From 01099fc97c23027cf8e161bec2927a0decc4c44b Mon Sep 17 00:00:00 2001
From: Stanislaw Halik
Date: Sun, 27 Nov 2022 22:18:52 +0100
Subject: loader: validate atlas names before loading
---
 loader/atlas.cpp | 16 ++++++++++++++++
 loader/impl.hpp | 1 +
 2 files changed, 17 insertions(+)
(limited to 'loader')
diff --git a/loader/atlas.cpp b/loader/atlas.cpp
index 659f716a..6b5060e7 100644
--- a/loader/atlas.cpp
+++ b/loader/atlas.cpp
@@ -15,6 +15,8 @@ namespace floormat::loader_detail {
 std::shared_ptr loader_impl::tile_atlas(StringView name, Vector2ub size)
 {
+ fm_assert(check_atlas_name(name));
+
 const emplacer e{[&] { return std::make_shared(name, texture(IMAGE_PATH, name), size); }};
 auto atlas = tile_atlas_map.try_emplace(name, e).first->second;
 return atlas;
@@ -29,6 +31,8 @@ ArrayView loader_impl::anim_atlas_list()
 std::shared_ptr loader_impl::anim_atlas(StringView name)
 {
+ fm_assert(check_atlas_name(name));
+
 if (auto it = anim_atlas_map.find(name); it != anim_atlas_map.end())
 return it->second;
 else
@@ -78,4 +82,16 @@ void loader_impl::get_anim_atlas_list()
 anim_atlases.emplace_back(str.exceptSuffix(std::size(".json")-1));
 }
+bool loader_impl::check_atlas_name(StringView str)
+{
+ if (str.isEmpty())
+ return false;
+ if (str.findAny("\\<>&;:'\" ") || str.find("/."))
+ return false;
+ if (str[0] == '.' || str[0] == '/')
+ return false;
+
+ return true;
+}
+
 } // namespace floormat::loader_detail
diff --git a/loader/impl.hpp b/loader/impl.hpp
index 343d3ee1..04b9733f 100644
--- a/loader/impl.hpp
+++ b/loader/impl.hpp
@@ -37,6 +37,7 @@ struct loader_impl final : loader_
 static anim_def deserialize_anim(StringView filename);
 static void system_init();
 static bool chdir(StringView pathname);
+ [[nodiscard]] static bool check_atlas_name(StringView name);
 void ensure_plugins();
 explicit loader_impl();
-- 
cgit v1.2.3
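Review bot: The name check added at the top of `tile_atlas()` (and the identical line added to `anim_atlas()` in the next hunk) is enforced only through `fm_assert`, so how strong it is depends on how that macro is built, which this patch does not show. If `fm_assert` can be compiled out in some configuration, `name` reaches `texture(IMAGE_PATH, name)` unchecked there. If it is always active, a rejected name presumably ends the process, which matters if atlas names can come from data the program does not author itself (a map or JSON file, if that applies here). I would state the contract at both call sites, for example `// fm_assert stays enabled in every build type; an invalid atlas name is a fatal error`, or return an error the caller can handle if that is not the intent. Both function bodies continue outside their hunks.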
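Review bot: `check_atlas_name()` is written as a denylist, and what it lets through is wider than the commit subject suggests. Control bytes (an embedded NUL or newline), `|`, `*`, `?`, `$`, an empty component such as `a//b`, and a trailing `/` all pass, since only the listed characters, the `/.` sequence and a leading `.` or `/` are rejected. For a value that is appended to `IMAGE_PATH`, an allowlist of permitted characters is easier to reason about and does not need revisiting for each new platform quirk. The sketch below keeps every rejection the current code makes and adds those cases, but it also rejects any character outside `[A-Za-z0-9_./-]`, so it only fits if the existing asset names stay within that set. The function would also benefit from a short comment above it stating the accepted grammar, so callers know what "valid" means.

```cpp
bool loader_impl::check_atlas_name(StringView str)
{
    // Accepted: non-empty, relative, '/'-separated components made of
    // [A-Za-z0-9_.-]; a component may not be empty or start with '.'.
    if (str.isEmpty())
        return false;

    char prev = '/'; // treat the start like a separator: rejects a leading '.' or '/'
    for (const char c : str)
    {
        const bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                           (c >= '0' && c <= '9');
        if (!alnum && c != '_' && c != '-' && c != '.' && c != '/')
            return false;
        if (prev == '/' && (c == '.' || c == '/'))
            return false; // "/." (hidden entry or "..") and "//" (empty component)
        prev = c;
    }

    return prev != '/'; // no trailing separator
}
```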