From eabc009f0cf7157fbe661432589bcbcf4e892252 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Mon, 12 Feb 2018 17:37:52 +1100
Subject: [PATCH] Adds validation to IAuditService.Write
---
 src/Umbraco.Core/Services/AuditService.cs | 10 ++++++++++
 src/Umbraco.Core/Services/IAuditService.cs | 4 +++-
 src/Umbraco.Tests/Services/AuditServiceTests.cs | 6 +++---
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/Umbraco.Core/Services/AuditService.cs b/src/Umbraco.Core/Services/AuditService.cs
index 240060cbae..84af5caccb 100644
--- a/src/Umbraco.Core/Services/AuditService.cs
+++ b/src/Umbraco.Core/Services/AuditService.cs
@@ -115,6 +115,16 @@ namespace Umbraco.Core.Services
 ///
 public IAuditEntry Write(int performingUserId, string perfomingDetails, string performingIp, DateTime eventDate, int affectedUserId, string affectedDetails, string eventType, string eventDetails)
 {
+ if (performingUserId < 0) throw new ArgumentOutOfRangeException(nameof(performingUserId));
+ if (string.IsNullOrWhiteSpace(perfomingDetails)) throw new ArgumentException("Value cannot be null or whitespace.", nameof(perfomingDetails));
+ if (string.IsNullOrWhiteSpace(eventType)) throw new ArgumentException("Value cannot be null or whitespace.", nameof(eventType));
+ if (string.IsNullOrWhiteSpace(eventDetails)) throw new ArgumentException("Value cannot be null or whitespace.", nameof(eventDetails));
+
+ //validate the eventType - must contain a forward slash, no spaces, no special chars
+ var eventTypeParts = eventType.ToCharArray();
+ if (eventTypeParts.Contains('/') == false || eventTypeParts.All(c => char.IsLetterOrDigit(c) || c == '/' || c == '-') == false)
+ throw new ArgumentException(nameof(eventType) + " must contain only alphanumeric characters, hyphens and at least one '/' defining a category");
+
 var entry = new AuditEntry
 {
 PerformingUserId = performingUserId,
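Review bot: The eventType check added to Write accepts more than its comment promises: `char.IsLetterOrDigit` is true for every Unicode letter and digit, and only the presence of a slash is tested, so values such as `/`, `a//b` or a look-alike non-ASCII spelling of an existing type are stored as valid. If event types are later used as filter or alerting keys, which this patch does not show, such entries would not match the expected category. Restricting the predicate to ASCII and requiring non-empty segments would close this, e.g. `c <= 0x7F && char.IsLetterOrDigit(c)` in place of the bare call and an extra `|| eventType.Split('/').Any(s => s.Length == 0)` in the condition. The final throw should also pass `nameof(eventType)` as the second constructor argument, as the three checks above it do. Write's body continues outside the hunk.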
diff --git a/src/Umbraco.Core/Services/IAuditService.cs b/src/Umbraco.Core/Services/IAuditService.cs
index 43e3f51865..4b803dc012 100644
--- a/src/Umbraco.Core/Services/IAuditService.cs
+++ b/src/Umbraco.Core/Services/IAuditService.cs
@@ -69,7 +69,9 @@ namespace Umbraco.Core.Services
 /// The date and time of the audited event.
 /// The identifier of the user affected by the audited event.
 /// Free-form details about the entity affected by the audited event.
- /// The type of the audited event.
+ ///
+ /// The type of the audited event - must contain only alphanumeric chars, hyphens and at least one '/' defining categories
+ ///
 /// Free-form details about the audited event.
 IAuditEntry Write(int performingUserId, string perfomingDetails, string performingIp, DateTime eventDate, int affectedUserId, string affectedDetails, string eventType, string eventDetails);
diff --git a/src/Umbraco.Tests/Services/AuditServiceTests.cs b/src/Umbraco.Tests/Services/AuditServiceTests.cs
index 264a765415..8111da5969 100644
--- a/src/Umbraco.Tests/Services/AuditServiceTests.cs
+++ b/src/Umbraco.Tests/Services/AuditServiceTests.cs
@@ -18,13 +18,13 @@ namespace Umbraco.Tests.Services
 Database.Mapper = new PetaPocoMapper();
 var yesterday = DateTime.Now.AddDays(-1);
- var entry = ServiceContext.AuditService.Write(123, "user 123, bob@example.com", null, yesterday, 456, "user 456, alice@example.com", "user-admin", "change property whatever value");
+ var entry = ServiceContext.AuditService.Write(123, "user 123, bob@example.com", null, yesterday, 456, "user 456, alice@example.com", "umbraco/user", "change property whatever value");
 Assert.AreEqual(123, entry.PerformingUserId);
 Assert.AreEqual("user 123, bob@example.com", entry.PerformingDetails);
 Assert.AreEqual(yesterday, entry.EventDate);
 Assert.AreEqual(456, entry.AffectedUserId);
 Assert.AreEqual("user 456, alice@example.com", entry.AffectedDetails);
- Assert.AreEqual("user-admin", entry.EventType);
+ Assert.AreEqual("umbraco/user", entry.EventType);
 Assert.AreEqual("change property whatever value", entry.EventDetails);
 var entries = ServiceContext.AuditService.Get().ToArray();
@@ -35,7 +35,7 @@ namespace Umbraco.Tests.Services
 for (var i = 0; i < 10; i++)
 {
 yesterday = yesterday.AddMinutes(1);
- entry = ServiceContext.AuditService.Write(123 + i, "user 123, bob@example.com", null, yesterday, 456 + i, "user 456, alice@example.com", "user-admin", "change property whatever value");
+ entry = ServiceContext.AuditService.Write(123 + i, "user 123, bob@example.com", null, yesterday, 456 + i, "user 456, alice@example.com", "umbraco/user", "change property whatever value");
 }
 //
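Review bot: The new rejection paths are not covered by any test. The first test hunk only swaps the `"user-admin"` literal for `"umbraco/user"` so the existing happy-path assertions keep passing, the second does the same inside the loop, and the diffstat lists nothing but three replaced lines for this file. A validation rule on audit writes is worth pinning with negative cases, for example `Assert.Throws<ArgumentException>(() => ServiceContext.AuditService.Write(123, "user 123", null, yesterday, 456, "user 456", "user-admin", "details"));`, with matching cases for a blank eventDetails and a negative performingUserId. The enclosing test method starts and ends outside these hunks.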