Tollab App Exposed: Unvalidated localStorage Parsing Risks App Crashes & Data Injection
A critical security flaw in the Tollab application's state management system exposes users to potential app crashes and data injection. The vulnerability resides in the `loadProfileIntoAppStore()` function within `src/services/store-persistence.ts`. This function retrieves per-profile UI state from the browser's localStorage and directly type-asserts the parsed JSON data without performing any runtime validation. If the stored data is corrupted—whether through browser extension interference, manual tampering, or a faulty import—the application blindly trusts the malformed structure, passing it directly to the `loadData()` function.
The core issue is on lines 142–147, where the code executes `uiState = JSON.parse(raw) as typeof uiState;`. This assumes the parsed object perfectly matches the expected shape, containing optional keys like `currentSemesterId`, `recordingSortOrders`, and `homeworkSortOrders`. Should the stored data be invalid—for instance, if `recordingSortOrders` is a string instead of the expected nested record—the application will encounter a runtime crash when the store logic attempts to iterate over these corrupted sort orders. This flaw is classified as a MEDIUM severity vulnerability due to its direct impact on application stability.
The immediate impact is an app crash upon loading a profile with corrupted localStorage. More insidiously, the lack of a validation layer creates a potential vector for injecting unexpected data types directly into the application's core store. This could be exploited to destabilize the user interface or serve as a stepping stone for more complex attacks, depending on how the corrupted data is later utilized by other parts of the codebase. The vulnerability underscores a common but dangerous pattern of trusting client-side storage without adequate safeguards.
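The validation layer the write-up calls for, as an added example that is not Tollab's code: the bare assertion passes any JSON value through unchanged, while the hardened loader checks each key at runtime and drops what does not match. The `UiState` shape, and `"asc" | "desc"` as the sort-order leaf type, are assumptions drawn from the keys named above.

```typescript
// Added example, not Tollab's code. UiState is an assumed shape drawn from the
// keys the write-up names; "asc" | "desc" is a guess at the sort-order leaf.
type SortOrders = Record<string, Record<string, "asc" | "desc">>;
interface UiState {
  currentSemesterId?: string;
  recordingSortOrders?: SortOrders;
  homeworkSortOrders?: SortOrders;
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Accept only a record of records whose leaves are "asc" or "desc".
function isSortOrders(v: unknown): v is SortOrders {
  if (!isPlainObject(v)) return false;
  return Object.values(v).every(
    (inner) => isPlainObject(inner) &&
      Object.values(inner).every((o) => o === "asc" || o === "desc"),
  );
}

// The write-up's pattern: a compile-time assertion that checks nothing at runtime.
function loadUnchecked(raw: string): UiState {
  return JSON.parse(raw) as UiState;
}

// Hardened loader: unparseable or non-object input yields an empty state, and
// each key is validated on its own so one corrupted key does not discard the rest.
function loadValidated(raw: string | null): UiState {
  if (raw === null) return {};
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return {};
  }
  if (!isPlainObject(parsed)) return {};
  const out: UiState = {};
  const sem = parsed.currentSemesterId;
  if (typeof sem === "string") out.currentSemesterId = sem;
  const rec = parsed.recordingSortOrders;
  if (isSortOrders(rec)) out.recordingSortOrders = rec;
  const hw = parsed.homeworkSortOrders;
  if (isSortOrders(hw)) out.homeworkSortOrders = hw;
  return out;
}
// Constructed corrupted payload: recordingSortOrders is a string, as in the write-up.
const CORRUPTED = '{"currentSemesterId":"sem-1","recordingSortOrders":"oops","homeworkSortOrders":{"sem-1":{"title":"asc"}}}';
```

Rejected keys are left `undefined` so the store's own defaults apply, which keeps a single corrupted key from wiping a user's other settings.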