Fixing security hotspots + issues

MainProject/Models/Settings/EncryptionSettings.cs

@@ -3,7 +3,7 @@ namespace BasicDotnetTemplate.MainProject.Models.Settings;
 public class EncryptionSettings
 {
 #nullable enable
-    public string? Secret { get; set; }
+    public string? SaltKey { get; set; }
     public string? Salt { get; set; }
     public int? Iterations { get; set; }
 #nullable disable

MainProject/Services/UserService.cs

@@ -22,15 +22,12 @@ public interface IUserService
 public class UserService : BaseService, IUserService
 {
     private readonly NLog.Logger Logger = NLog.LogManager.GetCurrentClassLogger();
-    private readonly CryptUtils _cryptUtils;
     public UserService(
         IHttpContextAccessor httpContextAccessor,
         IConfiguration configuration,
         SqlServerContext sqlServerContext
     ) : base(httpContextAccessor, configuration, sqlServerContext)
-    {
-        this._cryptUtils = new(_appSettings);
-    }
+    { }
 
     private IQueryable<User> GetUsersQueryable()
     {

MainProject/Utils/CryptUtils.cs

@@ -6,7 +6,7 @@ using BasicDotnetTemplate.MainProject.Models.Settings;
 namespace BasicDotnetTemplate.MainProject.Utils;
 public class CryptUtils(AppSettings appSettings)
 {
-    private readonly string _secret = appSettings.EncryptionSettings?.Secret ?? String.Empty;
+    private readonly string _saltKey = appSettings.EncryptionSettings?.SaltKey ?? String.Empty;
     private const int _M = 16;
     private const int _N = 32;
 
@@ -14,7 +14,7 @@ public class CryptUtils(AppSettings appSettings)
     {
         var decrypted = String.Empty;
 
-        if (String.IsNullOrEmpty(this._secret) || this._secret.Length < _M)
+        if (String.IsNullOrEmpty(this._saltKey) || this._saltKey.Length < _M)
         {
             throw new ArgumentException("Unable to proceed with decryption due to invalid settings");
         }
@@ -28,7 +28,7 @@ public class CryptUtils(AppSettings appSettings)
 
             using (var aes = Aes.Create())
             {
-                aes.Key = Encoding.UTF8.GetBytes(this._secret);
+                aes.Key = Encoding.UTF8.GetBytes(this._saltKey);
                 aes.IV = Encoding.UTF8.GetBytes(iv);
 
                 using (var decryptor = aes.CreateDecryptor(aes.Key, aes.IV))

MainProject/Utils/PasswordUtils.cs

@@ -29,7 +29,11 @@ public partial class PasswordUtils
     [GeneratedRegex("[^a-zA-Z0-9]")]
     private static partial Regex RegexSpecial();
 
-    private static readonly Regex RegexIdenticalChars = new(@"(\S)\1{2,}", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+    private static readonly Regex RegexIdenticalChars = new(
+        @"(\S)\1{2,}", 
+        RegexOptions.IgnoreCase | RegexOptions.Compiled,
+        TimeSpan.FromMilliseconds(100)
+    );
 
     public static List<string> ValidatePassword(string password)
     {

MainProject/appsettings.json

@@ -35,7 +35,7 @@
             "ExpiredAfterMinsOfInactivity": 15
         },
         "EncryptionSettings": {
-            "Secret": "S7VIidfXQf1tOQYX",
+            "SaltKey": "S7VIidfXQf1tOQYX",
             "Salt": "",
             "Iterations": 10
         },