added object id validation, see #22

an id may only contain a-z 0-9 _ and must start with a-z all chars must be lowercase
2023-01-25 23:25:13 +01:00 · 2023-01-25 23:25:13 +01:00 · 1d250f28f8
Commit 1d250f28f8
--- a/server/src/core/idobject.cpp
+++ b/server/src/core/idobject.cpp
@ -1,7 +1,7 @@
 /**
- * Traintastic
+ * server/src/core/idobject.cpp
 *
- * Copyright (C) 2019-2022 Reinder Feenstra
+ * Copyright (C) 2019-2023 Reinder Feenstra
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@ -22,6 +22,7 @@
 #include "../traintastic/traintastic.hpp"
 #include "../world/getworld.hpp"
 #include "attributes.hpp"
+#include "isvalidobjectid.hpp"
 #include "../utils/displayname.hpp"

 IdObject::IdObject(World& world, std::string_view _id) :
@ -33,6 +34,8 @@ IdObject::IdObject(World& world, std::string_view _id) :
    },
    [this](std::string& value)
    {
+      if(!isValidObjectId(value))
+        throw invalid_value_error();
      auto& m = m_world.m_objects;
      if(m.find(value) != m.end())
        return false;
--- a/server/src/core/isvalidobjectid.cpp
+++ b/server/src/core/isvalidobjectid.cpp
@ -0,0 +1,30 @@
+/**
+ * server/src/core/isvalidobjectid.cpp
+ *
+ * This file is part of the traintastic source code.
+ *
+ * Copyright (C) 2023 Reinder Feenstra
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+#include "isvalidobjectid.hpp"
+#include <regex>
+
+bool isValidObjectId(std::string_view id)
+{
+  static const std::regex re{"[a-z][a-z0-9_]*", };
+  return std::regex_match(id.begin(), id.end(), re);
+}
--- a/server/src/core/isvalidobjectid.hpp
+++ b/server/src/core/isvalidobjectid.hpp
@ -0,0 +1,30 @@
+/**
+ * server/src/core/isvalidobjectid.hpp
+ *
+ * This file is part of the traintastic source code.
+ *
+ * Copyright (C) 2023 Reinder Feenstra
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+#ifndef TRAINTASTIC_SERVER_CORE_ISVALIDOBJECTID_HPP
+#define TRAINTASTIC_SERVER_CORE_ISVALIDOBJECTID_HPP
+
+#include <string_view>
+
+bool isValidObjectId(std::string_view id);
+
+#endif
--- a/server/src/world/worldloader.cpp
+++ b/server/src/world/worldloader.cpp
@ -3,7 +3,7 @@
 *
 * This file is part of the traintastic source code.
 *
- * Copyright (C) 2019-2022 Reinder Feenstra
+ * Copyright (C) 2019-2023 Reinder Feenstra
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@ -26,6 +26,7 @@
 #include <boost/uuid/string_generator.hpp>
 #include <boost/uuid/uuid_io.hpp>
 #include "world.hpp"
+#include "../core/isvalidobjectid.hpp"
 #include "../utils/startswith.hpp"
 #include "../utils/stripsuffix.hpp"
 #include "ctwreader.hpp"
@ -167,7 +168,12 @@ void WorldLoader::load()
  for(json object : data["objects"])
  {
    if(auto it = object.find("id"); it != object.end())
-      m_objects.insert({it.value().get<std::string>(), {object, nullptr, false}});
+    {
+      auto id = it.value().get<std::string>();
+      if(!isValidObjectId(id))
+        throw std::runtime_error("invalid object id value");
+      m_objects.insert({std::move(id), {object, nullptr, false}});
+    }
    else
      throw std::runtime_error("id missing");
  }