diff --git a/lua/ui/lobby/lobby.lua b/lua/ui/lobby/lobby.lua
index ffaf12f159..f7e3c86b71 100644
--- a/lua/ui/lobby/lobby.lua
+++ b/lua/ui/lobby/lobby.lua
@@ -5210,11 +5210,61 @@ local MessageHandlers = {
 },
 AddPlayer = {
+
+ ---@class LobbyAddPlayerData
+ ---@field PlayerOptions PlayerData
+ ---@field SenderId number
+ ---@field SenderName string
+ ---@field Type string
+
+ ---@param data LobbyAddPlayerData
 Accept = function(data)
- return data.PlayerOptions.OwnerID and
- data.PlayerOptions.OwnerID == data.SenderID and
- not FindNameForID(data.SenderID) and
- lobbyComm:IsHost()
+ -- we need to do quite a bit of checks to prevent malicious values
+ if type(data.PlayerOptions.MEAN) != 'number' then
+ return false
+ end
+
+ if type (data.PlayerOptions.NG) != 'number' then
+ return false
+ end
+
+ if type(data.PlayerOptions.Faction) != 'number' then
+ return false
+ end
+
+ if type(data.PlayerOptions.PlayerName) != 'string' then
+ return false
+ end
+
+ local charactersInPlayerName = string.len(data.PlayerOptions.PlayerName)
+ if charactersInPlayerName < 3 or charactersInPlayerName > 32 then
+ return false
+ end
+
+ if data.PlayerOptions.PlayerClan then
+ if type(data.PlayerOptions.PlayerClan) != 'string' then
+ return false
+ end
+
+ if string.len(data.PlayerOptions.PlayerClan) > 3 then
+ return false
+ end
+ end
+
+
+ if not data.PlayerOptions.OwnerID then
+ return false
+ end
+
+ if not (data.PlayerOptions.OwnerID == data.SenderID) then
+ return false
+ end
+
+ if FindNameForID(data.SenderID) then
+ return false
+ end
+
+ return lobbyComm:IsHost()
 end,
 Reject = function(data)
 lobbyComm:EjectPeer(data.SenderID, "Invalid player data.")