Z. Cliffe Schreuders 65ede66810 CRITICAL SECURITY FIX: Prevent client bypass with method='unlocked' ...

Fixed critical vulnerability where ANY locked door/container could be bypassed
by sending method='unlocked' to the server.

The Vulnerability:
- Server used OR logic: if method == 'unlocked' || !room['locked']
- This meant: "If client says unlocked OR room is unlocked, grant access"
- Attacker could bypass ANY lock by sending method='unlocked'
- Example exploit: {targetType: "door", targetId: "ceo", method: "unlocked"}

The Fix:
- Changed to AND logic: if method == 'unlocked' && !room['locked']
- Now means: "Only if client says unlocked AND room is ACTUALLY unlocked"
- Added explicit rejection: return false if method='unlocked' on locked item
- Server now logs SECURITY VIOLATION when bypass is attempted

Changes:
- game.rb:151: Changed || to && for doors
- game.rb:157-160: Added explicit rejection for locked doors
- game.rb:185: Changed || to && for objects
- game.rb:191-194: Added explicit rejection for locked objects

Tests Added (4 new security tests):
1. Verify locked door CANNOT be bypassed with method='unlocked' (422 error)
2. Verify locked container CANNOT be bypassed with method='unlocked' (422 error)
3. Verify unlocked door CAN use method='unlocked' (200 success)
4. Verify unlocked container CAN use method='unlocked' (200 success)

Test Results: 28 tests, 95 assertions, 0 failures

Security Principle: Client state is NEVER trusted for authorization.
Server validates against its own scenario_data, not client claims.

2025-11-22 00:46:56 +00:00

..

break_escape

CRITICAL SECURITY FIX: Prevent client bypass with method='unlocked'

2025-11-22 00:46:56 +00:00

concerns

feat: Generate Rails Engine structure

2025-11-21 15:27:53 +00:00