skejeton
commented
1 year ago the entire codebase isn't that big, so I think it would be healthy to take both of us a glance and create issue for each potential threat
Open skejeton opened 1 year ago
skejeton
commented
1 year ago the entire codebase isn't that big, so I think it would be healthy to take both of us a glance and create issue for each potential threat
marekmaskarinec
commented
1 year ago I totally agree.
skejeton
commented
5 months ago Adding 1.4 since I think 1.3 will be an intermediary release and we definitely won't worry about any networking here.
The engine needs a lot of security auditing. It currently doesn't support networking, so it's not a big threat. But it's important to crack down on all the security holes at once, before we scale the code further.
Example of a security threat: https://github.com/marekmaskarinec/tophat/blob/520907a859a875c6bb07ff34547c2124bcb6e25c/src/bindings.c#L26
I would take a look at the entire repository right now, and look for all possible holes, perhaps using tooling like static analyzers and dynamic analyzers.
This is really important - if netcode extension gets developed, or networking gets added into tophat, it would potentially allow doing arbitrary code in case of stack smashing like in example above.
Netcode may be far ahead, but I think it's important to take measures.