From 541f86c116e86a967cb06d12572bd2e522a9156b Mon Sep 17 00:00:00 2001
From: rootdarkarchon
Date: Mon, 23 Jan 2023 09:34:57 +0100
Subject: [PATCH 1/3] block anything from user data that is not allowed to be synced
---
 .../MareSynchronosServer/Hubs/MareHub.User.cs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
index e985009..76b8782 100644
--- a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
@@ -114,6 +114,8 @@ public partial class MareHub
 [GeneratedRegex(@"^([a-z0-9_ '+&,\.\-\{\}]+\/)+([a-z0-9_ '+&,\.\-\{\}]+\.[a-z]{3,4})$", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.ECMAScript)]
 private static partial Regex GamePathRegex();
+ private static readonly string[] AllowedExtensionsForGamePaths = { ".mdl", ".tex", ".mtrl", ".tmb", ".pap", ".avfx", ".atex", ".sklb", ".eid", ".phyb", ".scd", ".skp", ".shpk" };
+
 [Authorize(Policy = "Identified")]
 public async Task UserPushData(CharacterCacheDto characterCache, List visibleCharacterIds)
 {
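Review bot: `AllowedExtensionsForGamePaths` is added without a comment, although it is the only place where the set of syncable file types is pinned down. The `GamePathRegex` pattern in the context above ends in `\.[a-z]{3,4}`, so it accepts any three- or four-letter extension and this list alone decides what is let through. I would put `// Allowlist of game file extensions accepted in pushed GamePaths; any other extension is treated as invalid.` above the field, so that a later edit to the list is reviewed as a change to the server-side filter rather than as a constant tweak. The body of `UserPushData` starts at the end of this hunk and continues outside it.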
@@ -124,8 +126,9 @@ public partial class MareHub
 List invalidFileSwapPaths = new();
 foreach (var replacement in characterCache.FileReplacements.SelectMany(p => p.Value))
 {
- var invalidPaths = replacement.GamePaths.Where(p => !GamePathRegex().IsMatch(p)).ToArray();
- replacement.GamePaths = replacement.GamePaths.Where(p => GamePathRegex().IsMatch(p)).ToArray();
+ var invalidPaths = replacement.GamePaths.Where(p => !GamePathRegex().IsMatch(p)).ToList();
+ invalidPaths.AddRange(replacement.GamePaths.Where(p => !AllowedExtensionsForGamePaths.Any(e => p.EndsWith(p, StringComparison.OrdinalIgnoreCase))));
+ replacement.GamePaths = replacement.GamePaths.Where(p => !invalidPaths.Contains(p, StringComparer.OrdinalIgnoreCase)).ToArray();
 bool validGamePaths = replacement.GamePaths.Any();
 bool validHash = string.IsNullOrEmpty(replacement.Hash) || HashRegex().IsMatch(replacement.Hash);
 bool validFileSwapPath = string.IsNullOrEmpty(replacement.FileSwapPath) || GamePathRegex().IsMatch(replacement.FileSwapPath);
From c7f793e82cecd0ba6d1cc3270ddc2ced04d4049a Mon Sep 17 00:00:00 2001
From: rootdarkarchon
Date: Mon, 23 Jan 2023 09:35:55 +0100
Subject: [PATCH 2/3] fix linq
---
 MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
index 76b8782..c3cca76 100644
--- a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
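Review bot: In the PATCH 1/3 hunk, the extension allowlist is applied to `replacement.GamePaths` only; `validFileSwapPath` in the last context line still checks `replacement.FileSwapPath` against `GamePathRegex()` alone, which accepts any three- or four-letter extension. If file swaps are meant to fall under the same "not allowed to be synced" rule (that depends on client semantics not visible here), the check should include the allowlist as well: `bool validFileSwapPath = string.IsNullOrEmpty(replacement.FileSwapPath) || (GamePathRegex().IsMatch(replacement.FileSwapPath) && AllowedExtensionsForGamePaths.Any(e => replacement.FileSwapPath.EndsWith(e, StringComparison.OrdinalIgnoreCase)));`. The `foreach` body continues past the end of the hunk, so how the three `valid*` flags are used afterwards cannot be confirmed from here.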
@@ -127,7 +127,7 @@ public partial class MareHub
 foreach (var replacement in characterCache.FileReplacements.SelectMany(p => p.Value))
 {
 var invalidPaths = replacement.GamePaths.Where(p => !GamePathRegex().IsMatch(p)).ToList();
- invalidPaths.AddRange(replacement.GamePaths.Where(p => !AllowedExtensionsForGamePaths.Any(e => p.EndsWith(p, StringComparison.OrdinalIgnoreCase))));
+ invalidPaths.AddRange(replacement.GamePaths.Where(p => !AllowedExtensionsForGamePaths.Any(e => p.EndsWith(e, StringComparison.OrdinalIgnoreCase))));
 replacement.GamePaths = replacement.GamePaths.Where(p => !invalidPaths.Contains(p, StringComparer.OrdinalIgnoreCase)).ToArray();
 bool validGamePaths = replacement.GamePaths.Any();
 bool validHash = string.IsNullOrEmpty(replacement.Hash) || HashRegex().IsMatch(replacement.Hash);
From 4932b4a8d9eed5765820949337b0303e8f143f90 Mon Sep 17 00:00:00 2001
From: rootdarkarchon
Date: Mon, 23 Jan 2023 17:13:37 +0100
Subject: [PATCH 3/3] fix UserAddPair
---
 .../MareSynchronosServer/Hubs/MareHub.User.cs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
index c3cca76..6de8cfb 100644
--- a/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs
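Review bot: The three filter lines in the PATCH 2/3 hunk walk `replacement.GamePaths` three times and then run `invalidPaths.Contains(...)` once per path, and a path that fails both the regex and the extension check is added to `invalidPaths` twice. Expressing the rule as one named predicate keeps the allowlist logic in a single place where a lambda-variable slip is easier to spot: `bool IsAllowed(string p) => GamePathRegex().IsMatch(p) && AllowedExtensionsForGamePaths.Any(e => p.EndsWith(e, StringComparison.OrdinalIgnoreCase));`, followed by `var invalidPaths = replacement.GamePaths.Where(p => !IsAllowed(p)).ToList();` and `replacement.GamePaths = replacement.GamePaths.Where(IsAllowed).ToArray();`. This differs from the current code in one case: today a path is also dropped when it differs only in letter case from a rejected one; since both checks are themselves case-insensitive, that should not change which paths survive. How `invalidPaths` is used later in the loop lies outside the hunk.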
@@ -177,13 +177,20 @@ public partial class MareHub
 // grab other user, check if it exists and if a pair already exists
 var otherUser = await _dbContext.Users.SingleOrDefaultAsync(u => u.UID == uid || u.Alias == uid).ConfigureAwait(false);
+ if (otherUser == null)
+ {
+ await Clients.Caller.Client_ReceiveServerMessage(MessageSeverity.Warning, $"Cannot pair with {uid}, UID does not exist").ConfigureAwait(false);
+ return;
+ }
+
 var existingEntry = await _dbContext.ClientPairs.AsNoTracking()
 .FirstOrDefaultAsync(p =>
- p.User.UID == UserUID && p.OtherUserUID == uid).ConfigureAwait(false);
- if (otherUser == null || existingEntry != null)
+ p.User.UID == UserUID && p.OtherUserUID == otherUser.UID).ConfigureAwait(false);
+
+ if (existingEntry != null)
 {
- await Clients.Caller.Client_ReceiveServerMessage(MessageSeverity.Warning, $"Cannot pair with {uid}, either already paired or UID does not exist").ConfigureAwait(false);
+ await Clients.Caller.Client_ReceiveServerMessage(MessageSeverity.Warning, $"Cannot pair with {uid}, already paired").ConfigureAwait(false);
 return;
 }
@@ -236,7 +243,7 @@ public partial class MareHub
 var allUserPairs = await GetAllPairedClientsWithPauseState().ConfigureAwait(false);
 // if the other user has paused the main user and there was no previous group connection don't send anything
- if (!otherEntry.IsPaused && allUserPairs.Any(p => string.Equals(p.UID, uid, StringComparison.Ordinal) && p.IsPausedPerGroup is PauseInfo.Paused or PauseInfo.NoConnection))
+ if (!otherEntry.IsPaused && allUserPairs.Any(p => string.Equals(p.UID, otherUser.UID, StringComparison.Ordinal) && p.IsPausedPerGroup is PauseInfo.Paused or PauseInfo.NoConnection))
 {
 await Clients.User(user.UID).Client_UserChangePairedPlayer(otherIdent, true).ConfigureAwait(false);
 await Clients.User(otherUser.UID).Client_UserChangePairedPlayer(userIdent, true).ConfigureAwait(false);
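Review bot: After the new `otherUser == null` guard in the first hunk there is no check that the resolved user is not the caller. Because the lookup also matches `u.Alias == uid`, a self-pair guard earlier in the method that compares the raw `uid` with `UserUID` (not visible in this hunk) would be bypassed by a caller passing their own alias. Adding `if (string.Equals(otherUser.UID, UserUID, StringComparison.Ordinal)) return;` right after the null check closes that. Separately, `SingleOrDefaultAsync` with `u.UID == uid || u.Alias == uid` throws when two rows match, so it is worth confirming that an alias can never equal another user's UID. Both hunks replace `uid` with `otherUser.UID`; the method (presumably `UserAddPair`, per the subject) starts and ends outside them, so any remaining uses of the raw `uid` should be checked the same way.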