OpenDream icon indicating copy to clipboard operation
OpenDream copied to clipboard
verified publisher icon OpenDreamProject

Unsafe client access false positive

Open PowerfulBacon opened this issue 1 year ago • 3 comments

The following code produces a false positive in the unsafe client access check.

/proc/log_tgui(user_or_client, text)
	var/entry = ""
	if(!user_or_client)
		entry += "no user"
	else if(istype(user_or_client, /mob))
		var/mob/user = user_or_client
		entry += "[user.ckey] (as [user])"
	else if(istype(user_or_client, /client))
		var/client/client = user_or_client
		entry += "[client?.ckey]"
	entry += ":\n[text]"
	WRITE_LOG(GLOB.tgui_log, entry)

If we do istype(var, /client), then any client variables assigned from the checked variable should be considered safe.

PowerfulBacon avatar Sep 14 '24 09:09 PowerfulBacon

Since I know C# well, I might as well take a look at this

PowerfulBacon avatar Sep 14 '24 09:09 PowerfulBacon

#pragma UnsafeClientAccess disabled // NOTE: Only checks for unsafe accesses like "client.foobar" and doesn't consider if the client was already null-checked earlier in the proc

ike709 avatar Sep 14 '24 16:09 ike709

It claims that, but it does appear to be able to determine if (!client) return

PowerfulBacon avatar Sep 14 '24 22:09 PowerfulBacon