bug(server): missing input validation on replay header fields #62

New Issue

2026-05-28T01:51:03Z

funman300 commented

2026-05-28 01:51:03 +00:00

Bug

solitaire_server/src/replays.rs stores replay metadata (game mode, player name, duration, move count) from client-submitted JSON without validating field lengths, ranges, or character sets. A malicious client can:

Submit arbitrarily long strings (DoS / storage exhaustion)
Inject special characters into player name / game mode fields
Submit nonsensical values (negative duration, move count in the billions)

Affected file

solitaire_server/src/replays.rs

Fix

Add a validation layer before any database write:

Player name: max 64 chars, printable ASCII/UTF-8 only
Game mode: allowlist of known values (klondike, time_attack, daily)
Duration: must be > 0, reasonable upper bound (e.g. < 86400s)
Move count: must be >= 0, reasonable upper bound

Return 400 Bad Request with a descriptive error message on validation failure.

## Bug `solitaire_server/src/replays.rs` stores replay metadata (game mode, player name, duration, move count) from client-submitted JSON without validating field lengths, ranges, or character sets. A malicious client can: - Submit arbitrarily long strings (DoS / storage exhaustion) - Inject special characters into player name / game mode fields - Submit nonsensical values (negative duration, move count in the billions) ## Affected file `solitaire_server/src/replays.rs` ## Fix Add a validation layer before any database write: - Player name: max 64 chars, printable ASCII/UTF-8 only - Game mode: allowlist of known values (`klondike`, `time_attack`, `daily`) - Duration: must be > 0, reasonable upper bound (e.g. < 86400s) - Move count: must be >= 0, reasonable upper bound Return `400 Bad Request` with a descriptive error message on validation failure.

funman300 added the bug security server labels 2026-05-28 01:51:03 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: funman300/Ferrous-Solitaire#62