From 7b7cdfe19c86fe60d354d5e4dc636d464fbcb1f8 Mon Sep 17 00:00:00 2001
From: Scott Anderson <662325+scottanderson@users.noreply.github.com>
Date: Tue, 8 Jul 2025 15:40:36 -0400
Subject: [PATCH] Validate incoming parameters (#1371)
## Description:
Validate incoming parameters.
https://github.com/openfrontio/OpenFrontIO/security/code-scanning/17
## Please complete the following:
- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText() and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced
- [x] I understand that submitting code with bugs that could have been caught through manual testing blocks releases and new features for all contributors
---
 src/server/Master.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/server/Master.ts b/src/server/Master.ts
index 388aba19c..3a131b12e 100644
--- a/src/server/Master.ts
+++ b/src/server/Master.ts
@@ -5,7 +5,7 @@ import http from "http";
 import path from "path";
 import { fileURLToPath } from "url";
 import { getServerConfigFromServer } from "../core/configuration/ConfigLoader";
-import { GameInfo } from "../core/Schemas";
+import { GameInfo, ID } from "../core/Schemas";
 import { generateID } from "../core/Util";
 import { gatekeeper, LimiterType } from "./Gatekeeper";
 import { logger } from "./Logger";
@@ -170,6 +170,11 @@ app.post(
 
 const { gameID, clientID } = req.params;
 
+ if (!ID.safeParse(gameID).success || !ID.safeParse(clientID).success) {
+ res.sendStatus(400);
+ return;
+ }
+
 try {
 const response = await fetch(
 `http://localhost:${config.workerPort(gameID)}/api/kick_player/${gameID}/${clientID}`,
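Review bot: The guard on the `if (!ID.safeParse(gameID).success || !ID.safeParse(clientID).success)` line is the right fix, but nothing records why it must sit before the `fetch` call, so a later refactor could move it or drop it; a one-line comment such as `// gameID/clientID are interpolated into the worker URL below — reject malformed values before they reach it` would pin that down. The `res.sendStatus(400)` branch also gives the client no reason, which is fine for a hardening check but worth a log line at debug level if the project logs rejected requests elsewhere. Other routes in Master.ts that proxy `req.params` into a worker URL presumably need the same check; if so, a shared validator or route middleware would keep them from drifting apart, though I cannot see those handlers from this hunk. The enclosing `app.post` handler starts and ends outside the hunk.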