security: path traversal rejection, packet length validation; code quality

Security: - Asset loader rejects paths containing ".." sequences (path traversal) - Chat message parser validates length against remaining packet bytes before resize(), preventing memory exhaustion from malformed packets Code quality: - Extract 11 named geoset constants (kGeosetBareForearms, kGeosetWithCape, etc.) replacing ~40 magic number sites across 4 code paths - Add build-debug/ and .claude/ to .gitignore - Remove .claude/scheduled_tasks.lock from tracking
2026-05-03 08:03:50 +00:00 · 2026-03-27 18:42:48 -07:00 · 2026-03-27 18:42:48 -07:00 · e2383725f0
commit e2383725f0
parent e61b23626a
5 changed files with 87 additions and 59 deletions
--- a/src/pipeline/asset_manager.cpp
+++ b/src/pipeline/asset_manager.cpp
@ -604,6 +604,15 @@ std::string AssetManager::normalizePath(const std::string& path) const {
    std::replace(normalized.begin(), normalized.end(), '/', '\\');
    std::transform(normalized.begin(), normalized.end(), normalized.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
+
+    // Reject path traversal sequences
+    if (normalized.find("..\\") != std::string::npos ||
+        normalized.find("../") != std::string::npos ||
+        normalized == "..") {
+        LOG_WARNING("Path traversal rejected: ", path);
+        return {};
+    }
+
    return normalized;
 }