From 05c77a3f70ec1785bf8ee99b6aa5469dc19fa9f3 Mon Sep 17 00:00:00 2001
From: leaKsi <59278564+leaKsi@users.noreply.github.com>
Date: Sat, 15 Feb 2025 09:42:08 +0000
Subject: [PATCH] A bunch of sanitization fixes (#89477)

## About The Pull Request
- Adds sanitization to windoor names and circuit shells.
- Fixes a (mostly useless) href exploit with wizard's contracts.
## Why It's Good For The Game
Sanitizing input is probably good.
## Changelog
:cl:
fix: Fixed a few sanitization issues.
/:cl:
---
 code/__DEFINES/antagonists.dm | 8 ++++++++
 code/datums/components/shell.dm | 2 +-
 code/game/machinery/announcement_system.dm | 8 ++++----
 code/game/machinery/medical_kiosk.dm | 2 +-
 code/game/objects/structures/windoor_assembly.dm | 2 +-
 code/modules/antagonists/_common/antag_spawner.dm | 13 ++++++++++---
 code/modules/wiremod/core/integrated_circuit.dm | 2 +-
 7 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/code/__DEFINES/antagonists.dm b/code/__DEFINES/antagonists.dm
index 1b8d7adf32d..6665aada05e 100644
--- a/code/__DEFINES/antagonists.dm
+++ b/code/__DEFINES/antagonists.dm
@@ -24,11 +24,19 @@
 #define FUGITIVE_RESULT_FUGITIVE_VICTORY 7
 #define FUGITIVE_RESULT_MAJOR_FUGITIVE 8
+// Wizard's contract school types
 #define APPRENTICE_DESTRUCTION "destruction"
 #define APPRENTICE_BLUESPACE "bluespace"
 #define APPRENTICE_ROBELESS "robeless"
 #define APPRENTICE_HEALING "healing"
+#define ALL_APPRENTICE_TYPES list( \
+ APPRENTICE_DESTRUCTION, \
+ APPRENTICE_BLUESPACE, \
+ APPRENTICE_ROBELESS, \
+ APPRENTICE_HEALING, \
+)
+
 //Pirates
 ///Minimum amount the pirates will demand
diff --git a/code/datums/components/shell.dm b/code/datums/components/shell.dm
index feb6e572bfd..44252c36575 100644
--- a/code/datums/components/shell.dm
+++ b/code/datums/components/shell.dm
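Review bot: `#define ALL_APPRENTICE_TYPES list( \` … `)` expands to a fresh `list()` expression at every use, so each allow-list check in antag_spawner.dm (`selected_school in ALL_APPRENTICE_TYPES`) builds and discards a list. A global initialised once, e.g. `GLOBAL_LIST_INIT(apprentice_school_types, list(APPRENTICE_DESTRUCTION, APPRENTICE_BLUESPACE, APPRENTICE_ROBELESS, APPRENTICE_HEALING))`, keeps the valid set next to the individual defines without the per-call allocation; the `GLOBAL_LIST_*` macros are already used elsewhere in this patch. A one-line comment above the macro saying it must be kept in sync with the four defines would also help, since nothing enforces that.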
@@ -319,7 +319,7 @@
 attached_circuit.add_component(to_add)
 RegisterSignal(circuitboard, COMSIG_CIRCUIT_ADD_COMPONENT_MANUALLY, PROC_REF(on_circuit_add_component_manually))
 if(attached_circuit.display_name != "")
- parent_atom.name = "[initial(parent_atom.name)] ([attached_circuit.display_name])"
+ parent_atom.name = "[initial(parent_atom.name)] ([strip_html(attached_circuit.display_name)])"
 attached_circuit.set_locked(FALSE)
 if((shell_flags & SHELL_FLAG_CIRCUIT_UNREMOVABLE) || circuitboard.admin_only)
diff --git a/code/game/machinery/announcement_system.dm b/code/game/machinery/announcement_system.dm
index eb66e140d98..f3de8a749ec 100644
--- a/code/game/machinery/announcement_system.dm
+++ b/code/game/machinery/announcement_system.dm
@@ -142,7 +142,7 @@ GLOBAL_LIST_EMPTY(announcement_systems)
 data["node_toggle"] = announce_research_node
 return data
-/obj/machinery/announcement_system/ui_act(action, param)
+/obj/machinery/announcement_system/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 . = ..()
 if(.)
 return
@@ -154,17 +154,17 @@ GLOBAL_LIST_EMPTY(announcement_systems)
 return
 switch(action)
 if("ArrivalText")
- var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+ var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 if(new_message)
 arrival = new_message
 usr.log_message("updated the arrivals announcement to: [new_message]", LOG_GAME)
 if("NewheadText")
- var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+ var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 if(new_message)
 newhead = new_message
 usr.log_message("updated the head announcement to: [new_message]", LOG_GAME)
 if("node_message")
- var/new_message = trim(html_encode(param["newText"]), MAX_MESSAGE_LEN)
+ var/new_message = trim(html_encode(params["newText"]), MAX_MESSAGE_LEN)
 if(new_message)
 node_message = new_message
 usr.log_message("updated the researched node announcement to: [node_message]", LOG_GAME)
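Review bot: The `strip_html()` added on the `parent_atom.name` line sanitizes at one sink only; `attached_circuit.display_name` itself is still stored raw (the integrated_circuit.dm hunk in this patch only truncates it with `copytext_char`), so every other reader of `display_name` that builds a name or UI string must remember to repeat the call. Cleaning the value once where it is set, `display_name = strip_html(copytext_char(new_name, 1, label_max_length))` in `set_display_name()`, would cover all consumers, including this one; if `strip_html` can lengthen its input, truncate after stripping rather than before. The enclosing proc begins before this hunk, so whether `display_name` is read again further down is not visible here.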
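Review bot: The new `ui_act` signature makes `ui` available, but the three `usr.log_message(...)` lines in the second hunk still attribute the edit to `usr`; the antag_spawner.dm hunk in this same patch switches to `ui.user` for the same reason, and tgui handlers should log the user that owns the interface rather than the ambient `usr`. Change each to `ui.user.log_message("updated the arrivals announcement to: [new_message]", LOG_GAME)` and likewise for the head and node messages. The body between the two hunks (the remaining permission checks before `switch(action)`) is outside this view.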
diff --git a/code/game/machinery/medical_kiosk.dm b/code/game/machinery/medical_kiosk.dm
index ed060593f66..4935749b459 100644
--- a/code/game/machinery/medical_kiosk.dm
+++ b/code/game/machinery/medical_kiosk.dm
@@ -375,7 +375,7 @@
 data["active_status_4"] = scan_active & KIOSK_SCANNING_REAGENTS // Reagents/hallucination Scan Check
 return data
-/obj/machinery/medical_kiosk/ui_act(action,active)
+/obj/machinery/medical_kiosk/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 . = ..()
 if(.)
 return
diff --git a/code/game/objects/structures/windoor_assembly.dm b/code/game/objects/structures/windoor_assembly.dm
index 93c8c6bd32e..9ea599be131 100644
--- a/code/game/objects/structures/windoor_assembly.dm
+++ b/code/game/objects/structures/windoor_assembly.dm
@@ -321,7 +321,7 @@
 if(created_name)
 windoor.name = created_name
 else if(electronics.passed_name)
- windoor.name = electronics.passed_name
+ windoor.name = sanitize(electronics.passed_name)
 if(electronics.one_access)
 windoor.req_one_access = electronics.accesses
 else
diff --git a/code/modules/antagonists/_common/antag_spawner.dm b/code/modules/antagonists/_common/antag_spawner.dm
index 741bdeeed7b..574e08f9753 100644
--- a/code/modules/antagonists/_common/antag_spawner.dm
+++ b/code/modules/antagonists/_common/antag_spawner.dm
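Review bot: Only the `electronics.passed_name` branch is sanitized; the sibling `if(created_name) windoor.name = created_name` two lines above still assigns unchanged, so unless `created_name` is already cleaned where it is set (not visible here) it is the same kind of sink and should become `windoor.name = sanitize(created_name)`. The patch also uses `sanitize()` here but `strip_html()` for the equivalent player-supplied name in shell.dm; the two helpers presumably differ in what they do to markup, so one of them should be the convention for atom names, or the value should be cleaned once at the point the player enters it. The enclosing proc starts and ends outside this hunk.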
@@ -47,10 +47,17 @@
 /obj/item/antag_spawner/contract/ui_act(action, list/params, datum/tgui/ui, datum/ui_state/state)
 . = ..()
- if(used || polling || !ishuman(usr))
+ if(.)
 return
- INVOKE_ASYNC(src, PROC_REF(poll_for_student), usr, params["school"])
- SStgui.close_uis(src)
+ switch(action)
+ if("buy")
+ if(used || polling || !ishuman(ui.user))
+ return
+ var/selected_school = params["school"]
+ if(!(selected_school in ALL_APPRENTICE_TYPES))
+ return
+ INVOKE_ASYNC(src, PROC_REF(poll_for_student), ui.user, params["school"])
+ SStgui.close_uis(src)
 /obj/item/antag_spawner/contract/proc/poll_for_student(mob/living/carbon/human/teacher, apprentice_school)
 balloon_alert(teacher, "contacting apprentice...")
diff --git a/code/modules/wiremod/core/integrated_circuit.dm b/code/modules/wiremod/core/integrated_circuit.dm
index a802e27d532..fea8374fe77 100644
--- a/code/modules/wiremod/core/integrated_circuit.dm
+++ b/code/modules/wiremod/core/integrated_circuit.dm
@@ -720,7 +720,7 @@ GLOBAL_LIST_EMPTY_TYPED(integrated_circuits, /obj/item/integrated_circuit)
 /// Sets the display name that appears on the shell.
 /obj/item/integrated_circuit/proc/set_display_name(new_name)
- display_name = copytext(new_name, 1, label_max_length)
+ display_name = copytext_char(new_name, 1, label_max_length)
 if(!shell)
 return
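Review bot: `INVOKE_ASYNC(src, PROC_REF(poll_for_student), ui.user, params["school"])` re-reads `params["school"]` after the allow-list check instead of passing the value that was validated; use the checked local so the guard and the use cannot drift apart: `INVOKE_ASYNC(src, PROC_REF(poll_for_student), ui.user, selected_school)`. The `selected_school in ALL_APPRENTICE_TYPES` guard is the substantive fix for the href issue in the description, since any client-supplied string previously reached `poll_for_student` unchecked, so a short comment above it saying why the value is restricted would keep a future edit from relaxing it. Whether `polling` is set synchronously before `INVOKE_ASYNC` yields (otherwise two quick "buy" actions could both pass the `used || polling` check) depends on `poll_for_student`, which continues past this hunk.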
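Review bot: `copytext_char(new_name, 1, label_max_length)` copies up to but excluding the end index, so the stored name holds at most `label_max_length - 1` characters; if `label_max_length` is meant to be the maximum length, the call should be `copytext_char(new_name, 1, label_max_length + 1)` (the old `copytext` call had the same off-by-one, so this is pre-existing rather than introduced here). The value is still stored unsanitized, with only the shell.dm naming line stripping HTML, and this proc continues past `if(!shell) return`; if it re-applies `display_name` to the shell's name there, that path is not covered by the shell.dm change. Storing `strip_html(copytext_char(new_name, 1, label_max_length + 1))` here would cover every consumer at once.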