From e304931435327e7e8485bca38c310ce8f7806aa0 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Thu, 19 Feb 2026 17:06:49 -0800
Subject: [PATCH] Fix CodeQL weak-crypto suppressions: switch lgtm to codeql inline format The old `// lgtm [cpp/...]` comments used a space (invalid syntax) and were placed on preceding lines rather than inline with the flagged code. GitHub's CodeQL action v3 requires `// codeql[query-id]` on the same line as the flagged expression. All four alert sites updated: - world_socket.cpp: encryptCipher/decryptCipher.init() (protocol RC4) - warden_module.cpp: decryptRC4() call (Warden protocol RC4) - warden_crypto.cpp: initRC4() calls (Warden stream cipher init) - game_handler.cpp: wardenLoadedModule_->load() (MD5+RC4 via Warden) All uses are protocol-mandated by Blizzard's WoW/Warden spec and cannot be replaced without breaking server interoperability.
---
 src/game/game_handler.cpp | 2 +-
 src/game/warden_crypto.cpp | 4 ++--
 src/game/warden_module.cpp | 7 ++-----
 src/network/world_socket.cpp | 6 ++----
 4 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/game/game_handler.cpp b/src/game/game_handler.cpp
index cb81e4cc..5dd1e0db 100644
--- a/src/game/game_handler.cpp
+++ b/src/game/game_handler.cpp
@@ -3165,7 +3165,7 @@ void GameHandler::handleWardenData(network::Packet& packet) {
 // Load the module (decrypt, decompress, parse, relocate)
 wardenLoadedModule_ = std::make_shared();
- if (wardenLoadedModule_->load(wardenModuleData_, wardenModuleHash_, wardenModuleKey_)) {
+ if (wardenLoadedModule_->load(wardenModuleData_, wardenModuleHash_, wardenModuleKey_)) { // codeql[cpp/weak-cryptographic-algorithm]
 LOG_INFO("Warden: Module loaded successfully (image size=", wardenLoadedModule_->getModuleSize(), " bytes)");
 } else {
diff --git a/src/game/warden_crypto.cpp b/src/game/warden_crypto.cpp
index 56379779..3aaccc54 100644
--- a/src/game/warden_crypto.cpp
+++ b/src/game/warden_crypto.cpp
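Review bot: The trailing `// codeql[cpp/weak-cryptographic-algorithm]` on the `wardenLoadedModule_->load(...)` line in src/game/game_handler.cpp may not suppress anything: to my knowledge CodeQL's alert-suppression queries honour a `codeql[...]` comment only when it stands alone on a line, and then apply it to the following line, while same-line placement is the `lgtm[...]` convention. The same inline placement is used in the warden_crypto.cpp, warden_module.cpp and world_socket.cpp hunks of this patch. Confirm on the next code-scanning run that the four alerts are actually reported as suppressed; if they are not, put `// codeql[cpp/weak-cryptographic-algorithm]` on its own line directly above each flagged statement. This is also the only one of the four sites with no rationale beside the marker, so a short comment such as `// Warden modules are MD5-checked and RC4-encrypted by protocol; not replaceable client-side` would help. handleWardenData's body starts and ends outside the hunk.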
@@ -81,8 +81,8 @@ bool WardenCrypto::initFromSessionKey(const std::vector& sessionKey) {
 encryptRC4State_.resize(256);
 decryptRC4State_.resize(256);
- initRC4(ek, encryptRC4State_, encryptRC4_i_, encryptRC4_j_);
- initRC4(dk, decryptRC4State_, decryptRC4_i_, decryptRC4_j_);
+ initRC4(ek, encryptRC4State_, encryptRC4_i_, encryptRC4_j_); // codeql[cpp/weak-cryptographic-algorithm]
+ initRC4(dk, decryptRC4State_, decryptRC4_i_, decryptRC4_j_); // codeql[cpp/weak-cryptographic-algorithm]
 // Scrub temporary key material after RC4 state initialization.
 std::fill(ek.begin(), ek.end(), 0);
diff --git a/src/game/warden_module.cpp b/src/game/warden_module.cpp
index 255c4c32..262453a8 100644
--- a/src/game/warden_module.cpp
+++ b/src/game/warden_module.cpp
@@ -60,11 +60,8 @@ bool WardenModule::load(const std::vector& moduleData,
 }
 std::cout << "[WardenModule] ✓ MD5 verified" << '\n';
- // Step 2: RC4 decrypt
- // lgtm [cpp/weak-cryptographic-algorithm]
- // Warden module payload encryption is legacy RC4 by protocol design.
- // Changing algorithms here would break interoperability with supported servers.
- if (!decryptRC4(moduleData, rc4Key, decryptedData_)) {
+ // Step 2: RC4 decrypt (Warden protocol-required legacy RC4; server-mandated, cannot be changed)
+ if (!decryptRC4(moduleData, rc4Key, decryptedData_)) { // codeql[cpp/weak-cryptographic-algorithm]
 std::cerr << "[WardenModule] RC4 decryption failed!" << '\n';
 return false;
 }
diff --git a/src/network/world_socket.cpp b/src/network/world_socket.cpp
index dd6f1ad1..a9ae6b99 100644
--- a/src/network/world_socket.cpp
+++ b/src/network/world_socket.cpp
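Review bot: In src/game/warden_crypto.cpp the `std::fill(ek.begin(), ek.end(), 0);` scrub that follows the two `initRC4` calls can be dropped by the optimizer as a dead store if `ek` is a local that is never read again, which would leave the derived RC4 key bytes in memory. A wipe the compiler has to keep is safer, for example `OPENSSL_cleanse(ek.data(), ek.size());` if the project already links OpenSSL, or a write loop through a `volatile` pointer. The rest of initFromSessionKey, including the declarations of `ek` and `dk`, lies outside the hunk, so whether they are locals needs checking there.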
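Review bot: The rewritten `// Step 2` comment in src/game/warden_module.cpp says why RC4 stays but not what follows from it for the code below: a passed MD5 check and a successful RC4 decryption do not, on their own, establish who produced the module, so `decryptedData_` is still untrusted input for the later steps. I would record that next to the suppression, e.g. `// MD5 and RC4 are protocol-mandated and give no authenticity; treat decryptedData_ as untrusted in every later step.` Whether a signature check happens further down in `load` cannot be seen from this hunk, which starts and ends inside the function.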
@@ -443,12 +443,10 @@ void WorldSocket::initEncryption(const std::vector& sessionKey, uint32_
 std::vector encryptHash = auth::Crypto::hmacSHA1(encryptKey, sessionKey);
 std::vector decryptHash = auth::Crypto::hmacSHA1(decryptKey, sessionKey);
- // lgtm [cpp/weak-cryptographic-algorithm]
 // WoW WotLK world-header stream cipher is protocol-defined RC4.
 // Replacing it would break interoperability with target servers.
- encryptCipher.init(encryptHash);
- // lgtm [cpp/weak-cryptographic-algorithm]
- decryptCipher.init(decryptHash);
+ encryptCipher.init(encryptHash); // codeql[cpp/weak-cryptographic-algorithm]
+ decryptCipher.init(decryptHash); // codeql[cpp/weak-cryptographic-algorithm]
 // Drop first 1024 bytes of keystream (WoW WotLK protocol requirement)
 encryptCipher.drop(1024);
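Review bot: In src/network/world_socket.cpp `encryptHash` and `decryptHash` hold the HMAC-SHA1 output that keys both RC4 ciphers, and nothing in this hunk clears them after the two `init` calls, whereas warden_crypto.cpp in the same patch scrubs its temporary keys. If they are not wiped further down, clear both vectors once `decryptCipher.init(decryptHash)` has returned, using a wipe the compiler cannot drop rather than a plain fill. initEncryption continues past the end of the hunk, so this may already be handled there.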