From 9f575bd416e1f7afbd11d4b221074f34bb89605c Mon Sep 17 00:00:00 2001 From: Dan Engelbrecht Date: Thu, 4 Sep 2025 13:17:25 +0200 Subject: add validation of compact binary payloads before reading them (#483) * add validation of compact binary payloads before reading them --- src/zencore/compactbinaryutil.cpp | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 src/zencore/compactbinaryutil.cpp (limited to 'src/zencore/compactbinaryutil.cpp') diff --git a/src/zencore/compactbinaryutil.cpp b/src/zencore/compactbinaryutil.cpp new file mode 100644 index 000000000..c8cde21c3 --- /dev/null +++ b/src/zencore/compactbinaryutil.cpp @@ -0,0 +1,33 @@ +// Copyright Epic Games, Inc. All Rights Reserved. + +#include + +#include +#include + +namespace zen { + +CbObject +ValidateAndReadCompactBinaryObject(const SharedBuffer&& Payload, CbValidateError& OutError) +{ + if (Payload.GetSize() > 0) + { + if (OutError = ValidateCompactBinary(Payload.GetView(), CbValidateMode::Default); OutError == CbValidateError::None) + { + return CbObject(std::move(Payload)); + } + } + return CbObject(); +} + +CbObject +ValidateAndReadCompactBinaryObject(const CompressedBuffer&& Payload, CbValidateError& OutError) +{ + if (CompositeBuffer Decompressed = Payload.DecompressToComposite()) + { + return ValidateAndReadCompactBinaryObject(std::move(Decompressed).Flatten(), OutError); + } + return CbObject(); +} + +} // namespace zen -- cgit v1.2.3 From 347153218dd09e3806e5b27eb51f538768f27035 Mon Sep 17 00:00:00 2001 From: Dan Engelbrecht Date: Fri, 26 Sep 2025 10:26:34 +0200 Subject: new append op rpc method (#511) - Feature: New `/prj/{project}/{oplog}/rpc` endpoint method `appendops` to send an array of oplog ops and receiving a list of `need` for attachments not present - Feature: Added `usingtmpfiles` boolean field to `/prj/{project}/{oplog}/rpc` method `putchunks` to be explicit about allowing move of temp attachment files - Improvement: Added additional validation of compact binary objects when reading from disk/receiving from client - Improvement: Windows: Added fallback code to use standard `MoveFile` api when rename via `SetFileInformationByHandle` fails in `MoveToFile` (used by filecas) --- src/zencore/compactbinaryutil.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'src/zencore/compactbinaryutil.cpp') diff --git a/src/zencore/compactbinaryutil.cpp b/src/zencore/compactbinaryutil.cpp index c8cde21c3..074bdaffd 100644 --- a/src/zencore/compactbinaryutil.cpp +++ b/src/zencore/compactbinaryutil.cpp @@ -14,7 +14,13 @@ ValidateAndReadCompactBinaryObject(const SharedBuffer&& Payload, CbValidateError { if (OutError = ValidateCompactBinary(Payload.GetView(), CbValidateMode::Default); OutError == CbValidateError::None) { - return CbObject(std::move(Payload)); + CbObject Object(std::move(Payload)); + if (Object.GetView().GetSize() != Payload.GetSize()) + { + OutError |= CbValidateError::OutOfBounds; + return {}; + } + return Object; } } return CbObject(); -- cgit v1.2.3