add validation of sent filereplacements from clients

MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs

@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using MareSynchronos.API;
 using MareSynchronosServer.Utils;
@@ -122,6 +123,17 @@ public partial class MareHub
     {
         _logger.LogCallInfo(MareHubLogger.Args(visibleCharacterIds.Count));
 
+        foreach (var replacement in characterCache.FileReplacements.SelectMany(p => p.Value))
+        {
+            if (replacement.GamePaths.Any(p => !GamePathRegex().IsMatch(p))
+                || (!string.IsNullOrEmpty(replacement.Hash) && !HashRegex().IsMatch(replacement.Hash))
+                || (!string.IsNullOrEmpty(replacement.FileSwapPath) && !GamePathRegex().IsMatch(replacement.FileSwapPath)))
+            {
+                _logger.LogCallWarning(MareHubLogger.Args("Invalid Data"));
+                throw new HubException("Invalid data provided");
+            }
+        }
+
         var allPairedUsers = await GetAllPairedUnpausedUsers().ConfigureAwait(false);
 
         var allPairedUsersDict = allPairedUsers.ToDictionary(f => f, f => _clientIdentService.GetCharacterIdentForUid(f), System.StringComparer.Ordinal)
@@ -328,4 +340,10 @@ public partial class MareHub
 
     private ClientPair OppositeEntry(string otherUID) =>
                                 _dbContext.ClientPairs.AsNoTracking().SingleOrDefault(w => w.User.UID == otherUID && w.OtherUser.UID == AuthenticatedUserId);
+
+    [GeneratedRegex(@"^[A-Z0-9]{40}$", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.ECMAScript)]
+    private static partial Regex HashRegex();
+
+    [GeneratedRegex(@"^([a-z0-9_]+\/)+(([a-z0-9_])+(\.[a-z]{3,4}))$", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.ECMAScript)]
+    private static partial Regex GamePathRegex();
 }