martyn/townsquare
1
0
Fork 0
mirror of https://github.com/bra1n/townsquare.git synced 2026-03-02 22:32:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: restrict WebSocket message routing to prevent non-host room disruption

Browse source 
Non-host players could broadcast arbitrary messages (e.g. empty gamestate)
to all other players via the server's default and direct message handlers,
effectively allowing them to dissolve the room. Apply the same host-check
pattern already used for ping messages to both handlers, ensuring
player messages only reach the host and never other players.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
xxu 2026-02-17 01:38:45 +09:00
parent d9c2b17dc9
commit 68e298fe27
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
server/index.js
View file

@ -185,6 +185,7 @@ wss.on("connection", function connection(ws, req) {
if ( if (
client !== ws && client !== ws &&
client.readyState === WebSocket.OPEN && client.readyState === WebSocket.OPEN &&
(ws.playerId === "host" || client.playerId === "host") &&
dataToPlayer[client.playerId] dataToPlayer[client.playerId]
) { ) {
client.send(JSON.stringify(dataToPlayer[client.playerId])); client.send(JSON.stringify(dataToPlayer[client.playerId]));
@ -205,7 +206,11 @@ wss.on("connection", function connection(ws, req) {
data data
); );
channels[ws.channel].forEach(function each(client) { channels[ws.channel].forEach(function each(client) {
if (client !== ws && client.readyState === WebSocket.OPEN) { if (
client !== ws &&
client.readyState === WebSocket.OPEN &&
(ws.playerId === "host" || client.playerId === "host")
) {
client.send(data); client.send(data);
metrics.messages_outgoing.inc(); metrics.messages_outgoing.inc();
} }