extension_api.json is not sanitized
Godot version
4.2.2
godot-cpp version
4.2.2
System information
Ubuntu 22.04.4 LTS 64-bit
Issue description
When using a custom api file via extension_api.json, the field arguments/name for each method is used directly. I have a custom module, and I happened to use spaces, parentheses, and brackets to describe the inputs of my functions. i.e.
ClassDB::bind_method(D_METHOD("example_function", "input (1)"), &Foo::example_function);
This does not create issues when compiling Godot. However, when compiling godot_cpp, it creates malformed function definitions:
void example_function(int input (1));
While this is a fixable issue for me, there is a (very circumstantial) way to use this for code injection if the module came from a second party.
Steps to reproduce
Compile Godot with modules with malformed input descriptions. Create and move the custom.api. Compile the GDExtension Project.
Minimal reproduction project
N/A
~This belongs in the main repo as it's related to generation, please open one here~ (No need)
This should be simple to fix by adding checks to the unit tests. I will write a check for argument names for the unit tests, and module makers can then use that for validation.
Writing up a test addition
Added a unit test for coverage:
- https://github.com/godotengine/godot/pull/94798
See there for more. We could add a validation step to the API dump, but it'd be far more involved as we'd need to add other validations, and that would just duplicate the unit tests.
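An added example, not code from Godot, godot-cpp or the linked pull request: a pre-build check a GDExtension project could run on an API dump to flag argument names that are not plain identifiers, such as the "input (1)" case reported above. The JSON layout it walks (classes / methods / arguments / name), the function name and the sample data are assumptions constructed for illustration.

```python
import json
import re
import sys

# Plain ASCII identifier: a letter or underscore, then letters, digits, underscores.
# Language keywords are not checked here; this only rejects names that would
# introduce extra tokens into a generated declaration.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample, shaped like the part of an API dump this check reads (assumed layout).
SAMPLE_API = json.loads("""
{
  "classes": [
    {"name": "Foo", "methods": [
      {"name": "example_function",
       "arguments": [{"name": "input (1)", "type": "int"}]},
      {"name": "set_amount",
       "arguments": [{"name": "amount", "type": "int"}, {"name": "", "type": "int"}]}
    ]},
    {"name": "Bar", "methods": [{"name": "no_args"}]}
  ]
}
""")


def find_bad_argument_names(api):
    """Return (class, method, argument index, name) for every argument whose
    name is not a plain identifier."""
    problems = []
    for section in ("classes", "builtin_classes"):
        for cls in api.get(section, []):
            for method in cls.get("methods", []):
                for index, arg in enumerate(method.get("arguments", [])):
                    name = arg.get("name")
                    if not isinstance(name, str) or not _IDENTIFIER.fullmatch(name):
                        problems.append((cls.get("name"), method.get("name"), index, name))
    return problems


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            api = json.load(handle)
    else:
        api = SAMPLE_API
    bad = find_bad_argument_names(api)
    for cls_name, method_name, index, name in bad:
        print(f"{cls_name}::{method_name} argument {index}: invalid name {name!r}")
    sys.exit(1 if bad else 0)
```

Run against a dump from a third-party module before generating bindings, a non-zero exit stops the build before any malformed declaration is written.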