From c2bfcd6ef898cd171d3385b7ade6c165111872f8 Mon Sep 17 00:00:00 2001
From: Geoffrey Wu
Date: Fri, 26 Apr 2024 16:45:56 -0400
Subject: [PATCH] limit multiplayer message lengths
---
client/multiplayer/room.html | 4 +-
client/multiplayer/room.js | 74 +++++++++++++++++++++---------------
constants.js | 2 +-
server/TossupRoom.js | 22 +++++------
4 files changed, 56 insertions(+), 46 deletions(-)
diff --git a/client/multiplayer/room.html b/client/multiplayer/room.html
index 23a64d58f..3de457eac 100644
--- a/client/multiplayer/room.html
+++ b/client/multiplayer/room.html
@@ -207,13 +207,13 @@

- +
- +
diff --git a/client/multiplayer/room.js b/client/multiplayer/room.js index 6b794ab18..c39290f4d 100644 --- a/client/multiplayer/room.js +++ b/client/multiplayer/room.js @@ -75,6 +75,14 @@ socket.onmessage = function (event) { socketOnConnectionAcknowledged(data); break; + case 'connection-acknowledged-query': + socketOnConnectionAcknowledgedQuery(data); + break; + + case 'connection-acknowledged-tossup': + socketOnConnectionAcknowledgedTossup(data); + break; + case 'end-of-set': socketOnEndOfSet(data); break; 
@@ -292,29 +300,10 @@ const socketOnClearStats = (message) => { sortPlayerListGroup(); }; -const socketOnConnectionAcknowledged = async (message) => { +const socketOnConnectionAcknowledged = (message) => { USER_ID = message.userId; localStorage.setItem('USER_ID', USER_ID); - validCategories = message.validCategories || []; - validSubcategories = message.validSubcategories || []; - validAlternateSubcategories = message.validAlternateSubcategories || []; - loadCategoryModal(validCategories, validSubcategories, validAlternateSubcategories); - - updateDifficulties(message.difficulties || []); - document.getElementById('set-name').value = message.setName || ''; - document.getElementById('packet-number').value = arrayToRange(message.packetNumbers) || ''; - - maxPacketNumber = await getNumPackets(document.getElementById('set-name').value); - if (document.getElementById('set-name').value !== '' && maxPacketNumber === 0) { - document.getElementById('set-name').classList.add('is-invalid'); - } - - tossup = message.tossup; - document.getElementById('set-name-info').textContent = message.tossup?.set?.name ?? ''; - document.getElementById('packet-number-info').textContent = message.tossup?.packet?.number ?? '-'; - document.getElementById('question-number-info').textContent = message.tossup?.number ?? '-'; - document.getElementById('chat').disabled = message.public; document.getElementById('toggle-rebuzz').checked = message.rebuzz; document.getElementById('toggle-skip').checked = message.skip; 
@@ -337,12 +326,6 @@ const socketOnConnectionAcknowledged = async (message) => { document.getElementById('set-settings').classList.add('d-none'); } - document.getElementById('toggle-powermark-only').disabled = message.selectBySetName; - document.getElementById('toggle-standard-only').disabled = message.selectBySetName; - - document.getElementById('toggle-powermark-only').checked = message.powermarkOnly; - document.getElementById('toggle-standard-only').checked = message.standardOnly; - switch (message.questionProgress) { case 0: document.getElementById('next').textContent = 'Start'; @@ -374,11 +357,6 @@ const socketOnConnectionAcknowledged = async (message) => { document.getElementById('private-chat-warning').innerHTML = 'This is a permanent room. Some settings have been restricted.'; } - $('#slider').slider('values', 0, message.minYear); - $('#slider').slider('values', 1, message.maxYear); - document.getElementById('year-range-a').textContent = message.minYear; - document.getElementById('year-range-b').textContent = message.maxYear; - Object.keys(message.players).forEach(userId => { message.players[userId].celerity = message.players[userId].celerity.correct.average; players[userId] = message.players[userId]; 
@@ -392,6 +370,40 @@ const socketOnConnectionAcknowledged = async (message) => { sortPlayerListGroup(); }; +const socketOnConnectionAcknowledgedTossup = (message) => { + tossup = message.tossup; + document.getElementById('set-name-info').textContent = tossup?.set?.name ?? ''; + document.getElementById('packet-number-info').textContent = tossup?.packet?.number ?? '-'; + document.getElementById('question-number-info').textContent = tossup?.number ?? '-'; +}; + +const socketOnConnectionAcknowledgedQuery = async (message) => { + validCategories = message.validCategories || []; + validSubcategories = message.validSubcategories || []; + validAlternateSubcategories = message.validAlternateSubcategories || []; + loadCategoryModal(validCategories, validSubcategories, validAlternateSubcategories); + + updateDifficulties(message.difficulties || []); + document.getElementById('set-name').value = message.setName || ''; + document.getElementById('packet-number').value = arrayToRange(message.packetNumbers) || ''; + + maxPacketNumber = await getNumPackets(document.getElementById('set-name').value); + if (document.getElementById('set-name').value !== '' && maxPacketNumber === 0) { + document.getElementById('set-name').classList.add('is-invalid'); + } + + document.getElementById('toggle-powermark-only').disabled = message.selectBySetName; + document.getElementById('toggle-standard-only').disabled = message.selectBySetName; + + document.getElementById('toggle-powermark-only').checked = message.powermarkOnly; + document.getElementById('toggle-standard-only').checked = message.standardOnly; + + $('#slider').slider('values', 0, message.minYear); + $('#slider').slider('values', 1, message.maxYear); + document.getElementById('year-range-a').textContent = message.minYear; + document.getElementById('year-range-b').textContent = message.maxYear; +}; + const socketOnEndOfSet = () => { window.alert('You have reached the end of the set'); }; 
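Review bot: `socketOnConnectionAcknowledgedQuery` reads `message.validCategories`, `message.validSubcategories` and `message.validAlternateSubcategories`, but the matching server hunk in server/TossupRoom.js now spreads `this.query`, whose keys in the removed lines are `categories`, `subcategories` and `alternateSubcategories`. Unless the query object also carries the `valid*` names, the `|| []` fallbacks will silently hand empty lists to `loadCategoryModal` on every join. Either read the new names here, e.g. `validCategories = message.categories || [];`, or keep the old field mapping on the server. `message.selectBySetName` is also read in this handler now, yet the removed server lines never took it from `this.query`, so confirm the query message actually includes it.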
diff --git a/constants.js b/constants.js
index 165d8fa91..7e79b7547 100644
--- a/constants.js
+++ b/constants.js
@@ -109,7 +109,7 @@ const PERMANENT_ROOMS = [ const COOKIE_MAX_AGE = 1000 * 60 * 60 * 24 * 7; // 7 days const ROOM_NAME_MAX_LENGTH = 32; const USERNAME_MAX_LENGTH = 32; -const WEBSOCKET_MAX_PAYLOAD = 1024 * 1024 * 1; // 1 MB +const WEBSOCKET_MAX_PAYLOAD = 1024 * 10 * 1; // 10 KB const ADJECTIVES = ['adaptable', 'adept', 'affectionate', 'agreeable', 'alluring', 'amazing', 'ambitious', 'amiable', 'ample', 'approachable', 'awesome', 'blithesome', 'bountiful', 'brave', 'breathtaking', 'bright', 'brilliant', 'capable', 'captivating', 'charming', 'competitive', 'confident', 'considerate', 'courageous', 'creative', 'dazzling', 'determined', 'devoted', 'diligent', 'diplomatic', 'dynamic', 'educated', 'efficient', 'elegant', 'enchanting', 'energetic', 'engaging', 'excellent', 'fabulous', 'faithful', 'fantastic', 'favorable', 'fearless', 'flexible', 'focused', 'fortuitous', 'frank', 'friendly', 'funny', 'generous', 'giving', 'gleaming', 'glimmering', 'glistening', 'glittering', 'glowing', 'gorgeous', 'gregarious', 'gripping', 'hardworking', 'helpful', 'hilarious', 'honest', 'humorous', 'imaginative', 'incredible', 'independent', 'inquisitive', 'insightful', 'kind', 'knowledgeable', 'likable', 'lovely', 'loving', 'loyal', 'lustrous', 'magnificent', 'marvelous', 'mirthful', 'moving', 'nice', 'optimistic', 'organized', 'outstanding', 'passionate', 'patient', 'perfect', 'persistent', 'personable', 'philosophical', 'plucky', 'polite', 'powerful', 'productive', 'proficient', 'propitious', 'qualified', 'ravishing', 'relaxed', 'remarkable', 'resourceful', 'responsible', 'romantic', 'rousing', 'sensible', 'shimmering', 'shining', 'sincere', 'sleek', 'sparkling', 'spectacular', 'spellbinding', 'splendid', 'stellar', 'stunning', 'stupendous', 'super', 'technological', 'thoughtful', 'twinkling', 'unique', 'upbeat', 'vibrant', 'vivacious', 'vivid', 'warmhearted', 'willing', 'wondrous', 'zestful']; const ANIMALS = ['aardvark', 'alligator', 'alpaca', 'anaconda', 'ant', 'anteater', 
'antelope', 'aphid', 'armadillo', 'baboon', 'badger', 'barracuda', 'bat', 'beaver', 'bedbug', 'bee', 'bird', 'bison', 'bobcat', 'buffalo', 'butterfly', 'buzzard', 'camel', 'carp', 'cat', 'caterpillar', 'catfish', 'cheetah', 'chicken', 'chimpanzee', 'chipmunk', 'cobra', 'cod', 'condor', 'cougar', 'cow', 'coyote', 'crab', 'cricket', 'crocodile', 'crow', 'cuckoo', 'deer', 'dinosaur', 'dog', 'dolphin', 'donkey', 'dove', 'dragonfly', 'duck', 'eagle', 'eel', 'elephant', 'emu', 'falcon', 'ferret', 'finch', 'fish', 'flamingo', 'flea', 'fly', 'fox', 'frog', 'goat', 'goose', 'gopher', 'gorilla', 'hamster', 'hare', 'hawk', 'hippopotamus', 'horse', 'hummingbird', 'husky', 'iguana', 'impala', 'kangaroo', 'lemur', 'leopard', 'lion', 'lizard', 'llama', 'lobster', 'margay', 'monkey', 'moose', 'mosquito', 'moth', 'mouse', 'mule', 'octopus', 'orca', 'ostrich', 'otter', 'owl', 'ox', 'oyster', 'panda', 'parrot', 'peacock', 'pelican', 'penguin', 'perch', 'pheasant', 'pig', 'pigeon', 'porcupine', 'quagga', 'rabbit', 'raccoon', 'rat', 'rattlesnake', 'rooster', 'seal', 'sheep', 'skunk', 'sloth', 'snail', 'snake', 'spider', 'tiger', 'whale', 'wolf', 'wombat', 'zebra']; diff --git a/server/TossupRoom.js b/server/TossupRoom.js index 2fad0f731..a0f2c62cf 100644 --- a/server/TossupRoom.js +++ b/server/TossupRoom.js 
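Review bot: `WEBSOCKET_MAX_PAYLOAD` in the constants.js hunk bounds a whole frame, not the fields inside it, so a single chat or answer string of nearly 10 KB still passes. The file already defines `USERNAME_MAX_LENGTH` and `ROOM_NAME_MAX_LENGTH`; a similar per-field constant for free-text messages, enforced on the server, would be the real length limit, since any `maxlength` in room.html binds only well-behaved browsers. The consumer of the constant is outside this patch; if it is passed to the WebSocket server as its payload limit, confirm the largest legitimate client message stays under 10 KB, because an oversized frame would typically drop the connection. The expression `1024 * 10 * 1` would read more plainly as `10 * 1024`.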
@@ -139,20 +139,8 @@ class TossupRoom { canBuzz: this.settings.rebuzz || !this.buzzes.includes(userId), buzzedIn: this.buzzedIn, - tossup: this.tossup, questionProgress: this.questionProgress, - difficulties: this.query.difficulties, - minYear: this.query.minYear, - maxYear: this.query.maxYear, - packetNumbers: this.query.packetNumbers, - setName: this.query.setName, - validCategories: this.query.categories, - validSubcategories: this.query.subcategories, - validAlternateSubcategories: this.query.alternateSubcategories, - powermarkOnly: this.query.powermarkOnly, - standardOnly: this.query.standardOnly, - public: this.settings.public, readingSpeed: this.settings.readingSpeed, rebuzz: this.settings.rebuzz, @@ -161,6 +149,16 @@ class TossupRoom { timer: this.settings.timer, })); + socket.send(JSON.stringify({ + type: 'connection-acknowledged-query', + ...this.query, + })); + + socket.send(JSON.stringify({ + type: 'connection-acknowledged-tossup', + tossup: this.tossup, + })); + if (this.questionProgress !== QuestionProgressEnum.NOT_STARTED && this.tossup?.question) { socket.send(JSON.stringify({ type: 'update-question',
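Review bot: The new `connection-acknowledged-query` message spreads `...this.query` where the removed lines sent a fixed list of fields, so every property the query object holds now, or gains later, is serialized to each client that joins. Because the spread comes after `type`, a `type` key on the query object would also replace the message type. Listing the fields explicitly keeps the wire format an allowlist and keeps the `valid*` names that the client handler in client/multiplayer/room.js still reads. The enclosing method starts outside the hunk.

```javascript
        socket.send(JSON.stringify({
            type: 'connection-acknowledged-query',
            difficulties: this.query.difficulties,
            minYear: this.query.minYear,
            maxYear: this.query.maxYear,
            packetNumbers: this.query.packetNumbers,
            setName: this.query.setName,
            validCategories: this.query.categories,
            validSubcategories: this.query.subcategories,
            validAlternateSubcategories: this.query.alternateSubcategories,
            powermarkOnly: this.query.powermarkOnly,
            standardOnly: this.query.standardOnly,
        }));
        // … unchanged: connection-acknowledged-tossup send …
```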