Merge pull request #249 from simoleo89/fix/wired-avatar-condition-payloads

fix(wired): bound avatar condition payloads

Emulator/src/main/java/com/eu/habbo/habbohotel/items/interactions/wired/conditions/WiredConditionHabboHasEffect.java

@@ -18,6 +18,7 @@ import java.util.List;
 public class WiredConditionHabboHasEffect extends InteractionWiredCondition {
     protected static final int QUANTIFIER_ALL = 0;
     protected static final int QUANTIFIER_ANY = 1;
+    protected static final int MAX_EFFECT_ID = 10_000;
 
     public static final WiredConditionType type = WiredConditionType.ACTOR_WEARS_EFFECT;
 
@@ -86,6 +87,7 @@ public class WiredConditionHabboHasEffect extends InteractionWiredCondition {
 
     @Override
     public void loadWiredData(ResultSet set, Room room) throws SQLException {
+        this.onPickUp();
         String wiredData = set.getString("wired_data");
         if (wiredData == null || wiredData.isEmpty()) {
             this.onPickUp();
@@ -171,6 +173,14 @@ public class WiredConditionHabboHasEffect extends InteractionWiredCondition {
         return (value == QUANTIFIER_ANY) ? QUANTIFIER_ANY : QUANTIFIER_ALL;
     }
 
+    protected int normalizeEffectId(int value) {
+        return Math.max(0, Math.min(MAX_EFFECT_ID, value));
+    }
+
+    protected int normalizeUserSource(int value) {
+        return WiredSourceUtil.isDefaultUserSource(value) ? value : WiredSourceUtil.SOURCE_TRIGGER;
+    }
+
     static class JsonData {
         int effectId;
         int userSource;

Emulator/src/main/java/com/eu/habbo/habbohotel/items/interactions/wired/conditions/WiredConditionHabboHasHandItem.java

@@ -18,6 +18,7 @@ import java.util.List;
 public class WiredConditionHabboHasHandItem extends InteractionWiredCondition {
     protected static final int QUANTIFIER_ALL = 0;
     protected static final int QUANTIFIER_ANY = 1;
+    protected static final int MAX_HAND_ITEM_ID = 10_000;
 
     public static final WiredConditionType type = WiredConditionType.ACTOR_HAS_HANDITEM;
 
@@ -171,6 +172,10 @@ public class WiredConditionHabboHasHandItem extends InteractionWiredCondition {
         return (value == QUANTIFIER_ANY) ? QUANTIFIER_ANY : QUANTIFIER_ALL;
     }
 
+    protected int normalizeUserSource(int value) {
+        return WiredSourceUtil.isDefaultUserSource(value) ? value : WiredSourceUtil.SOURCE_TRIGGER;
+    }
+
     static class JsonData {
         int handItemId;
         int userSource;

Emulator/src/main/java/com/eu/habbo/habbohotel/items/interactions/wired/conditions/WiredConditionHabboWearsBadge.java

@@ -20,6 +20,7 @@ import java.util.List;
 public class WiredConditionHabboWearsBadge extends InteractionWiredCondition {
     protected static final int QUANTIFIER_ALL = 0;
     protected static final int QUANTIFIER_ANY = 1;
+    protected static final int MAX_BADGE_CODE_LENGTH = 64;
 
     public static final WiredConditionType type = WiredConditionType.ACTOR_WEARS_BADGE;
 
@@ -37,6 +38,10 @@ public class WiredConditionHabboWearsBadge extends InteractionWiredCondition {
 
     @Override
     public boolean evaluate(WiredContext ctx) {
+        if (ctx == null || ctx.room() == null) {
+            return false;
+        }
+
         Room room = ctx.room();
         List<RoomUnit> targets = WiredSourceUtil.resolveUsers(ctx, this.userSource);
         if (targets.isEmpty()) return false;
@@ -102,6 +107,7 @@ public class WiredConditionHabboWearsBadge extends InteractionWiredCondition {
 
