fix: security vulnerabilities (#1980)

* fix: security vulnerabilities Tested that all functions related to the touched files work will test sqlite on a CI build * fix failing test * ai feedback * add buffer size checking * use c_str * dont log session key * Try this for a mac definition * be quiet apple
2026-06-09 00:04:22 +00:00 · 2026-06-07 20:59:11 -07:00
parent f6c9a27a2b
commit a156a8fcba
109 changed files with 806 additions and 514 deletions
--- a/dDatabase/GameDatabase/MySQL/MySQLDatabase.h
+++ b/dDatabase/GameDatabase/MySQL/MySQLDatabase.h
@@ -127,7 +127,7 @@ public:
 	std::string GetBehavior(const LWOOBJID behaviorId) override;
 	void RemoveBehavior(const LWOOBJID characterId) override;
 	void UpdateAccountGmLevel(const uint32_t accountId, const eGameMasterLevel gmLevel) override;
-	std::optional<IProperty::PropertyEntranceResult> GetProperties(const IProperty::PropertyLookup& params) override;
+	IProperty::PropertyEntranceResult GetProperties(const IProperty::PropertyLookup& params) override;
 	std::vector<ILeaderboard::Entry> GetDescendingLeaderboard(const uint32_t activityId) override;
 	std::vector<ILeaderboard::Entry> GetAscendingLeaderboard(const uint32_t activityId) override;
 	std::vector<ILeaderboard::Entry> GetNsLeaderboard(const uint32_t activityId) override;
--- a/dDatabase/GameDatabase/MySQL/Tables/Mail.cpp
+++ b/dDatabase/GameDatabase/MySQL/Tables/Mail.cpp
@@ -48,7 +48,7 @@ std::vector<MailInfo> MySQLDatabase::GetMailForPlayer(const LWOOBJID characterId
 }

 std::optional<MailInfo> MySQLDatabase::GetMail(const uint64_t mailId) {
-	auto res = ExecuteSelect("SELECT attachment_lot, attachment_count FROM mail WHERE id=? LIMIT 1;", mailId);
+	auto res = ExecuteSelect("SELECT attachment_lot, attachment_count, receiver_id FROM mail WHERE id=? LIMIT 1;", mailId);

 	if (!res->next()) {
 		return std::nullopt;
@@ -57,6 +57,7 @@ std::optional<MailInfo> MySQLDatabase::GetMail(const uint64_t mailId) {
 	MailInfo toReturn;
 	toReturn.itemLOT = res->getInt("attachment_lot");
 	toReturn.itemCount = res->getInt("attachment_count");
+	toReturn.receiverId = res->getUInt64("receiver_id");

 	return toReturn;
 }
--- a/dDatabase/GameDatabase/MySQL/Tables/Property.cpp
+++ b/dDatabase/GameDatabase/MySQL/Tables/Property.cpp
@@ -18,8 +18,8 @@ IProperty::Info ReadPropertyInfo(PreparedStmtResultSet& result) {
 	return info;
 }

-std::optional<IProperty::PropertyEntranceResult> MySQLDatabase::GetProperties(const IProperty::PropertyLookup& params) {
-	std::optional<IProperty::PropertyEntranceResult> result;
+IProperty::PropertyEntranceResult MySQLDatabase::GetProperties(const IProperty::PropertyLookup& params) {
+	IProperty::PropertyEntranceResult result;
 	std::string query;
 	PreparedStmtResultSet properties;

@@ -73,8 +73,7 @@ std::optional<IProperty::PropertyEntranceResult> MySQLDatabase::GetProperties(co
 			params.playerId
 		);
 		if (count->next()) {
-			if (!result) result = IProperty::PropertyEntranceResult();
-			result->totalEntriesMatchingQuery = count->getUInt("count");
+			result.totalEntriesMatchingQuery = count->getUInt("count");
 		}
 	} else {
 		if (params.sortChoice == SORT_TYPE_REPUTATION) {
@@ -127,14 +126,12 @@ std::optional<IProperty::PropertyEntranceResult> MySQLDatabase::GetProperties(co
 			params.playerSort
 		);
 		if (count->next()) {
-			if (!result) result = IProperty::PropertyEntranceResult();
-			result->totalEntriesMatchingQuery = count->getUInt("count");
+			result.totalEntriesMatchingQuery = count->getUInt("count");
 		}
 	}

 	while (properties->next()) {
-		if (!result) result = IProperty::PropertyEntranceResult();
-		result->entries.push_back(ReadPropertyInfo(properties));
+		result.entries.push_back(ReadPropertyInfo(properties));
 	}

 	return result;