From ad31b40aea1c6901a85718648fa0e191da7c9f59 Mon Sep 17 00:00:00 2001
From: Avi Weinstock
Date: Tue, 9 Mar 2021 18:25:36 -0500
Subject: [PATCH] Validate starting item and body type server-side.

---
 server/src/character_creator.rs | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/server/src/character_creator.rs b/server/src/character_creator.rs
index 0d8fd31e51..9450bc9a8b 100644
--- a/server/src/character_creator.rs
+++ b/server/src/character_creator.rs
@@ -2,6 +2,15 @@ use crate::persistence::character_loader::CharacterLoader;
 use common::comp::{inventory::loadout_builder::LoadoutBuilder, Body, Inventory, Item, Stats};
 use specs::{Entity, ReadExpect};
 
+const VALID_STARTER_ITEMS: [&str; 6] = [
+    "common.items.weapons.hammer.starter_hammer",
+    "common.items.weapons.bow.starter",
+    "common.items.weapons.axe.starter_axe",
+    "common.items.weapons.staff.starter_staff",
+    "common.items.weapons.sword.starter",
+    "common.items.weapons.sceptre.starter_sceptre",
+];
+
 pub fn create_character(
     entity: Entity,
     player_uuid: String,
@@ -10,13 +19,23 @@ pub fn create_character(
     body: Body,
     character_loader: &ReadExpect<'_, CharacterLoader>,
 ) {
+    // quick fix whitelist validation for now; eventually replace the
+    // `Option` with an index into a server-provided list of starter
+    // items, and replace `comp::body::Body` with `comp::body::humanoid::Body`
+    // throughout the messages involved
+    let tool_id = match character_tool {
+        Some(tool_id) if VALID_STARTER_ITEMS.contains(&&*tool_id) => tool_id,
+        _ => return,
+    };
+    if !matches!(body, Body::Humanoid(_)) {
+        return;
+    }
+
     let stats = Stats::new(character_alias.to_string());
     let loadout = LoadoutBuilder::new()
         .defaults()
-        .active_item(Some(Item::new_from_asset_expect(
-            character_tool.as_deref().unwrap(),
-        )))
+        .active_item(Some(Item::new_from_asset_expect(&tool_id)))
         .build();
     let mut inventory = Inventory::new_with_loadout(loadout);
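Review bot: `VALID_STARTER_ITEMS` in the first hunk is a security-relevant allow-list but carries no doc comment explaining what it gates; a reader of the `const` alone cannot tell that `create_character` (second hunk) rejects any `character_tool` not in it. Suggested doc comment: `/// Asset ids a new character is allowed to start with; `create_character` silently rejects a `character_tool` that is not listed here.` The fixed-size type `[&str; 6]` also means the length must be edited by hand every time an entry is added or removed, which is an easy way to get a compile error or a stale list; `const VALID_STARTER_ITEMS: &[&str] = &[ ... ];` keeps the `.contains()` lookup unchanged and drops the count. The commit's own comment says this list is a stopgap until a server-provided index is used, so that intent belongs in the doc comment rather than only inside the function body.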