refactor(security): address code review feedback on extension validation

Author: bobtista

Core/GameEngine/Include/Common/FileSystem.h

@@ -161,7 +161,6 @@ class FileSystem : public SubsystemInterface
 
 	static AsciiString normalizePath(const AsciiString& path);	///< normalizes a file path. The path can refer to a directory. File path must be absolute, but does not need to exist. Returns an empty string on failure.
 	static Bool isPathInDirectory(const AsciiString& testPath, const AsciiString& basePath);	///< determines if a file path is within a base path. Both paths must be absolute, but do not need to exist.
-	static Bool hasValidTransferFileExtension(const AsciiString& filePath);	///< validates that a file path has an approved extension for map transfer operations. Returns true if extension is whitelisted (.map, .ini, .str, .wak, .tga, .txt), false otherwise. TheSuperHackers @security bobtista 06/11/2025
 
 protected:
 #if ENABLE_FILESYSTEM_EXISTENCE_CACHE

Core/GameEngine/Source/Common/System/FileSystem.cpp

@@ -457,47 +457,3 @@ Bool FileSystem::isPathInDirectory(const AsciiString& testPath, const AsciiStrin
 
 	return true;
 }
-
-//============================================================================
-// FileSystem::hasValidTransferFileExtension
-//============================================================================
-// TheSuperHackers @security bobtista 06/11/2025
-// Validates file extensions for map transfer operations to prevent arbitrary
-// file types from being transferred over the network or loaded from save games.
-// This is a security measure to mitigate arbitrary file write vulnerabilities.
-//============================================================================
-Bool FileSystem::hasValidTransferFileExtension(const AsciiString& filePath)
-{
-	static const char* validExtensions[] = {
-		".map",
-		".ini",
-		".str",
-		".wak",
-		".tga",
-		".txt"
-	};
-	static const Int numValidExtensions = sizeof(validExtensions) / sizeof(validExtensions[0]);
-
-	const char* lastDot = strrchr(filePath.str(), '.');
-
-	if (lastDot == NULL || lastDot[1] == '\0')
-	{
-		DEBUG_LOG(("File path '%s' has no extension.", filePath.str()));
-		return false;
-	}
-
-	for (Int i = 0; i < numValidExtensions; ++i)
-	{
-#ifdef _WIN32
-		if (_stricmp(lastDot, validExtensions[i]) == 0)
-#else
-		if (strcasecmp(lastDot, validExtensions[i]) == 0)
-#endif
-		{
-			return true;
-		}
-	}
-
-	DEBUG_LOG(("File path '%s' has invalid extension '%s' for transfer operations.", filePath.str(), lastDot));
-	return false;
-}

Generals/Code/GameEngine/Source/Common/System/SaveGame/GameState.cpp

@@ -933,13 +933,6 @@ AsciiString GameState::portableMapPathToRealMapPath(const AsciiString& in) const
 		return AsciiString::TheEmptyString;
 	}
 
-	// TheSuperHackers @security bobtista 06/11/2025 Validate file extension to prevent arbitrary file types
-	if (!FileSystem::hasValidTransferFileExtension(prefix))
-	{
-		DEBUG_LOG(("File path '%s' has invalid extension for map transfer operations.", prefix.str()));
-		return AsciiString::TheEmptyString;
-	}
-
 	prefix.toLower();
 	return prefix;
 }

Generals/Code/GameEngine/Source/GameNetwork/ConnectionManager.cpp

@@ -53,6 +53,45 @@
 #include "GameClient/DisconnectMenu.h"
 #include "GameClient/InGameUI.h"
 
+//============================================================================
+// hasValidTransferFileExtension
+//============================================================================
+// TheSuperHackers @security bobtista 06/11/2025
+// Validates file extensions for map transfer operations to prevent arbitrary
+// file types from being transferred over the network or loaded from save games.
+//============================================================================
+static Bool hasValidTransferFileExtension(const AsciiString& filePath)
+{
+	static const char* const validExtensions[] = {
+		"map",
+		"ini",
+		"str",
+		"wak",
+		"tga",
+		"txt"
+	};
+
+	const char* fileExt = strrchr(filePath.str(), '.');
+
+	if (fileExt == NULL || fileExt[1] == '\0')
+	{
+		DEBUG_LOG(("File path '%s' has no extension.", filePath.str()));
+		return false;
+	}
+
+	fileExt++;
+
+	for (Int i = 0; i < ARRAY_SIZE(validExtensions); ++i)
+	{
+		if (stricmp(fileExt, validExtensions[i]) == 0)
+		{
+			return true;
+		}
+	}
+
+	DEBUG_LOG(("File path '%s' has invalid extension '%s' for transfer operations.", filePath.str(), fileExt));
+	return false;
+}
 
 /**
  * Le destructor.
@@ -661,12 +700,17 @@ void ConnectionManager::processFile(NetFileCommandMsg *msg)
 		// TheSuperHackers @security slurmlord 18/06/2025 As the file name/path from the NetFileCommandMsg failed to normalize,
 		// in other words is bogus and points outside of the approved target directory, avoid an arbitrary file overwrite vulnerability
 		// by simply returning and let the transfer time out.
-		// TheSuperHackers @security bobtista 06/11/2025 This check also rejects files with invalid extensions (not in whitelist),
-		// as portableMapPathToRealMapPath() performs extension validation and returns empty string on failure.
 		DEBUG_LOG(("Got a file name transferred that failed to normalize: '%s'!", msg->getPortableFilename().str()));
 		return;
 	}
 
