Summary
Follow-up audit found additional non-critical bugs that should be tracked separately from the severe Backup API blockers in #65 and the main API/profile/library/export set in #64.
Each finding below includes a severity classification.
Findings
1. Medium: Backup list API exposes absolute backup file paths
Classification: Medium / privacy leak
GET /api/v1/backups returns BackupFileDto with FilePath: info.FullName.
Impact: Local API clients receive full absolute backup paths, exposing the user's filesystem layout. This is inconsistent with support-bundle sanitization work elsewhere.
Expected fix: return only FileName, size, and timestamps from the list endpoint. Resolve the absolute path server-side during restore/delete.
2. Low-medium: Patrol readiness RPH message is misleading for incomplete RPH installs
Classification: Low-medium / diagnostic accuracy
RPH presence is now determined by complete install state, but /api/v1/patrol-readiness reports only:
RAGEPluginHook.exe is missing — LSPDFR cannot launch.
If RAGEPluginHook.exe exists but RagePluginHook.dll is missing, the message points users to the wrong missing file.
Expected fix: change the blocking message to something like:
RAGE Plugin Hook install is incomplete — RAGEPluginHook.exe or RagePluginHook.dll is missing.
3. Low-medium: Local API /health returns hardcoded version 1.0
Classification: Low-medium / stale diagnostics
Program.cs maps /health to return version = "1.0".
Impact: diagnostics and support tools can show stale API version information even when project/assembly metadata changes.
Expected fix: read from assembly metadata, e.g.:
typeof(Program).Assembly.GetName().Version?.ToString(3)
4. Medium-high: Browse API executable naming is inconsistent with LocalApi project output
Classification: Medium-high / startup failure risk
BrowseApiServiceManager searches for LSPDFRManager.Api.exe, but the project is LSPDFRManager.LocalApi and the project file does not set <AssemblyName>LSPDFRManager.Api</AssemblyName>.
Impact: API auto-start can fail to locate the executable even when LocalApi is built correctly.
Expected fix: either:
- update startup discovery to look for
LSPDFRManager.LocalApi.exe, or
- intentionally set
<AssemblyName>LSPDFRManager.Api</AssemblyName> in LSPDFRManager.LocalApi.csproj.
5. Medium: Browse API base URL validation allows arbitrary absolute URLs
Classification: Medium / local proxy hardening
ConfigEndpoints.PutConfig validates BrowseApiBaseUrl only as an absolute URL. BrowseEndpoints later proxies search requests to that configured URL.
Impact: a local client can configure the app to proxy Browse API calls to arbitrary hosts. This is usually local-only, but it is unnecessary attack surface for a localhost manager API.
Expected fix: restrict BrowseApiBaseUrl to loopback HTTP origins, such as http://localhost:<port> or http://127.0.0.1:<port>.
6. Low-medium: BackupService records LastBackupDate using local time
Classification: Low-medium / scheduling drift
BackupService.CreateBackupAsync sets config.LastBackupDate = DateTime.Now, while scheduler logic elsewhere compares against UTC.
Impact: scheduled backup behavior can drift or appear inconsistent across time zones / DST transitions.
Expected fix: store UTC consistently, e.g. DateTime.UtcNow, and treat the config field as UTC.
Acceptance criteria
Related issues
Summary
Follow-up audit found additional non-critical bugs that should be tracked separately from the severe Backup API blockers in #65 and the main API/profile/library/export set in #64.
Each finding below includes a severity classification.
Findings
1. Medium: Backup list API exposes absolute backup file paths
Classification: Medium / privacy leak
GET /api/v1/backupsreturnsBackupFileDtowithFilePath: info.FullName.Impact: Local API clients receive full absolute backup paths, exposing the user's filesystem layout. This is inconsistent with support-bundle sanitization work elsewhere.
Expected fix: return only
FileName, size, and timestamps from the list endpoint. Resolve the absolute path server-side during restore/delete.2. Low-medium: Patrol readiness RPH message is misleading for incomplete RPH installs
Classification: Low-medium / diagnostic accuracy
RPH presence is now determined by complete install state, but
/api/v1/patrol-readinessreports only:If
RAGEPluginHook.exeexists butRagePluginHook.dllis missing, the message points users to the wrong missing file.Expected fix: change the blocking message to something like:
3. Low-medium: Local API
/healthreturns hardcoded version1.0Classification: Low-medium / stale diagnostics
Program.csmaps/healthto returnversion = "1.0".Impact: diagnostics and support tools can show stale API version information even when project/assembly metadata changes.
Expected fix: read from assembly metadata, e.g.:
4. Medium-high: Browse API executable naming is inconsistent with LocalApi project output
Classification: Medium-high / startup failure risk
BrowseApiServiceManagersearches forLSPDFRManager.Api.exe, but the project isLSPDFRManager.LocalApiand the project file does not set<AssemblyName>LSPDFRManager.Api</AssemblyName>.Impact: API auto-start can fail to locate the executable even when LocalApi is built correctly.
Expected fix: either:
LSPDFRManager.LocalApi.exe, or<AssemblyName>LSPDFRManager.Api</AssemblyName>inLSPDFRManager.LocalApi.csproj.5. Medium: Browse API base URL validation allows arbitrary absolute URLs
Classification: Medium / local proxy hardening
ConfigEndpoints.PutConfigvalidatesBrowseApiBaseUrlonly as an absolute URL.BrowseEndpointslater proxies search requests to that configured URL.Impact: a local client can configure the app to proxy Browse API calls to arbitrary hosts. This is usually local-only, but it is unnecessary attack surface for a localhost manager API.
Expected fix: restrict
BrowseApiBaseUrlto loopback HTTP origins, such ashttp://localhost:<port>orhttp://127.0.0.1:<port>.6. Low-medium: BackupService records
LastBackupDateusing local timeClassification: Low-medium / scheduling drift
BackupService.CreateBackupAsyncsetsconfig.LastBackupDate = DateTime.Now, while scheduler logic elsewhere compares against UTC.Impact: scheduled backup behavior can drift or appear inconsistent across time zones / DST transitions.
Expected fix: store UTC consistently, e.g.
DateTime.UtcNow, and treat the config field as UTC.Acceptance criteria
/healthreports assembly/project version rather than hardcoded1.0.Related issues