Merge pull request #2804 from WhatIsACore/master

Prevent out of bounds drag drop exploit
keldaanCommunity · Feb 8, 2025 · 9ba0447 · 9ba0447
2 parents c49aba2 + 70edb1b
commit 9ba0447
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/app/rooms/commands/game-commands.ts b/app/rooms/commands/game-commands.ts
@@ -35,7 +35,9 @@ import {
   PORTAL_CAROUSEL_BASE_DURATION,
   PortalCarouselStages,
   StageDuration,
-  SynergyTriggers
+  SynergyTriggers,
+  BOARD_WIDTH,
+  BOARD_SIDE_HEIGHT
 } from "../../types/Config"
 import { Effect } from "../../types/enum/Effect"
 import { BattleResult, GamePhaseState, Team } from "../../types/enum/Game"
@@ -232,8 +234,17 @@ export class OnDragDropCommand extends Command<
     if (player) {
       message.updateItems = false
       const pokemon = player.board.get(detail.id)
-      if (pokemon) {
-        const { x, y } = detail
+      const { x, y } = detail
+
+      if (
+        pokemon &&
+        x != null &&
+        x >= 0 &&
+        x < BOARD_WIDTH &&
+        y != null &&
+        y >= 0 &&
+        y < BOARD_SIDE_HEIGHT
+      ) {
         const dropOnBench = y == 0
         const dropFromBench = isOnBench(pokemon)
 

diff --git a/app/types/Config.ts b/app/types/Config.ts
@@ -12,6 +12,7 @@ export const SCOPE_LENS_MANA = 15
 export const ARMOR_FACTOR = 0.1
 export const BOARD_WIDTH = 8
 export const BOARD_HEIGHT = 6
+export const BOARD_SIDE_HEIGHT = 4 // 0 = bench
 
 export const RarityHpCost: { [key in Rarity]: number } = Object.freeze({
   [Rarity.COMMON]: 1,