     @Override
     public void loadWiredData(ResultSet set, Room room) throws SQLException {
+        this.onPickUp();
         String wiredData = set.getString("wired_data");
         if (wiredData == null) {
             this.onPickUp();
@@ -181,6 +187,19 @@ public class WiredConditionHabboWearsBadge extends InteractionWiredCondition {
         return (value == QUANTIFIER_ANY) ? QUANTIFIER_ANY : QUANTIFIER_ALL;
     }
 
+    protected String normalizeBadge(String value) {
+        if (value == null) {
+            return "";
+        }
+
+        String normalized = value.trim();
+        return normalized.length() <= MAX_BADGE_CODE_LENGTH ? normalized : normalized.substring(0, MAX_BADGE_CODE_LENGTH);
+    }
+
+    protected int normalizeUserSource(int value) {
+        return WiredSourceUtil.isDefaultUserSource(value) ? value : WiredSourceUtil.SOURCE_TRIGGER;
+    }
+
     static class JsonData {
         String badge;
         int userSource;

Emulator/src/test/java/com/eu/habbo/habbohotel/items/interactions/wired/conditions/WiredConditionAvatarPayloadGuardTest.java

@@ -0,0 +1,47 @@
+package com.eu.habbo.habbohotel.items.interactions.wired.conditions;
+
+import com.eu.habbo.habbohotel.wired.core.WiredSourceUtil;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class WiredConditionAvatarPayloadGuardTest {
+    @Test
+    void effectIdsSourcesAndQuantifiersAreBounded() {
+        WiredConditionHabboHasEffect condition = new WiredConditionHabboHasEffect(1, 1, null, "", 0, 0);
+
+        assertEquals(0, condition.normalizeEffectId(-1));
+        assertEquals(23, condition.normalizeEffectId(23));
+        assertEquals(WiredConditionHabboHasEffect.MAX_EFFECT_ID, condition.normalizeEffectId(Integer.MAX_VALUE));
+        assertEquals(WiredSourceUtil.SOURCE_CLICKED_USER, condition.normalizeUserSource(WiredSourceUtil.SOURCE_CLICKED_USER));
+        assertEquals(WiredSourceUtil.SOURCE_TRIGGER, condition.normalizeUserSource(777));
+        assertEquals(1, condition.normalizeQuantifier(1, 0));
+        assertEquals(0, condition.normalizeQuantifier(5, 0));
+    }
+
+    @Test
+    void handItemIdsSourcesAndQuantifiersAreBounded() {
+        WiredConditionHabboHasHandItem condition = new WiredConditionHabboHasHandItem(1, 1, null, "", 0, 0);
+
+        assertEquals(0, condition.normalizeHandItem(-1));
+        assertEquals(9, condition.normalizeHandItem(9));
+        assertEquals(WiredConditionHabboHasHandItem.MAX_HAND_ITEM_ID, condition.normalizeHandItem(Integer.MAX_VALUE));
+        assertEquals(WiredSourceUtil.SOURCE_SIGNAL, condition.normalizeUserSource(WiredSourceUtil.SOURCE_SIGNAL));
+        assertEquals(WiredSourceUtil.SOURCE_TRIGGER, condition.normalizeUserSource(-44));
+        assertEquals(1, condition.normalizeQuantifier(1));
+        assertEquals(0, condition.normalizeQuantifier(8));
+    }
+
+    @Test
+    void badgeCodesSourcesAndQuantifiersAreBounded() {
+        WiredConditionHabboWearsBadge condition = new WiredConditionHabboWearsBadge(1, 1, null, "", 0, 0);
+
+        assertEquals("", condition.normalizeBadge(null));
+        assertEquals("ADM", condition.normalizeBadge(" ADM "));
+        assertEquals(WiredConditionHabboWearsBadge.MAX_BADGE_CODE_LENGTH, condition.normalizeBadge("x".repeat(200)).length());
+        assertEquals(WiredSourceUtil.SOURCE_SELECTOR, condition.normalizeUserSource(WiredSourceUtil.SOURCE_SELECTOR));
+        assertEquals(WiredSourceUtil.SOURCE_TRIGGER, condition.normalizeUserSource(66));
+        assertEquals(1, condition.normalizeQuantifier(1, 0));
+        assertEquals(0, condition.normalizeQuantifier(3, 0));
+    }
+}