joshuafhiggins/connect4-moderator-observer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 8 Activity

feat: add admin award winner command #13

Merged
remhelper merged 2 commits from feature/admin-award-winner into master 2026-03-06 05:25:29 +00:00
Conversation 1 Commits 2 Files Changed 1 +7 -1
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
scripts/Connection.cs
View File

@@ -208,6 +208,12 @@ public partial class Connection : Node {
sendCommand("GAME", "TERMINATE:" + matchID);
}
public void AwardGameWinner(int matchID, string winnerUsername) {
if (!IsAdmin) return;
if (string.IsNullOrWhiteSpace(winnerUsername)) return;
sendCommand("GAME", "AWARD:" + matchID + ":" + winnerUsername.Trim());
copilot-pull-request-reviewer[bot] commented 2026-03-06 04:25:03 +00:00 (Migrated from github.com)
Review
Copy Link

winnerUsername is inserted into a colon-delimited wire format ("GAME:AWARD::"). If the username contains : it will change the segment structure and can lead to malformed commands / protocol injection. Consider trimming into a local variable and rejecting (or escaping) reserved delimiter characters like : (consistent with SendConnect, which blocks : in the client id).

    var trimmedWinnerUsername = winnerUsername.Trim();
    if (trimmedWinnerUsername.Contains(":")) {
      GD.PushError("AwardGame: winner username contains invalid ':' character and will not be sent.");
      return;
    }
    sendCommand("GAME", "AWARD:" + matchID + ":" + trimmedWinnerUsername);
`winnerUsername` is inserted into a colon-delimited wire format ("GAME:AWARD:<matchID>:<username>"). If the username contains `:` it will change the segment structure and can lead to malformed commands / protocol injection. Consider trimming into a local variable and rejecting (or escaping) reserved delimiter characters like `:` (consistent with `SendConnect`, which blocks `:` in the client id). ```suggestion var trimmedWinnerUsername = winnerUsername.Trim(); if (trimmedWinnerUsername.Contains(":")) { GD.PushError("AwardGame: winner username contains invalid ':' character and will not be sent."); return; } sendCommand("GAME", "AWARD:" + matchID + ":" + trimmedWinnerUsername); ```
}
public void SetMoveWait(float waitTime) {
if (!IsAdmin) return;
CurrentWaitTimeout = waitTime;