From 971c92b21a51f5e97a42e4e250c5d7f6bc842ba1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20V=C3=B6gele?=
Date: Mon, 26 Apr 2021 12:31:54 +0200
Subject: [PATCH] Ignore responses from users that aren't recipients of the original request
---
 src/socketlib.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/socketlib.js b/src/socketlib.js
index 48dcc9a..4598f05 100644
--- a/src/socketlib.js
+++ b/src/socketlib.js
@@ -161,7 +161,7 @@ class SocketlibSocket {
 const message = {handlerName, args, recipient};
 message.id = randomID();
 message.type = MESSAGE_TYPES.REQUEST;
- const promise = new Promise((resolve, reject) => this.pendingRequests.set(message.id, {handlerName, resolve, reject}));
+ const promise = new Promise((resolve, reject) => this.pendingRequests.set(message.id, {handlerName, resolve, reject, recipient}));
 game.socket.emit(this.socketName, message);
 return promise;
 }
@@ -270,7 +270,11 @@ class SocketlibSocket {
 const request = this.pendingRequests.get(id);
 if (!request)
 return;
- // TODO Verify if the response comes from the correct sender, discard otherwise
+ if (!this._isResponseSenderValid(senderId, request.recipient)) {
+ console.warn("socketlib | Dropped a response that was received from the wrong user. This means that either someone is inserting messages into the socket or this is a socketlib issue. If the latter is the case please file a bug report in the socketlib repository.")
+ console.info(senderId, request.recipient);
+ return;
+ }
 switch (type) {
 case MESSAGE_TYPES.RESULT:
 request.resolve(result);
@@ -287,6 +291,14 @@ class SocketlibSocket {
 }
 this.pendingRequests.delete(id);
 }
+
+ _isResponseSenderValid(senderId, recipients) {
+ if (recipients === RECIPIENT_TYPES.ONE_GM && game.users.get(senderId).isGM)
+ return true;
+ if (recipients instanceof Array && recipients.includes(senderId))
+ return true;
+ return false;
+ }
 }
 function isResponsibleGM() {
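Review bot: The drop path in the second hunk splits its evidence across two log calls: the `console.warn` text names neither the sender nor the handler, and the unlabelled `console.info(senderId, request.recipient)` that carries them sits at a level that is often filtered out. Since this branch is the only signal that messages may be getting inserted into the socket, put the identifiers into the warning itself, for example by passing `{handlerName: request.handlerName, senderId, expected: request.recipient}` as a second argument to `console.warn` and dropping the `console.info` line. The `console.warn(...)` statement is also missing its trailing semicolon. The enclosing response handler starts before this hunk and continues after it.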
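Review bot: `game.users.get(senderId).isGM` in `_isResponseSenderValid` will throw a TypeError if `senderId` does not resolve to a user, so the validator raises inside the socket handler instead of rejecting the message. A check whose job is to filter unexpected senders should fail closed: `if (recipients === RECIPIENT_TYPES.ONE_GM && game.users.get(senderId)?.isGM)`. `Array.isArray(recipients)` is the more robust spelling of the `instanceof Array` test. If a request can carry a recipient that is neither `ONE_GM` nor an array (not visible in this patch), every response to it is now dropped and its promise never settles, which deserves a comment on the method.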