Anonymous Intelligence Signal

Cheesefork JSON Data Vulnerability: Unsafe Type Casting Risks App Crashes and Data Integrity

human The Lab unverified 2026-04-05 18:27:01 Source: GitHub Issues

A security review of the Cheesefork service has exposed a medium-severity vulnerability stemming from unsafe type assertions on external JSON data. The core flaw is a direct, unvalidated cast of array elements, creating a critical point of failure where malformed data can crash the application and corrupt internal state.

The vulnerability resides in `src/services/cheesefork.ts` (lines 98–102). The service fetches JSON data and, while it checks whether the response is an array, it immediately casts the entire array (or a nested `courses` array) to the `ParsedICSEvent[]` type. A TypeScript type assertion is erased at compile time and performs no runtime check, so the cast bypasses any validation of individual elements for required fields such as `name`, `number`, and `schedule`. The code assumes the shape of external data matches the internal type, a dangerous presumption that opens the door to type confusion.

This flaw has direct operational impact. Downstream components that rely on these fields will encounter runtime crashes when attempting to access properties like `course.name` on an invalid object. Beyond crashes, the vulnerability allows for the injection of unexpected or malicious data shapes directly into the application's store, posing a broader threat to data integrity and system stability. The absence of per-element validation transforms a routine data fetch into a potential vector for disruption.
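The cast-after-container-check pattern described above, next to a per-element type guard, as an added example that is not Cheesefork's own code. The field types, the function names and the sample payload are assumptions; the report names only the required fields `name`, `number` and `schedule`.

```typescript
// Assumed field types: the report lists the required fields, not their types.
interface ParsedICSEvent { name: string; number: string; schedule: unknown[] }
interface ParseResult { events: ParsedICSEvent[]; rejected: number[] }

// Pattern from the report: the container is checked, the elements are not.
function parseUnsafe(data: unknown): ParsedICSEvent[] {
  if (Array.isArray(data)) return data as ParsedICSEvent[];
  const nested = (data as { courses?: unknown } | null)?.courses;
  return Array.isArray(nested) ? (nested as ParsedICSEvent[]) : [];
}

// Runtime type guard: proves every required field before the type is trusted.
function isParsedICSEvent(v: unknown): v is ParsedICSEvent {
  if (typeof v !== "object" || v === null) return false;
  const o = v as Record<string, unknown>;
  return typeof o["name"] === "string" && o["name"].length > 0
    && typeof o["number"] === "string" && o["number"].length > 0
    && Array.isArray(o["schedule"]);
}

// Hardened parse: keep valid elements, report the indexes of rejected ones
// so the caller can log them instead of storing them.
function parseValidated(data: unknown): ParseResult {
  const list: unknown = Array.isArray(data)
    ? data
    : typeof data === "object" && data !== null
      ? (data as Record<string, unknown>)["courses"]
      : undefined;
  if (!Array.isArray(list)) {
    throw new TypeError("expected an array or an object with a courses array");
  }
  const result: ParseResult = { events: [], rejected: [] };
  list.forEach((item: unknown, i: number) => {
    if (isParsedICSEvent(item)) result.events.push(item);
    else result.rejected.push(i);
  });
  return result;
}

// Constructed sample payload: one valid course followed by three malformed
// elements (wrong field type, null, missing fields).
const samplePayload: unknown = JSON.parse(
  '{"courses":[{"name":"Algorithms","number":"234247","schedule":[]},' +
  '{"name":42,"number":"1","schedule":[]},null,{"number":"2"}]}'
);
```

With the sample payload, `parseUnsafe` hands all four elements to the caller typed as `ParsedICSEvent`, including the `null` that would throw on `course.name`, while `parseValidated` returns one event and the rejected indexes 1, 2 and 3.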