security: path traversal rejection, packet length validation; code quality

Security:
- Asset loader rejects paths containing ".." sequences (path traversal)
- Chat message parser validates length against remaining packet bytes
  before resize(), preventing memory exhaustion from malformed packets

Code quality:
- Extract 11 named geoset constants (kGeosetBareForearms, kGeosetWithCape,
  etc.) replacing ~40 magic number sites across 4 code paths
- Add build-debug/ and .claude/ to .gitignore
- Remove .claude/scheduled_tasks.lock from tracking
Kelsi 2026-03-27 18:42:48 -07:00
parent e61b23626a
commit e2383725f0
5 changed files with 87 additions and 59 deletions


@ -1517,6 +1517,7 @@ bool MessageChatParser::parse(network::Packet& packet, MessageChatData& data) {
case ChatType::RAID_BOSS_WHISPER: {
// Read sender name (SizedCString: uint32 len including null + chars)
uint32_t nameLen = packet.readUInt32();
if (nameLen > packet.getRemainingSize()) return false;
if (nameLen > 0 && nameLen < 256) {
data.senderName.resize(nameLen);
for (uint32_t i = 0; i < nameLen; ++i) {
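Review bot: A `nameLen` of 256 or more that still fits in the packet passes the new `getRemainingSize()` check and then skips the `if (nameLen > 0 && nameLen < 256)` branch; unless an else branch outside this hunk consumes or rejects those bytes, the fields that follow would be parsed from the middle of the name. Folding both bounds into one rejection keeps the reader in sync: `if (nameLen >= 256 || nameLen > packet.getRemainingSize()) return false;`. The same shape appears at the `messageLen` check in the second hunk, where the limit is 8192. The `resize()` calls were already capped by the existing `< 256` and `< 8192` conditions, so what the added line prevents is reading past the end of a truncated packet; a comment such as `// reject lengths that exceed the bytes actually present` would say so. The body of `parse` starts and ends outside this hunk.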
@ -1597,6 +1598,7 @@ bool MessageChatParser::parse(network::Packet& packet, MessageChatData& data) {
// Read message length
uint32_t messageLen = packet.readUInt32();
if (messageLen > packet.getRemainingSize()) return false;
// Read message
if (messageLen > 0 && messageLen < 8192) {