp/config/packages/nelmio_api_doc.yaml
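Review bot: `maximum: 9999` caps an integer entity ID at four digits; the parameter's name is outside the hunk, but the `balloon` example suggests a database-assigned ID, which on a long-running installation can exceed 9999, at which point the spec declares real requests invalid and a spec-driven fuzzer never exercises the larger values. Unless the entity genuinely cannot exceed that value, keep `minimum: 1` and drop the maximum, or document the real range with `format: int64`.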
@@ -50,6 +50,7 @@ nelmio_api_doc:
 description: The ID of the entity to get
 required: true
 schema:
+ $ref: "#/components/schemas/Id"
 type: string
 pattern: "^[A-Za-z0-9]{1,255}$"
 maxLength: 255
@@ -74,8 +75,7 @@ nelmio_api_doc:
 schema:
 type: array
 items:
- type: string
- description: A single ID
+ $ref: "#/components/schemas/Id"
 strict:
 name: strict
 in: query
@@ -103,6 +103,10 @@ nelmio_api_doc:
 schema:
 type: string
 schemas:
+ Id:
+ type: string
+ pattern: "^[A-Za-z0-9]{1,255}$"
+ maxLength: 255
 ImageList:
 type: array
 items:
From 2f928635d10869b148f10f81579b341292b47fe3 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Wed, 17 Nov 2021 15:11:02 +0100
Subject: [PATCH 09/15] Revert "Malformed CIDs do not pass URL validation of nginx." This reverts commit 33a5dfff40a8de9c797c1891a5dba54ac96cb481.
---
 webapp/src/Controller/API/AwardsController.php | 1 -
 webapp/src/Controller/API/BalloonController.php | 1 -
 webapp/src/Controller/API/ClarificationController.php | 1 -
 webapp/src/Controller/API/ContestController.php | 5 ++++-
 webapp/src/Controller/API/GeneralInfoController.php | 1 -
 webapp/src/Controller/API/GroupController.php | 1 -
 webapp/src/Controller/API/JudgehostController.php | 1 -
 webapp/src/Controller/API/JudgementController.php | 1 -
 webapp/src/Controller/API/JudgementTypeController.php | 1 -
 webapp/src/Controller/API/LanguageController.php | 1 -
 webapp/src/Controller/API/OrganizationController.php | 1 -
 webapp/src/Controller/API/ProblemController.php | 1 -
 webapp/src/Controller/API/RunController.php | 1 -
 webapp/src/Controller/API/ScoreboardController.php | 1 -
 webapp/src/Controller/API/SubmissionController.php | 1 -
 webapp/src/Controller/API/TeamController.php | 1 -
 webapp/src/Controller/API/UserController.php | 1 -
 17 files changed, 4 insertions(+), 17 deletions(-)
diff --git a/webapp/src/Controller/API/AwardsController.php b/webapp/src/Controller/API/AwardsController.php
index ca50278eac..f1a943a042 100644
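Review bot: In the `id` parameter the new `$ref: "#/components/schemas/Id"` sits beside `type`, `pattern` and `maxLength` in the same schema object; under OpenAPI 3.0 sibling keywords of `$ref` are ignored, and under 3.1 they are merged, so depending on the generator version the inline copies are either dead or a second source of truth that can silently drift from the `Id` schema. Remove the three sibling lines and keep only the `$ref`, which is what the `idList` hunk in the same commit already does.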
--- a/webapp/src/Controller/API/AwardsController.php
+++ b/webapp/src/Controller/API/AwardsController.php
@@ -25,7 +25,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class AwardsController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/BalloonController.php b/webapp/src/Controller/API/BalloonController.php
index 04d27d3697..e04ed5b4f9 100644
--- a/webapp/src/Controller/API/BalloonController.php
+++ b/webapp/src/Controller/API/BalloonController.php
@@ -19,7 +19,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 * @Security("is_granted('ROLE_JURY') or is_granted('ROLE_API_READER') or is_granted('ROLE_BALLOON')")
 */
 class BalloonController extends AbstractRestController
diff --git a/webapp/src/Controller/API/ClarificationController.php b/webapp/src/Controller/API/ClarificationController.php
index 6fbc8c8c74..b7dfcada56 100644
--- a/webapp/src/Controller/API/ClarificationController.php
+++ b/webapp/src/Controller/API/ClarificationController.php
@@ -25,7 +25,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ClarificationController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/ContestController.php b/webapp/src/Controller/API/ContestController.php
index 4827c1b6a2..d0b795213d 100644
--- a/webapp/src/Controller/API/ContestController.php
+++ b/webapp/src/Controller/API/ContestController.php
@@ -41,7 +41,6 @@
 * @OA\Tag(name="Contests")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ContestController extends AbstractRestController
 {
@@ -333,6 +332,10 @@ public function setBannerAction(Request $request, string $id, ValidatorInterface
 * description="Contest start time changed successfully",
 * )
 * @OA\Response(
+ * response="400",
+ * description="Invalid input data"
+ * )
+ * @OA\Response(
 * response="403",
 * description="Changing start time not allowed"
 * )
diff --git a/webapp/src/Controller/API/GeneralInfoController.php b/webapp/src/Controller/API/GeneralInfoController.php
index 02fda2a5f9..4a8342a38a 100644
--- a/webapp/src/Controller/API/GeneralInfoController.php
+++ b/webapp/src/Controller/API/GeneralInfoController.php
@@ -29,7 +29,6 @@
 /**
 * @OA\Tag(name="General")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class GeneralInfoController extends AbstractFOSRestController
 {
diff --git a/webapp/src/Controller/API/GroupController.php b/webapp/src/Controller/API/GroupController.php
index cadde2f667..703bdb96d0 100644
--- a/webapp/src/Controller/API/GroupController.php
+++ b/webapp/src/Controller/API/GroupController.php
@@ -22,7 +22,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class GroupController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/JudgehostController.php b/webapp/src/Controller/API/JudgehostController.php
index ff287f0c56..d189b60f1d 100644
--- a/webapp/src/Controller/API/JudgehostController.php
+++ b/webapp/src/Controller/API/JudgehostController.php
@@ -50,7 +50,6 @@
 /**
 * @Rest\Route("/judgehosts")
 * @OA\Tag(name="Judgehosts")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgehostController extends AbstractFOSRestController
 {
diff --git a/webapp/src/Controller/API/JudgementController.php b/webapp/src/Controller/API/JudgementController.php
index 4d53344b37..564bc3269f 100644
--- a/webapp/src/Controller/API/JudgementController.php
+++ b/webapp/src/Controller/API/JudgementController.php
@@ -25,7 +25,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgementController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/JudgementTypeController.php b/webapp/src/Controller/API/JudgementTypeController.php
index 4648fe7272..bd63d4fcd8 100644
--- a/webapp/src/Controller/API/JudgementTypeController.php
+++ b/webapp/src/Controller/API/JudgementTypeController.php
@@ -15,7 +15,6 @@
 /**
 * @Rest\Route("/contests/{cid}/judgement-types")
 * @OA\Tag(name="Judgement types")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class JudgementTypeController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/LanguageController.php b/webapp/src/Controller/API/LanguageController.php
index d41ac117a2..1bcb6e2df2 100644
--- a/webapp/src/Controller/API/LanguageController.php
+++ b/webapp/src/Controller/API/LanguageController.php
@@ -18,7 +18,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class LanguageController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/OrganizationController.php b/webapp/src/Controller/API/OrganizationController.php
index 2b14f4f71c..47919cbd8d 100644
--- a/webapp/src/Controller/API/OrganizationController.php
+++ b/webapp/src/Controller/API/OrganizationController.php
@@ -34,7 +34,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class OrganizationController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/ProblemController.php b/webapp/src/Controller/API/ProblemController.php
index c86dfa34b9..223f10095b 100644
--- a/webapp/src/Controller/API/ProblemController.php
+++ b/webapp/src/Controller/API/ProblemController.php
@@ -32,7 +32,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ProblemController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/RunController.php b/webapp/src/Controller/API/RunController.php
index d49c7dff25..37c225b561 100644
--- a/webapp/src/Controller/API/RunController.php
+++ b/webapp/src/Controller/API/RunController.php
@@ -25,7 +25,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class RunController extends AbstractRestController implements QueryObjectTransformer
 {
diff --git a/webapp/src/Controller/API/ScoreboardController.php b/webapp/src/Controller/API/ScoreboardController.php
index 95a43752a4..82ab1e1d23 100644
--- a/webapp/src/Controller/API/ScoreboardController.php
+++ b/webapp/src/Controller/API/ScoreboardController.php
@@ -28,7 +28,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class ScoreboardController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/SubmissionController.php b/webapp/src/Controller/API/SubmissionController.php
index 1cb1316c24..a721edba38 100644
--- a/webapp/src/Controller/API/SubmissionController.php
+++ b/webapp/src/Controller/API/SubmissionController.php
@@ -38,7 +38,6 @@
 * @OA\Parameter(ref="#/components/parameters/cid")
 * @OA\Response(response="404", ref="#/components/responses/NotFound")
 * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
 */
 class SubmissionController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/TeamController.php b/webapp/src/Controller/API/TeamController.php
index e6a1ae76f4..5ae71c9d48 100644
--- a/webapp/src/Controller/API/TeamController.php
+++ b/webapp/src/Controller/API/TeamController.php
@@ -33,7 +33,6 @@
  * @OA\Parameter(ref="#/components/parameters/cid")
  * @OA\Response(response="404", ref="#/components/responses/NotFound")
  * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  */
 class TeamController extends AbstractRestController
 {
diff --git a/webapp/src/Controller/API/UserController.php b/webapp/src/Controller/API/UserController.php
index 1ee2f4a034..a14fff55a0 100644
--- a/webapp/src/Controller/API/UserController.php
+++ b/webapp/src/Controller/API/UserController.php
@@ -28,7 +28,6 @@
  * @OA\Tag(name="Users")
  * @OA\Response(response="404", ref="#/components/responses/NotFound")
  * @OA\Response(response="401", ref="#/components/responses/Unauthorized")
- * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  */
 class UserController extends AbstractRestController
 {
From 9b112444a5dcc95e59ddeb84d0c132f5deef30b8 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Wed, 17 Nov 2021 21:17:16 +0100
Subject: [PATCH 10/15] stash
---
 webapp/config/packages/nelmio_api_doc.yaml | 2 +-
 .../Controller/API/AbstractRestController.php | 1 +
 webapp/src/Controller/API/ContestController.php | 4 ----
 .../Controller/API/GeneralInfoController.php | 1 +
 .../.FlattenExceptionHandler.php.swp | Bin 0 -> 12288 bytes
 5 files changed, 3 insertions(+), 5 deletions(-)
 create mode 100644 webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp
diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
index 537fbd3124..949dfe02b0 100644
--- a/webapp/config/packages/nelmio_api_doc.yaml
+++ b/webapp/config/packages/nelmio_api_doc.yaml
@@ -9,7 +9,7 @@ nelmio_api_doc:
 components:
 securitySchemes:
 basicAuth:
- type: http
+ type: https
 scheme: basic
 parameters:
 cid:
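Review bot: `type: https` on the `basicAuth` security scheme is not a valid OpenAPI securityScheme type; the allowed values are `apiKey`, `http`, `oauth2` and `openIdConnect`, and HTTP Basic over TLS is still declared as `type: http` with `scheme: basic`, because transport security is expressed by the server URL rather than by the scheme type. As written, spec validators and Swagger UI will most likely reject or ignore the scheme, which breaks the Authorize flow on the API docs page without making anything more secure. Keep the line as `type: http` and, if the intent is to require TLS, add an `https://` entry under `servers` instead. The commit is titled "stash", so this may be an unintended leftover rather than a deliberate change.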
diff --git a/webapp/src/Controller/API/AbstractRestController.php b/webapp/src/Controller/API/AbstractRestController.php
index bb15531199..3fefa5da9c 100644
--- a/webapp/src/Controller/API/AbstractRestController.php
+++ b/webapp/src/Controller/API/AbstractRestController.php
@@ -25,6 +25,7 @@
 /**
  * Class AbstractRestController
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  * @package App\Controller\API
  */
 abstract class AbstractRestController extends AbstractFOSRestController
diff --git a/webapp/src/Controller/API/ContestController.php b/webapp/src/Controller/API/ContestController.php
index d0b795213d..89363ca5ca 100644
--- a/webapp/src/Controller/API/ContestController.php
+++ b/webapp/src/Controller/API/ContestController.php
@@ -332,10 +332,6 @@ public function setBannerAction(Request $request, string $id, ValidatorInterface
  * description="Contest start time changed successfully",
  * )
  * @OA\Response(
- * response="400",
- * description="Invalid input data"
- * )
- * @OA\Response(
  * response="403",
  * description="Changing start time not allowed"
  * )
diff --git a/webapp/src/Controller/API/GeneralInfoController.php b/webapp/src/Controller/API/GeneralInfoController.php
index 4a8342a38a..02fda2a5f9 100644
--- a/webapp/src/Controller/API/GeneralInfoController.php
+++ b/webapp/src/Controller/API/GeneralInfoController.php
@@ -29,6 +29,7 @@
 /**
  * @OA\Tag(name="General")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  */
 class GeneralInfoController extends AbstractFOSRestController
 {
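Review bot: The class-level `@OA\Response(response="400", ...)` added to the abstract parent only documents a 400 for the child controllers if the annotation processor merges class-level responses from ancestor classes into each child's operations; I cannot confirm from this diff that swagger-php/nelmio does so for controller annotations, so the generated spec should be checked for a 400 entry on e.g. a `TeamController` operation before the per-controller lines are dropped elsewhere in the series. `GeneralInfoController` does not extend `AbstractRestController` and therefore gets its own copy, which is consistent with that concern. In the `ContestController` hunk the endpoint-specific `description="Invalid input data"` is replaced by the generic `InvalidResponse` component; if that component's text is less specific, keep a short per-operation description, e.g. `@OA\Response(response="400", ref="#/components/responses/InvalidResponse", description="Invalid start time")`. The annotation block of the start-time operation begins and ends outside this hunk.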
diff --git a/webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp b/webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp new file mode 100644 index 0000000000000000000000000000000000000000..740b4fd8d985bfe21ac5e7377c49174b4f9e77f3 GIT binary patch literal 12288 zcmeI2&u<$=6vrn>2nr-EAhp*4EZK>YIw?JX^NWyQb-_s+J5fa(g|$7gx2$(pGqXuU z68HQTL|?f$MR1)XdhqkvJsDDVg> zApIfoKJt1@=XPCx52e2Kt@$zv7zK<1MggOMQNSo*6fg=H1&jhl0i%FX;D4xq)ga`j z#|gRg1cJx^|Kq>^@1G^)SMWXf4txlXz&f}9{um+TGjI%!zya6-WpEixf|c(ZDOv;WJNXPMyH7~kFQR*x`V@b{kkoxhGaK;kLEJ6Ws8Zq2CD_l zQF_!3YNywIw#|gFnk-9a=V(UXjFWhD^_{JI4c#uJB?GaD`>u%&5b11pM@glw{lW&P z`+Uz8tWd~A&MNGd6x;endETM(^EAsi_jtA&>j`C!U`QkxSsd?aDN9jSr&JLw??AWF z<6}BdrA*Qgg^JYFX^4{LPt2j*p0m$ZxYrIVux7PcE>%%o8kDpXcS@PAqNkH6chpYi z(O-#PKXuQQ&^4S@3sQ2s7D$%MMn=0~JrmO`oG+a&ElUjQq9&5kf3!d?&aJ~lIToW4 zX-50$~}4d@KzKw z&FJX0EJ4k&>s?iZ?!qdb@^DI))Vkj3Mx_Q-7nZtgd5v(TXH)L7eauyEp>aB`LLuCX z`gGazc-xZE2saUBKer8=v#`*i*($gE)|$0%H!T#dh-u6BunQInOT~@l#Y%B~ZMVF< zQCxVl_|}5D>m78Pgqh((&w%JbG)w(RK{e@huyI7B|kUXf%T<4_omgNKt+f0v_aa!{{M~^-l zMH;W3WJsN7JrNv{uxd12O?{}E+HK!qZRScr6Z+`ZPGJZg%LDqFZ`I$ydxI|cepRg! z?m0M`U0t|VM6D0= zzBqjhE;$K`2*q57QVFwyL~+*NB^%uZno{TGZ~4PXEO literal 0 HcmV?d00001 From c9d019586431065e6fb90c29649e5371ef141511 Mon Sep 17 00:00:00 2001 From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com> Date: Mon, 24 Jan 2022 14:50:05 +0100 Subject: [PATCH 11/15] Remove CWE134 error --- lib/lib.error.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/lib.error.c b/lib/lib.error.c index 6ecee19198..ee7acdc50e 100644 --- a/lib/lib.error.c +++ b/lib/lib.error.c 
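Review bot: `webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp` is a Vim swap file and should not be added to the tree; a swap file typically contains the unsaved buffer of the file being edited together with the editing user and host name, so committing it can leak in-progress code and environment details while providing nothing to other checkouts. Remove it from the commit (`git rm --cached webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp`) and add `*.swp`, `*.swo` and `*~` to `.gitignore` so editor artifacts cannot be staged by accident. The diffstat lists it as `Bin 0 -> 12288 bytes` and nothing else in the diff references it, which supports treating it as accidental.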
@@ -109,12 +109,12 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap)
 progname_escaped = printf_escape(progname);
 if ( progname_escaped==NULL ) abort();
- bufferlen = strlen(timestring)+strlen(progname_escaped)+strlen(mesg)+20;
+ bufferlen = strlen(timestring)+strlen(mesg)+20;
 buffer = (char *)malloc(bufferlen);
 if ( buffer==NULL ) abort();
- snprintf(buffer, bufferlen, "[%s] %s[%d]: %s\n",
- timestring, progname_escaped, getpid(), mesg);
+ snprintf(buffer, bufferlen, "[%s] [%d]: %s\n",
+ timestring, getpid(), mesg);
 free(progname_escaped);
From d02b0f552d496cc5fc1b645e050c71943d85d6bc Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Mon, 24 Jan 2022 15:04:50 +0100
Subject: [PATCH 12/15] Revert "Remove CWE134 error"
This reverts commit c9d019586431065e6fb90c29649e5371ef141511.
---
 lib/lib.error.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/lib.error.c b/lib/lib.error.c
index ee7acdc50e..6ecee19198 100644
--- a/lib/lib.error.c
+++ b/lib/lib.error.c
@@ -109,12 +109,12 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap)
 progname_escaped = printf_escape(progname);
 if ( progname_escaped==NULL ) abort();
- bufferlen = strlen(timestring)+strlen(mesg)+20;
+ bufferlen = strlen(timestring)+strlen(progname_escaped)+strlen(mesg)+20;
 buffer = (char *)malloc(bufferlen);
 if ( buffer==NULL ) abort();
- snprintf(buffer, bufferlen, "[%s] [%d]: %s\n",
- timestring, getpid(), mesg);
+ snprintf(buffer, bufferlen, "[%s] %s[%d]: %s\n",
+ timestring, progname_escaped, getpid(), mesg);
 free(progname_escaped);
From 7c716a4a85315640117546ecc84d6f4025fa3f44 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+mvr320@users.noreply.github.com>
Date: Mon, 24 Jan 2022 15:26:12 +0100
Subject: [PATCH 13/15] Remove all formatting from string
Replace everything to just 1 long string of chars
---
 lib/lib.error.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
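Review bot: After this change `progname_escaped` is still produced by `printf_escape(progname)`, NULL-checked and freed, but no longer used anywhere in the hunk, so the escape pass and its allocation are dead work, and every log line loses the program name that distinguishes messages from the several DOMjudge processes that share a log destination. The CWE-134 finding is not addressed either: the assembled `buffer` still embeds the caller-supplied `mesg` and, judging by the existence of `printf_escape`, is presumably passed to a `v*printf` call as the format string further down (outside this hunk), which is what the analyzer objects to; the usual fix is to format `mesg` with `ap` via `vsnprintf` into a separate buffer first and then emit the finished line with a constant format such as `"%s"`, at which point `printf_escape` becomes unnecessary. The next commit in the series reverts this hunk, so only that underlying finding remains open. `vlogmsg` starts before and continues after this hunk.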
diff --git a/lib/lib.error.c b/lib/lib.error.c index 6ecee19198..cbd978cf48 100644 --- a/lib/lib.error.c +++ b/lib/lib.error.c @@ -78,6 +78,7 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap) struct tm tm_buf; char timestring[128]; char *progname_escaped; + char *progname_unformatted; char *buffer; int bufferlen; va_list aq; @@ -112,10 +113,22 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap) bufferlen = strlen(timestring)+strlen(progname_escaped)+strlen(mesg)+20; buffer = (char *)malloc(bufferlen); if ( buffer==NULL ) abort(); + progname_unformatted = (char *)malloc(1+2*strlen(progname_escaped)); + size_t str_tmp_pos, esc_tmp_pos; + char ctmp; + for(str_tmp_pos=0; str_tmp_pos Date: Mon, 24 Jan 2022 16:35:53 +0100 Subject: [PATCH 14/15] Revert "Remove all formatting from string" This reverts commit 7c716a4a85315640117546ecc84d6f4025fa3f44. --- lib/lib.error.c | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/lib/lib.error.c b/lib/lib.error.c index cbd978cf48..6ecee19198 100644 --- a/lib/lib.error.c +++ b/lib/lib.error.c @@ -78,7 +78,6 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap) struct tm tm_buf; char timestring[128]; char *progname_escaped; - char *progname_unformatted; char *buffer; int bufferlen; va_list aq; @@ -113,22 +112,10 @@ void vlogmsg(int msglevel, const char *mesg, va_list ap) bufferlen = strlen(timestring)+strlen(progname_escaped)+strlen(mesg)+20; buffer = (char *)malloc(bufferlen); if ( buffer==NULL ) abort(); - progname_unformatted = (char *)malloc(1+2*strlen(progname_escaped)); - size_t str_tmp_pos, esc_tmp_pos; - char ctmp; - for(str_tmp_pos=0; str_tmp_pos Date: Mon, 24 Jan 2022 16:37:10 +0100 Subject: [PATCH 15/15] Only allow alphanumeric chars, this will break the extensions --- lib/lib.error.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/lib.error.c b/lib/lib.error.c index 6ecee19198..5355bc95e9 100644 --- a/lib/lib.error.c +++ b/lib/lib.error.c 
@@ -23,6 +23,8 @@ #include #include #include +#include +#include /* Define va_copy macro if not available (ANSI C99 only). * memcpy() is fallback suggested by the autoconf manual, but doesn't @@ -63,8 +65,9 @@ char *printf_escape(const char *str) for(str_pos=0; str_pos