SEBWIN-972: Ensured that also the server API endpoint is correctly sanitized.

Author: dbuechel

SafeExamBrowser.Configuration/ConfigurationData/DataMapping/ServerDataMapper.cs

@@ -51,9 +51,9 @@ private void MapConfiguration(AppSettings settings, object value)
 		{
 			if (value is IDictionary<string, object> configuration)
 			{
-				if (configuration.TryGetValue(Keys.Server.ApiUrl, out var v) && v is string url)
+				if (configuration.TryGetValue(Keys.Server.ApiEndpoint, out var v) && v is string endpoint)
 				{
-					settings.Server.ApiUrl = url;
+					settings.Server.ApiEndpoint = endpoint;
 				}
 
 				if (configuration.TryGetValue(Keys.Server.ClientName, out v) && v is string name)

SafeExamBrowser.Configuration/ConfigurationData/Keys.cs

@@ -277,7 +277,7 @@ internal static class Security
 
 		internal static class Server
 		{
-			internal const string ApiUrl = "apiDiscovery";
+			internal const string ApiEndpoint = "apiDiscovery";
 			internal const string ClientName = "clientName";
 			internal const string ClientSecret = "clientSecret";
 			internal const string Configuration = "sebServerConfiguration";

SafeExamBrowser.Server/Requests/ApiRequest.cs

@@ -30,7 +30,7 @@ internal ApiRequest(
 
 		internal bool TryExecute(out Api api, out string message)
 		{
-			var success = TryExecute(HttpMethod.Get, settings.ApiUrl, out var response);
+			var success = TryExecute(HttpMethod.Get, settings.ApiEndpoint, out var response);
 
 			api = new Api();
 			message = response.ToLogString();

SafeExamBrowser.Server/Sanitizer.cs

@@ -14,11 +14,6 @@ namespace SafeExamBrowser.Server
 {
 	internal class Sanitizer
 	{
-		internal Uri Sanitize(string serverUrl)
-		{
-			return new Uri(serverUrl.EndsWith("/") ? serverUrl : $"{serverUrl}/");
-		}
-
 		internal void Sanitize(Api api)
 		{
 			foreach (var property in api.GetType().GetProperties(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic))
@@ -29,5 +24,15 @@ internal void Sanitize(Api api)
 				property.SetValue(api, sanitized);
 			}
 		}
+
+		internal Uri SanitizeBaseAddress(string serverUrl)
+		{
+			return new Uri(serverUrl.EndsWith("/") ? serverUrl : $"{serverUrl}/");
+		}
+
+		internal string SanitizeApiEndpoint(string apiEndpoint)
+		{
+			return apiEndpoint.TrimStart('/');
+		}
 	}
 }

SafeExamBrowser.Server/ServerProxy.cs

@@ -204,9 +204,10 @@ public ConnectionInfo GetConnectionInfo()
 		public void Initialize(ServerSettings settings)
 		{
 			this.settings = settings;
+			this.settings.ApiEndpoint = sanitizer.SanitizeApiEndpoint(settings.ApiEndpoint);
 
 			httpClient = new HttpClient();
-			httpClient.BaseAddress = sanitizer.Sanitize(settings.ServerUrl);
+			httpClient.BaseAddress = sanitizer.SanitizeBaseAddress(settings.ServerUrl);
 
 			if (settings.RequestTimeout > 0)
 			{

SafeExamBrowser.Settings/Server/ServerSettings.cs

@@ -17,9 +17,9 @@ namespace SafeExamBrowser.Settings.Server
 	public class ServerSettings
 	{
 		/// <summary>
-		/// The discovery URL for the API of the server.
+		/// The discovery endpoint for the API of the server.
 		/// </summary>
-		public string ApiUrl { get; set; }
+		public string ApiEndpoint { get; set; }
 
 		/// <summary>
 		/// The client name for initial authentication with the server.
@@ -77,7 +77,7 @@ public class ServerSettings
 		public int RequestTimeout { get; set; }
 
 		/// <summary>
-		/// The URL of the server.
+		/// The base address of the server.
 		/// </summary>
 		public string ServerUrl { get; set; }