+	// TheSuperHackers @security bobtista 06/11/2025 Validate file extension to prevent arbitrary file types
+	if (!hasValidTransferFileExtension(realFileName))
+	{
+		DEBUG_LOG(("File '%s' has invalid extension for transfer operations.", realFileName.str()));
+		return;
+	}
+
 	if (TheFileSystem->doesFileExist(realFileName.str()))
 	{
 		DEBUG_LOG(("File exists already!"));

Generals/Code/GameEngine/Source/GameNetwork/GameInfo.cpp

@@ -1094,8 +1094,6 @@ Bool ParseAsciiStringToGameInfo(GameInfo *game, AsciiString options)
 				// TheSuperHackers @security slurmlord 18/06/2025 As the map file name/path from the AsciiString failed to normalize,
 				// in other words is bogus and points outside of the approved target directory for maps, avoid an arbitrary file overwrite vulnerability
 				// if the save or network game embeds a custom map to store at the location, by flagging the options as not OK and rejecting the game.
-				// TheSuperHackers @security bobtista 06/11/2025 This check also rejects map names with invalid extensions,
-				// as portableMapPathToRealMapPath() performs extension validation and returns empty string on failure.
 				optionsOk = FALSE;
 				DEBUG_LOG(("ParseAsciiStringToGameInfo - saw bogus map name ('%s'); quitting", mapName.str()));
 				break;

GeneralsMD/Code/GameEngine/Source/Common/System/SaveGame/GameState.cpp

@@ -933,13 +933,6 @@ AsciiString GameState::portableMapPathToRealMapPath(const AsciiString& in) const
 		return AsciiString::TheEmptyString;
 	}
 
-	// TheSuperHackers @security bobtista 06/11/2025 Validate file extension to prevent arbitrary file types
-	if (!FileSystem::hasValidTransferFileExtension(prefix))
-	{
-		DEBUG_LOG(("File path '%s' has invalid extension for map transfer operations.", prefix.str()));
-		return AsciiString::TheEmptyString;
-	}
-
 	prefix.toLower();
 	return prefix;
 }

GeneralsMD/Code/GameEngine/Source/GameNetwork/ConnectionManager.cpp

@@ -53,6 +53,45 @@
 #include "GameClient/DisconnectMenu.h"
 #include "GameClient/InGameUI.h"
 
+//============================================================================
+// hasValidTransferFileExtension
+//============================================================================
+// TheSuperHackers @security bobtista 06/11/2025
+// Validates file extensions for map transfer operations to prevent arbitrary
+// file types from being transferred over the network or loaded from save games.
+//============================================================================
+static Bool hasValidTransferFileExtension(const AsciiString& filePath)
+{
+	static const char* const validExtensions[] = {
+		"map",
+		"ini",
+		"str",
+		"wak",
+		"tga",
+		"txt"
+	};
+
+	const char* fileExt = strrchr(filePath.str(), '.');
+
+	if (fileExt == NULL || fileExt[1] == '\0')
+	{
+		DEBUG_LOG(("File path '%s' has no extension.", filePath.str()));
+		return false;
+	}
+
+	fileExt++;
+
+	for (Int i = 0; i < ARRAY_SIZE(validExtensions); ++i)
+	{
+		if (stricmp(fileExt, validExtensions[i]) == 0)
+		{
+			return true;
+		}
+	}
+
+	DEBUG_LOG(("File path '%s' has invalid extension '%s' for transfer operations.", filePath.str(), fileExt));
+	return false;
+}
 
 /**
  * Le destructor.
@@ -661,12 +700,17 @@ void ConnectionManager::processFile(NetFileCommandMsg *msg)
 		// TheSuperHackers @security slurmlord 18/06/2025 As the file name/path from the NetFileCommandMsg failed to normalize,
 		// in other words is bogus and points outside of the approved target directory, avoid an arbitrary file overwrite vulnerability
 		// by simply returning and let the transfer time out.
-		// TheSuperHackers @security bobtista 06/11/2025 This check also rejects files with invalid extensions (not in whitelist),
-		// as portableMapPathToRealMapPath() performs extension validation and returns empty string on failure.
 		DEBUG_LOG(("Got a file name transferred that failed to normalize: '%s'!", msg->getPortableFilename().str()));
 		return;
 	}
 
+	// TheSuperHackers @security bobtista 06/11/2025 Validate file extension to prevent arbitrary file types
+	if (!hasValidTransferFileExtension(realFileName))
+	{
+		DEBUG_LOG(("File '%s' has invalid extension for transfer operations.", realFileName.str()));
+		return;
+	}
+
 	if (TheFileSystem->doesFileExist(realFileName.str()))
 	{
 		DEBUG_LOG(("File exists already!"));

GeneralsMD/Code/GameEngine/Source/GameNetwork/GameInfo.cpp

@@ -1094,8 +1094,6 @@ Bool ParseAsciiStringToGameInfo(GameInfo *game, AsciiString options)
 				// TheSuperHackers @security slurmlord 18/06/2025 As the map file name/path from the AsciiString failed to normalize,
 				// in other words is bogus and points outside of the approved target directory for maps, avoid an arbitrary file overwrite vulnerability
 				// if the save or network game embeds a custom map to store at the location, by flagging the options as not OK and rejecting the game.
-				// TheSuperHackers @security bobtista 06/11/2025 This check also rejects map names with invalid extensions,
-				// as portableMapPathToRealMapPath() performs extension validation and returns empty string on failure.
 				optionsOk = FALSE;
 				DEBUG_LOG(("ParseAsciiStringToGameInfo - saw bogus map name ('%s'); quitting", mapName.str()));
 				break;