@bobtista bobtista commented Nov 6, 2025

Adds whitelist-based validation of file extensions during map transfers and save game loading to prevent arbitrary file types from being written to disk.

@bobtista bobtista marked this pull request as ready for review November 7, 2025 05:33

@Skyaero42 Skyaero42 left a comment

So what happens if a file is blocked? Does the transfer freeze? Game mismatch?

bobtista commented Nov 9, 2025

> So what happens if a file is blocked? Does the transfer freeze? Game mismatch?

It gets ignored and logged - this is the same behavior as the existing path traversal protection.

  • hasValidTransferFileExtension() returns false
  • portableMapPathToRealMapPath() returns empty string
  • ConnectionManager::processFile() logs: "Got a file name transferred that failed to normalize"
  • The transfer is silently dropped and will eventually time out

Note: I have not confirmed this with testing yet; I don't have my testing PC with me.
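The reject-and-drop flow described in the comment above, as an added C++ sketch that is not part of the thread or the project's code. The function names, the allowlist contents, the simplified traversal check and the `Maps/` prefix are assumptions; only the log message text comes from the comment.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <string>

// Assumed allowlist: the thread does not say which extensions the project accepts.
static const std::array<const char*, 2> kAllowedExtensions = {".map", ".ini"};

// True only if the last path component ends in an allowlisted extension.
bool hasAllowedExtension(const std::string& path)
{
    // An embedded NUL truncates the name at the C file API; ':' selects an
    // NTFS alternate data stream. Either lets the checked suffix differ from
    // the file that is actually created, so reject both outright.
    if (path.find('\0') != std::string::npos || path.find(':') != std::string::npos)
        return false;
    const std::size_t slash = path.find_last_of("/\\");
    const std::string name = (slash == std::string::npos) ? path : path.substr(slash + 1);
    const std::size_t dot = name.rfind('.');
    if (dot == std::string::npos || dot == 0)
        return false; // no extension, or nothing before the dot
    std::string ext = name.substr(dot);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return std::any_of(kAllowedExtensions.begin(), kAllowedExtensions.end(),
                       [&ext](const char* allowed) { return ext == allowed; });
}

// Normalization step: an empty result means "reject", as in the comment above.
std::string toRealPath(const std::string& portablePath)
{
    if (portablePath.find("..") != std::string::npos) // simplified traversal check
        return std::string();
    if (!hasAllowedExtension(portablePath))
        return std::string();
    return "Maps/" + portablePath; // hypothetical destination directory
}

// Receiver: returns false (file dropped, reason logged) unless the path normalizes.
bool acceptTransferredFile(const std::string& portablePath, std::string& logLine)
{
    if (toRealPath(portablePath).empty()) {
        logLine = "Got a file name transferred that failed to normalize: " + portablePath;
        return false;
    }
    logLine.clear();
    return true;
}
```

Only the final extension of the last path component is compared, so a name such as `desert.map.exe` is rejected while `desert.MAP` is accepted.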

@bobtista bobtista force-pushed the bobtista/security-file-extension-content-validation branch 2 times, most recently from bf35aec to 7ec0ac6 Compare November 10, 2025 20:34

@xezon xezon left a comment

Looks good.

@xezon xezon added Minor (Severity: Minor < Major < Critical < Blocker), Gen (Relates to Generals), ZH (Relates to Zero Hour), Security (Is security related) labels Nov 11, 2025
@xezon xezon changed the title from "fix(security): add file extension validation for map transfer" to "tweak(network): Add file extension validation to network map transfer" Nov 11, 2025
xezon commented Nov 11, 2025

Needs rebase.

@bobtista bobtista force-pushed the bobtista/security-file-extension-content-validation branch from 18545a7 to 5648a6d Compare November 11, 2025 17:28
@xezon xezon merged commit 35b3f01 into TheSuperHackers:main Nov 11, 2025
17 checks passed
Development

Successfully merging this pull request may close these issues.

Map transfer system lacks file extension validation
