1.5 Milestone: Security audit #107
Labels
enhancement
New feature or request
Comments
|
the entire codebase isn't that big, so I think it would be healthy to take both of us a glance and create issue for each potential threat |
|
I totally agree. |
|
Adding 1.4 since I think 1.3 will be an intermediary release and we definitely won't worry about any networking here. |
marekmaskarinec
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The engine needs a lot of security auditing. It currently doesn't support networking, so it's not a big threat. But it's important to crack down on all the security holes at once, before we scale the code further.
Example of a security threat: https://github.com/marekmaskarinec/tophat/blob/520907a859a875c6bb07ff34547c2124bcb6e25c/src/bindings.c#L26
I would take a look at the entire repository right now, and look for all possible holes, perhaps using tooling like static analyzers and dynamic analyzers.
This is really important - if netcode extension gets developed, or networking gets added into tophat, it would potentially allow doing arbitrary code in case of stack smashing like in example above.
Netcode may be far ahead, but I think it's important to take measures.
The text was updated successfully, but these errors were encountered: