Actually fixed message spoofing exploit

solaris-games · Jan 14, 2024 · d353cc7 · d353cc7
1 parent 1146246
commit d353cc7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/client/src/views/game/Game.vue b/client/src/views/game/Game.vue
@@ -70,8 +70,7 @@ export default {
     let player = GameHelper.getUserPlayer(this.$store.state.game)
 
     let socketData = {
-      gameId: this.$store.state.game._id,
-      userId: this.$store.state.userId
+      gameId: this.$store.state.game._id
     }
 
     if (player) {

diff --git a/server/services/broadcast.ts b/server/services/broadcast.ts
@@ -72,7 +72,14 @@ export default class BroadcastService {
     }
 
     gameMessageSent(game: Game, message: ConversationMessageSentResult) {
-        message.toPlayerIds.forEach(p => this.io.to(p).emit('gameMessageSent', message));
+        // Note: We need to ensure we send to the users' socket, not the players as the player one
+        // can be spoofed.
+        const toUserIds = game.galaxy.players
+            .filter(p => message.toPlayerIds.find(m => m.toString() === p._id.toString()) != null)
+            .filter(p => p.userId != null)
+            .map(p => p.userId!);
+
+        toUserIds.forEach(p => this.io.to(p.toString()).emit('gameMessageSent', message));
     }
 
     gameConversationRead(game: Game, conversation: Conversation, readByPlayerId: DBObjectId) {