Perform input validation on DAP requests #115285
Open
rsubtil wants to merge 3 commits into godotengine:master from
| } | ||
|
|
||
| Array breakpoints = args["breakpoints"], lines; | ||
| Array breakpoints = args.get("breakpoints", Array()), lines; |
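Review bot: In the new `args.get("breakpoints", Array())` line, the default only covers a missing key; nothing on this line checks that a value the client did supply for `breakpoints` is actually an array. Since the key is optional, consider testing the type of the supplied value before assigning it, and reporting a malformed request when it is present but not an array.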
Member
Suggested change
| Array breakpoints = args.get("breakpoints", Array()), lines; | |
| Array breakpoints = args.get("breakpoints", Array()); | |
| Array lines; |
While we're here
Member
Author
Actually there are still a lot of instances of this in DAP, so I can go ahead and fix all of them in one go.
| if (!response["success"]) { | ||
| response["command"] = p_params["command"]; | ||
| if (!(bool)response.get("success", false)) { | ||
| response["command"] = p_params["command"]; // No need to validate if "command" exists; this is done when any request is received |
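Review bot: The new `response["command"] = p_params["command"];` line still reads `p_params` through `operator[]`, while the condition directly above it was moved to `get()` with a default. The comment justifies this by a check performed elsewhere, which this hunk does not show. Either use `p_params.get("command", ...)` here for consistency, or name in the comment the function that performs that check, so the invariant can be verified if the call order ever changes.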
Member
Suggested change
| response["command"] = p_params["command"]; // No need to validate if "command" exists; this is done when any request is received | |
| response["command"] = p_params["command"]; // No need to validate that "command" exists; this is done when any request is received. |
b99e27c to 3027e56
Closes #115279
Recent changes in Godot revealed a bad implementation of the DAP specification, where we tried to always access the `checksums` property of DAP::Source objects, when these are actually optional.

To fix this and prevent other scenarios like these, the whole implementation was reviewed (similar to #111684, #112128), handling input validation at two levels:

- `VALIDATE_KEY` tests the key existence and the expected type. If the check fails, an error is logged in Godot (ERR_FAIL) and a DAP::ErrorRequest with error type `MALFORMED_REQUEST` is sent, both with information on the failed validation step.
- ?), changed Dictionary access to the safe `get()` call with default values.
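
The two validation levels described above, as an added C++ sketch that is not Godot's code or part of this pull request. `Value`, `validate_key`, `get_array` and `parse_set_breakpoints` are hypothetical stand-ins for Godot's Variant/Dictionary and the `VALIDATE_KEY` macro, and the error text is constructed.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Stand-in for a decoded JSON value (assumption: not Godot's Variant/Dictionary).
struct Value {
    enum Type { NIL, NUMBER, STRING, ARRAY, DICT } type = NIL;
    std::string str;
    std::vector<Value> arr;
    std::map<std::string, Value> dict;
};
using Dict = std::map<std::string, Value>;

struct Parsed {
    bool ok = false;
    std::string error; // Text for the error response when ok is false.
    std::size_t checksums = 0, breakpoints = 0;
};

// Level 1: a required key must exist and hold the expected type.
const Value *validate_key(const Dict &d, const std::string &key, Value::Type type, std::string &err) {
    auto it = d.find(key);
    if (it == d.end() || it->second.type != type) {
        err = std::string("MALFORMED_REQUEST: ") + (it == d.end() ? "missing '" : "wrong type for '") + key + "'";
        return nullptr;
    }
    return &it->second;
}

// Level 2: an optional key; absent (or, in this sketch, mistyped) yields an empty array.
std::vector<Value> get_array(const Dict &d, const std::string &key) {
    auto it = d.find(key);
    return (it != d.end() && it->second.type == Value::ARRAY) ? it->second.arr : std::vector<Value>();
}

// setBreakpoints arguments: "source" is required; "breakpoints" and "source.checksums" are optional.
Parsed parse_set_breakpoints(const Dict &args) {
    Parsed p;
    const Value *source = validate_key(args, "source", Value::DICT, p.error);
    if (!source) return p; // Caller sends the error response and stops.
    p.checksums = get_array(source->dict, "checksums").size();
    p.breakpoints = get_array(args, "breakpoints").size();
    p.ok = true;
    return p;
}

int main() { // Constructed input: a request whose arguments lack "source".
    std::printf("%s\n", parse_set_breakpoints(Dict()).error.c_str());
}
```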