fix: security vulnerabilities

Tested that all functions related to the touched files work will test sqlite on a CI build
2026-06-08 15:54:22 +00:00 · 2026-06-06 23:13:09 -07:00
parent 8e09ffd6e8
commit fb166bd24d
107 changed files with 786 additions and 512 deletions
--- a/dScripts/02_server/Map/AM/AmSkullkinDrill.cpp
+++ b/dScripts/02_server/Map/AM/AmSkullkinDrill.cpp
@@ -36,13 +36,14 @@ void AmSkullkinDrill::OnStartup(Entity* self) {
 Entity* AmSkullkinDrill::GetStandObj(Entity* self) {
 	const auto& myGroup = self->GetGroups();

-	if (myGroup.empty()) {
+	if (myGroup.empty() || myGroup[0].empty()) {
 		return nullptr;
 	}
+	const auto& group = myGroup[0];

 	std::string groupName = "Drill_Stand_";

-	groupName.push_back(myGroup[0][myGroup[0].size() - 1]);
+	groupName.push_back(group.back());

 	const auto standObjs = Game::entityManager->GetEntitiesInGroup(groupName);

--- a/dScripts/02_server/Map/General/Binoculars.cpp
+++ b/dScripts/02_server/Map/General/Binoculars.cpp
@@ -7,9 +7,14 @@
 void Binoculars::OnUse(Entity* self, Entity* user) {
 	const auto number = self->GetVarAsString(u"number");

-	int32_t flag = std::stoi(std::to_string(Game::server->GetZoneID()).substr(0, 2) + number);
-	if (user->GetCharacter()->GetPlayerFlag(flag) == false) {
-		user->GetCharacter()->SetPlayerFlag(flag, true);
+	const int32_t flag = GeneralUtils::TryParse(std::to_string(Game::server->GetZoneID()).substr(0, 2) + number, 0);
+	GameMessages::GetFlag flagMsg;
+	flagMsg.target = user->GetObjectID();
+	flagMsg.flagID = flag;
+	flagMsg.Send();
+	if (!flagMsg.flag) {
+		auto* const character = user->GetCharacter();
+		if (character) character->SetPlayerFlag(flag, true);
 		GameMessages::SendFireEventClientSide(self->GetObjectID(), user->GetSystemAddress(), u"achieve", LWOOBJID_EMPTY, 0, -1, LWOOBJID_EMPTY);
 	}
 }
--- a/dScripts/02_server/Map/General/StoryBoxInteractServer.cpp
+++ b/dScripts/02_server/Map/General/StoryBoxInteractServer.cpp
@@ -33,14 +33,18 @@ void StoryBoxInteractServer::OnUse(Entity* self, Entity* user) {
 	const auto storyText = self->GetVarAsString(u"storyText");
 	if (storyText.length() > 2) {
 		auto storyValue = GeneralUtils::TryParse<uint32_t>(storyText.substr(storyText.length() - 2));
-		if(!storyValue) return;
+		if (!storyValue) return;
 		int32_t boxFlag = self->GetVar<int32_t>(u"altFlagID");
 		if (boxFlag <= 0) {
 			boxFlag = (10000 + Game::server->GetZoneID() + storyValue.value());
 		}
-
-		if (user->GetCharacter()->GetPlayerFlag(boxFlag) == false) {
-			user->GetCharacter()->SetPlayerFlag(boxFlag, true);
+		GameMessages::GetFlag flagMsg;
+		flagMsg.target = user->GetObjectID();
+		flagMsg.flagID = boxFlag;
+		flagMsg.Send();
+		if (!flagMsg.flag) {
+			auto* const character = user->GetCharacter();
+			if (character) user->GetCharacter()->SetPlayerFlag(boxFlag, true);
 			GameMessages::SendFireEventClientSide(self->GetObjectID(), user->GetSystemAddress(), u"achieve", LWOOBJID_EMPTY, 0, -1, LWOOBJID_EMPTY);
 		}
 	}
--- a/dScripts/02_server/Map/NS/NsConcertChoiceBuildManager.cpp
+++ b/dScripts/02_server/Map/NS/NsConcertChoiceBuildManager.cpp
@@ -26,7 +26,8 @@ void NsConcertChoiceBuildManager::SpawnCrate(Entity* self) {
 	const auto splitGroup = GeneralUtils::SplitString(group, '_');
 	if (splitGroup.size() < 2)
 		return;
-	const auto groupNumber = std::stoi(splitGroup.at(1));
+	const auto groupNumber = GeneralUtils::TryParse(splitGroup.at(1), -1);
+	if (groupNumber == -1) return;

 	EntityInfo info{};
 	info.lot = crate.lot;
--- a/dScripts/02_server/Map/NT/NtParadoxPanelServer.cpp
+++ b/dScripts/02_server/Map/NT/NtParadoxPanelServer.cpp
@@ -33,7 +33,8 @@ void NtParadoxPanelServer::OnUse(Entity* self, Entity* user) {

 			const auto flag = self->GetVar<int32_t>(u"flag");

-			player->GetCharacter()->SetPlayerFlag(flag, true);
+			auto* const character = player->GetCharacter();
+			if (character) character->SetPlayerFlag(flag, true);

 			RenderComponent::PlayAnimation(player, u"rebuild-celebrate");

--- a/dScripts/02_server/Map/Property/AG_Small/ZoneAgProperty.cpp
+++ b/dScripts/02_server/Map/Property/AG_Small/ZoneAgProperty.cpp
@@ -413,7 +413,8 @@ void ZoneAgProperty::BaseOnFireEventServerSide(Entity* self, Entity* sender, std
 		if (player == nullptr)
 			return;

-		player->GetCharacter()->SetPlayerFlag(self->GetVar<int32_t>(defeatedProperyFlag), true);
+		auto* const character = player->GetCharacter();
+		if (character) character->SetPlayerFlag(self->GetVar<int32_t>(defeatedProperyFlag), true);
 		GameMessages::SendNotifyClientObject(self->GetObjectID(), u"PlayCinematic", 0, 0,
 			LWOOBJID_EMPTY, destroyedCinematic, UNASSIGNED_SYSTEM_ADDRESS);

--- a/dScripts/02_server/Map/VE/VeMissionConsole.cpp
+++ b/dScripts/02_server/Map/VE/VeMissionConsole.cpp
@@ -15,7 +15,7 @@ void VeMissionConsole::OnUse(Entity* self, Entity* user) {

 	// The flag to set is 101<number>
 	const auto flagNumber = self->GetVar<std::u16string>(m_NumberVariable);
-	const int32_t flag = std::stoi("101" + GeneralUtils::UTF16ToWTF8(flagNumber));
+	const int32_t flag = GeneralUtils::TryParse("101" + GeneralUtils::UTF16ToWTF8(flagNumber), 0);

 	auto* character = user->GetCharacter();
 	if (character != nullptr) {
--- a/dScripts/02_server/Map/njhub/CavePrisonCage.cpp
+++ b/dScripts/02_server/Map/njhub/CavePrisonCage.cpp
@@ -13,7 +13,10 @@ void CavePrisonCage::OnStartup(Entity* self) {
 		return;
 	}

-	auto* spawner = Game::zoneManager->GetSpawnersByName("PrisonCounterweight_0" + GeneralUtils::UTF16ToWTF8(myNum))[0];
+	const auto spawners = Game::zoneManager->GetSpawnersByName("PrisonCounterweight_0" + GeneralUtils::UTF16ToWTF8(myNum));
+	if (spawners.empty()) return;
+
+	auto* spawner = spawners[0];

 	self->SetVar<Spawner*>(u"CWSpawner", spawner);

@@ -21,6 +24,7 @@ void CavePrisonCage::OnStartup(Entity* self) {
 }

 void CavePrisonCage::Setup(Entity* self, Spawner* spawner) {
+	if (!spawner) return;
 	SpawnCounterweight(self, spawner);

 	NiPoint3 mypos = self->GetPosition();
@@ -62,6 +66,8 @@ void CavePrisonCage::OnQuickBuildNotifyState(Entity* self, eQuickBuildState stat
 }

 void CavePrisonCage::SpawnCounterweight(Entity* self, Spawner* spawner) {
+	if (!spawner) return;
+
 	spawner->Reset();

 	auto* counterweight = spawner->Spawn();
@@ -164,7 +170,8 @@ void CavePrisonCage::OnTimerDone(Entity* self, std::string timerName) {
 		const auto flagNum = 2020 + self->GetVarAs<int32_t>(u"myNumber");

 		// Set the flag on the builder character
-		builder->GetCharacter()->SetPlayerFlag(flagNum, true);
+		auto* const character = builder->GetCharacter();
+		if (character) character->SetPlayerFlag(flagNum, true);

 		// Setup a timer named 'VillagerEscape' to be triggered in 5 seconds
 		self->AddTimer("VillagerEscape", 5.0f);
--- a/dScripts/02_server/Map/njhub/boss_instance/NjMonastryBossInstance.cpp
+++ b/dScripts/02_server/Map/njhub/boss_instance/NjMonastryBossInstance.cpp
@@ -408,7 +408,7 @@ void NjMonastryBossInstance::SummonWave(Entity* self, Entity* frakjaw) {

 	// Stop the music for the first, fourth and fifth wave
 	const auto wave = self->GetVar<uint32_t>(WaveNumberVariable);
-	if (wave >= 1 || wave < (m_Waves.size() - 1)) {
+	if (wave >= 1 && wave < (m_Waves.size() - 1)) {
 		GameMessages::SendNotifyClientObject(self->GetObjectID(), StopMusicNotification, 0, 0,
 			LWOOBJID_EMPTY, AudioWaveAudio + std::to_string(wave - 1),
 			UNASSIGNED_SYSTEM_ADDRESS);