Robustness issue in responses to 'request-input' events #173

Closed
Omikhleia opened this issue Jun 25, 2017 · 0 comments

@Omikhleia (Collaborator)

Sort of similar to #171, but for 'request-input' socket events (necessarily requiring a mis-behaving client, so in a sense 'less problematic').

Monkey testing.

Case 1 - Character selection:
A mis-behaving client can crash the game by providing a null or non-string selection.

TypeError: selection.toLowerCase is not a function
    at Socket.emit (...room.js-server\src\controllers\user-controller.js:107:52)

Case 2 - Login, password issue
A mis-behaving client can crash the game by providing a null, undefined or non-string password.

Null password:

TypeError: Cannot read property 'length' of null
    at Pbkdf2.checkPassword (...room.js-server\src\lib\pbkdf2.js:66:26)
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:94:14)

Non-string password, here an integer:

TypeError: Pass phrase must be a buffer
    at TypeError (native)
    at pbkdf2 (crypto.js:575:20)
    at Object.exports.pbkdf2 (crypto.js:557:10)
    at Pbkdf2.checkPassword (...room.js-server\src\lib\pbkdf2.js:79:12)
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:94:14)

Case 3 - Login, username issue
A mis-behaving client can crash the game by providing a null, undefined or non-string username.

Null username:

TypeError: Cannot read property 'trim' of null
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:86:41)

Non-string password, here an integer:

TypeError: username.trim is not a function
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:86:42)

Case 4 - Create (account creation), username issue
A mis-behaving client can crash the game by providing a null, undefined or non-string username. Same error signatures as previous case, just differing by line numbers.

For a null:

TypeError: Cannot read property 'trim' of null
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:36:41)

And 36:42 for a non-string (tested with integer), on username.trim too.

Case 5 - Create (account creation), password issue
Username is assumed to be valid and non-existent.
With password = password2= null:

TypeError: Cannot read property 'length' of null
    at Pbkdf2.hashPassword (...room.js-server\src\lib\pbkdf2.js:36:26)
    at Socket.emit (...src\controllers\unauthenticated-user-controller.js:49:14)

And with integer:

TypeError: Pass phrase must be a buffer
    at TypeError (native)
    at pbkdf2 (crypto.js:575:20)
    at Object.exports.pbkdf2 (crypto.js:557:10)
    at Pbkdf2.hashPassword (...room.js-server\src\lib\pbkdf2.js:43:12)
    at Socket.emit (..src\controllers\unauthenticated-user-controller.js:49:14)

Case 6 - Create (character creation), player name issue
Similar issues.
I just threw an empty object {} as response, here, to test with undefined.

TypeError: Cannot read property 'replace' of undefined.
    at Socket.emit (...room.js-server\src\controllers\user-controller.js:53:72)

Doh, feeling like a true monkey... Why haven't I automated those tests? ':|
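Added example, not part of the issue or of room.js-server's code: one way to harden handlers for 'request-input' responses so that a null, undefined or non-string field (the six cases above) is answered with an error instead of throwing inside `toLowerCase`, `trim` or `pbkdf2`. The names `asCleanString`, `asPassword`, `handleSelection`, `handleLogin`, `guard` and the injected `checkPassword` callback are hypothetical.

```javascript
// Accepts only non-empty strings within a length bound; returns the trimmed
// value, or null for anything else (null, undefined, numbers, objects, arrays).
function asCleanString(value, maxLength = 64) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > maxLength) return null;
  return trimmed;
}

// Passwords are not trimmed (whitespace may be intentional) but must still be
// strings, since crypto.pbkdf2 rejects anything else with a TypeError.
function asPassword(value, maxLength = 1024) {
  if (typeof value !== 'string') return null;
  if (value.length === 0 || value.length > maxLength) return null;
  return value;
}

// Case 1: the selection is lower-cased only after the type check, so a null or
// numeric selection never reaches toLowerCase().
function handleSelection(payload, validChoices) {
  const selection = asCleanString(payload && payload.selection);
  if (selection === null) return { ok: false, error: 'invalid-input' };
  const choice = selection.toLowerCase();
  if (!validChoices.includes(choice)) return { ok: false, error: 'unknown-selection' };
  return { ok: true, selection: choice };
}

// Cases 2 and 3: both login fields are checked before any password work runs.
// checkPassword(username, password) stands in for the server's pbkdf2
// verification (hypothetical); it is injected so the handler runs offline.
function handleLogin(payload, checkPassword) {
  const username = asCleanString(payload && payload.username);
  const password = asPassword(payload && payload.password);
  if (username === null || password === null) return { ok: false, error: 'invalid-input' };
  return { ok: checkPassword(username, password), error: null };
}

// Last line of defence: an error thrown by any handler is logged and reported
// to the client, instead of becoming an uncaught exception that kills the
// whole game process.
function guard(handler, log = console.error) {
  return (payload, ...rest) => {
    try {
      return handler(payload, ...rest);
    } catch (err) {
      log('request-input handler failed:', err.message);
      return { ok: false, error: 'internal-error' };
    }
  };
}
```

The same `asCleanString` check covers cases 4 to 6 (account-creation username, player name), and `asPassword` covers case 5; the handlers above are only the login and selection shapes from the report.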

@Omikhleia Omikhleia self-assigned this Jun 25, 2017
Omikhleia added a commit that referenced this issue Jun 28, 2017
Just ensure clients provide the expected response payloads.
@Omikhleia Omikhleia added this to the 4.0.0 milestone Jun 28, 2017
doughsay added a commit that referenced this issue Jun 30, 2017
Add robustness check to request-input responses #173