Security Report: BusEngine
Hi! I ran an automated security audit on the BusEngine repo and found a few potential vulnerabilities. Thanks for the awesome engine!
HIGH: Arbitrary Process Execution via _linkgo| message
Files:
BusEngine/Code/Plugin/Program.cs:151
BusEngine/Templates/cs/Launcher/Code/Plugin/Program.cs:132
} else if (t == "_linkgo|") {
System.Diagnostics.Process.Start(message.Substring(8));
}
Issue: message.Substring(8) is passed directly to Process.Start() with no validation. If an attacker can control the message content (e.g. via XSS in WebView or a malicious page in the CEF browser), they can launch arbitrary executables on the user's machine.
Fix: Validate the URL — only allow https:// and http:// schemes:
if (Uri.TryCreate(message.Substring(8), UriKind.Absolute, out var uri) &&
(uri.Scheme == "https" || uri.Scheme == "http")) {
System.Diagnostics.Process.Start(uri.AbsoluteUri);
}
HIGH: PostMessage Listener Without Origin Validation
File: docs/Scripts/BusEngine/bus_app.js:1261
window.navigator.serviceWorker.addEventListener('message', function(event) {
// NO event.origin check!
...
});
Fix: Add origin check:
window.navigator.serviceWorker.addEventListener('message', function(event) {
if (event.origin !== 'https://busengine.buslikdrev.by') return;
...
});
MEDIUM: innerHTML XSS Risk
File: docs/Scripts/BusEngine/bus_app.js (multiple lines)
blockSelect.innerHTML = data; // unsanitized server data!
Fix: Use textContent where possible, or DOMPurify + add CSP header.
LOW
Process.Start("Url") — dead placeholder in Plugin/Program.cs:90
- Commented-out
file_put_contents in busengine.php
- HTTP links in docs
Clean
- No hardcoded tokens/passwords
- No disabled SSL validation
- Clean App.config files
CVSS (RCE): ~8.4 (HIGH)
Overall risk: MODERATE
Full audit report available upon request. Thanks for the project!
Security Report: BusEngine
Hi! I ran an automated security audit on the BusEngine repo and found a few potential vulnerabilities. Thanks for the awesome engine!
HIGH: Arbitrary Process Execution via
_linkgo|messageFiles:
BusEngine/Code/Plugin/Program.cs:151BusEngine/Templates/cs/Launcher/Code/Plugin/Program.cs:132Issue:
message.Substring(8)is passed directly toProcess.Start()with no validation. If an attacker can control themessagecontent (e.g. via XSS in WebView or a malicious page in the CEF browser), they can launch arbitrary executables on the user's machine.Fix: Validate the URL — only allow
https://andhttp://schemes:HIGH: PostMessage Listener Without Origin Validation
File:
docs/Scripts/BusEngine/bus_app.js:1261Fix: Add origin check:
MEDIUM: innerHTML XSS Risk
File:
docs/Scripts/BusEngine/bus_app.js(multiple lines)Fix: Use
textContentwhere possible, or DOMPurify + add CSP header.LOW
Process.Start("Url")— dead placeholder inPlugin/Program.cs:90file_put_contentsinbusengine.phpClean
CVSS (RCE): ~8.4 (HIGH)
Overall risk: MODERATE
Full audit report available upon request. Thanks for the project!