security: harden input validation and add rate limiting#16

Open
cryptochris8 wants to merge 1 commit into hytopiagg:main from cryptochris8:security/input-validation-hardening

@cryptochris8

Summary

Comprehensive security hardening of the networking stack based on a full audit of the protocol schemas and server/client networking code. Includes a detailed audit report (SECURITY_AUDIT_REPORT.md) documenting all 12 findings.

Fixes applied (7):

  • Chat message length limit (protocol/schemas/ChatMessage.ts) — prevents bandwidth amplification via unbounded messages
  • UI data size limit (protocol/schemas/UIData.ts) — prevents memory exhaustion from oversized JSON payloads
  • Camera angle bounds (protocol/schemas/Input.ts) — clamps pitch/yaw to ±2π, preventing NaN/Infinity physics corruption
  • Per-connection rate limiting (server/src/networking/Connection.ts) — 200 packets/sec sliding window, disconnects flooders
  • Shared buffer corruption fix (server/src/networking/Connection.ts) — Buffer.from() copy prevents msgpackr buffer reuse bugs
  • Path traversal hardening (server/src/networking/WebServer.ts) — iterative URL decode + backslash rejection
  • Auth timeout (server/src/networking/Socket.ts) — 5-second timeout on unauthenticated WebSocket connections
  • Decompression bomb protection (client/src/network/NetworkManager.ts) — 64MB gzip decompression limit

Test plan

  • Verify chat messages over 500 chars are rejected by schema validation
  • Verify connections exceeding 200 packets/sec are disconnected
  • Verify double-encoded path traversal attempts (e.g. %252e%252e) return 400
  • Verify unauthenticated WebSocket connections are closed after 5 seconds
  • Verify normal gameplay is unaffected by the new limits

🤖 Generated with Claude Code

Address multiple security vulnerabilities identified in community audit:

- ChatMessage: add maxLength (500) to prevent amplification attacks
- UIData: add maxProperties (100) to prevent memory exhaustion
- Input: add min/max bounds on camera angles to prevent NaN/Infinity
- Connection: add per-connection rate limiting (200 packets/sec)
- Connection: copy msgpackr buffer to prevent shared buffer corruption
- WebServer: strengthen path traversal with iterative URL decoding
- Socket: add 5-second authentication timeout
- NetworkManager: add 64MB gzip decompression limit

Includes SECURITY_AUDIT_REPORT.md with full findings documentation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
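The two checks the description names (iterative URL decoding ahead of the traversal test, and a per-connection sliding-window packet limit), as an added TypeScript example that is not the PR's own code; `fullyDecode`, `isSafeStaticPath` and `SlidingWindowLimiter` are assumed names, not identifiers from the hytopia code base.

```typescript
// Added example (not the PR's own code): the two checks the PR describes,
// repeated URL decoding before the traversal check and a sliding-window
// packet limit per connection. Function and class names are assumptions.

const MAX_DECODE_PASSES = 5;

// Decode until the string stops changing, so "%252e%252e" (double-encoded
// "..") becomes ".." before the traversal check. Returns null for malformed
// encodings or input still changing after the pass cap.
function fullyDecode(raw: string): string | null {
  let current = raw;
  for (let i = 0; i < MAX_DECODE_PASSES; i++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed percent-encoding
    }
    if (next === current) return current;
    current = next;
  }
  return null;
}

// True only for request paths that cannot escape the served root: no
// backslashes or NUL bytes, and no ".." segment after full decoding.
function isSafeStaticPath(raw: string): boolean {
  const decoded = fullyDecode(raw);
  if (decoded === null) return false;
  if (decoded.includes("\\") || decoded.includes("\0")) return false;
  return !decoded.split("/").some((seg) => seg === "..");
}

// Sliding-window limiter: at most `limit` packets in any `windowMs` span
// (the PR uses 200 per second). The caller disconnects when allow() is false.
class SlidingWindowLimiter {
  private readonly times: number[] = [];
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  allow(nowMs: number): boolean {
    const cutoff = nowMs - this.windowMs;
    // Drop timestamps that have fallen out of the window.
    while (this.times.length > 0 && this.times[0] <= cutoff) this.times.shift();
    if (this.times.length >= this.limit) return false;
    this.times.push(nowMs);
    return true;
  }
}
```

A request whose path fails `isSafeStaticPath` is the case the test plan expects to answer with a 400.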