godotengine / godot-cpp

C++ bindings for the Godot script API
MIT License

extension_api.json is not sanitized #1536

Open OffsetMOSFET opened 1 month ago

OffsetMOSFET commented 1 month ago

Godot version

4.2.2

godot-cpp version

4.2.2

System information

Ubuntu 22.04.4 LTS 64-bit

Issue description

When using a custom API file via extension_api.json, the field arguments/name for each method is used directly. I have a custom module, and I happened to use spaces, parentheses, and brackets to describe the inputs of my functions, i.e.

ClassDB::bind_method(D_METHOD("example_function", "input (1)"), &Foo::example_function);

This does not create issues when compiling Godot. However, when compiling godot_cpp, it creates malformed function definitions:

void example_function(int input (1));

While this is a fixable issue for me, there is a (very circumstantial) way to use this for code injection if the module came from a second party.

Steps to reproduce

Compile Godot with modules with malformed input descriptions. Create and move the custom.api. Compile the GDExtension project.

Minimal reproduction project

N/A

AThousandShips commented 1 month ago

~This belongs in the main repo as it's related to generation, please open one here~ (No need)

This should be simple to fix by adding checks to the unit tests. Will write a check for argument names for the unit tests, and module makers can then use that for validation.

Writing up a test addition

AThousandShips commented 1 month ago

Added a unit test for coverage:

See there for more. We could add a validation step to the API dump, but it'd be far more involved as we'd need to add other validations, but that would just duplicate the unit tests.
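
A pre-build check for the problem reported in this issue, as an added example (not code from godot-cpp, Godot, or the unit test mentioned above): it walks a parsed extension_api.json and reports every argument name that is not a plain identifier before the binding generator turns it into C++. It goes beyond the method case in the report by checking any "arguments" list anywhere in the file; the function name, the ASCII identifier rule and the sample JSON are assumptions constructed for illustration.

```python
import json
import re
import sys

# Assumed rule: an argument name must be a plain ASCII identifier, because the
# report shows the name being pasted verbatim into a C++ parameter list.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def find_bad_argument_names(node, path="$"):
    """Return (json_path, name) for each entry of any "arguments" list
    whose "name" is missing or is not a plain identifier."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "arguments" and isinstance(value, list):
                for i, arg in enumerate(value):
                    name = arg.get("name") if isinstance(arg, dict) else None
                    if not isinstance(name, str) or not IDENTIFIER.fullmatch(name):
                        findings.append((f"{child}[{i}].name", name))
            findings.extend(find_bad_argument_names(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_bad_argument_names(item, f"{path}[{i}]"))
    return findings


# Constructed sample, shaped like the case in the report: names containing
# spaces, parentheses and brackets next to one well-formed name.
SAMPLE_API = json.loads("""
{"classes": [{"name": "Foo", "methods": [
  {"name": "example_function",
   "arguments": [{"name": "input (1)", "type": "int"}]},
  {"name": "ok_function",
   "arguments": [{"name": "p_value", "type": "int"}]},
  {"name": "other_function",
   "arguments": [{"name": "max[count]", "type": "int"}]}
]}]}
""")

if __name__ == "__main__":
    bad = find_bad_argument_names(SAMPLE_API)
    for json_path, name in bad:
        print(f"{json_path}: invalid argument name {name!r}")
    sys.exit(1 if bad else 0)  # non-zero exit fails the build step
```

Run against an API file received from another party, a non-empty result means the file should be rejected rather than passed to the generator.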