From b1c8b2848fe2ee1226aedcb362b8fc1e36500dad Mon Sep 17 00:00:00 2001
From: Houmgaor
Date: Mon, 16 Feb 2026 19:14:14 +0100
Subject: [PATCH] security: fix CodeQL warnings for integer overflow and workflow permissions

- handlers_tower.go: add bounds checks before int-to-int16 and int-to-uint16 conversions to prevent overflow/wraparound (CodeQL #7, #8)
- go-improved.yml, go.yml: add top-level `permissions: contents: read` to restrict workflow token scope (CodeQL #15, #16, #17)
---
 .github/workflows/go-improved.yml      |  3 +++
 .github/workflows/go.yml               |  3 +++
 server/channelserver/handlers_tower.go | 10 +++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/go-improved.yml b/.github/workflows/go-improved.yml
index 42baa0205..b2da9b8c0 100644
--- a/.github/workflows/go-improved.yml
+++ b/.github/workflows/go-improved.yml
@@ -20,6 +20,9 @@ on:
       - main
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 7812a8c7b..42aeb6338 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -12,6 +12,9 @@ on:
       - 'main.go'
       - '.github/workflows/go.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/server/channelserver/handlers_tower.go b/server/channelserver/handlers_tower.go
index 8f32a7882..0e2e87ab4 100644
--- a/server/channelserver/handlers_tower.go
+++ b/server/channelserver/handlers_tower.go
@@ -3,10 +3,12 @@ package channelserver
 import (
 	_config "erupe-ce/config"
 	"fmt"
-	"go.uber.org/zap"
+	"math"
 	"strings"
 	"time"
 
+	"go.uber.org/zap"
+
 	"erupe-ce/common/byteframe"
 	"erupe-ce/common/stringsupport"
 	"erupe-ce/network/mhfpacket"
@@ -71,6 +73,9 @@ func handleMsgMhfGetTowerInfo(s *Session, p mhfpacket.MHFPacket) {
 	}
 	for i, skill := range stringsupport.CSVElems(tempSkills) {
+		if skill < math.MinInt16 || skill > math.MaxInt16 {
+			continue
+		}
 		towerInfo.Skill[0].Skills[i] = int16(skill)
 	}
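Review bot: The top-level `permissions: contents: read` in go-improved.yml (and the identical addition in go.yml) now caps every job in the file, so any step that must write — uploading CodeQL/SARIF results needs `security-events: write`, publishing check results or PR comments needs `checks: write` or `pull-requests: write` — has to re-declare the extra scope in a per-job `permissions:` block. The jobs themselves lie outside the hunk, so please confirm none of them relied on the previous default token before merging; the right shape is to keep this restrictive default and widen per job, never at the top level. A one-line comment above the block, `# Least-privilege default; jobs that must write re-declare permissions locally.`, records that intent for the next editor.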
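Review bot: The new range check in handleMsgMhfGetTowerInfo drops an out-of-range skill with a bare `continue`, which leaves `towerInfo.Skill[0].Skills[i]` at its zero value and records nothing, so a corrupted or tampered `tower` row is silently normalized instead of surfaced. Since `zap` is already imported in this file, logging the skipped index and value at warn level before the `continue` gives operators a signal that the persisted CSV is malformed; the logger handle is not visible in the hunk, so adapt the call to whatever the session exposes. The check also never bounds `i` against `Skills` itself; if `Skills` is a fixed-size array (its declaration is outside the hunk) a stored CSV with more elements than expected still panics on the index, so `if i >= len(towerInfo.Skill[0].Skills) { break }` belongs next to the new range check, with a comment such as `// stored CSV is untrusted: skip values that do not fit int16 and never index past the array`. handleMsgMhfGetTowerInfo starts before the hunk and its body continues after it.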
@@ -428,6 +433,9 @@ func handleMsgMhfGetGemInfo(s *Session, p mhfpacket.MHFPacket) {
 	var tempGems string
 	s.server.db.QueryRow(`SELECT COALESCE(gems, $1) FROM tower WHERE char_id=$2`, EmptyTowerCSV(30), s.charID).Scan(&tempGems)
 	for i, v := range stringsupport.CSVElems(tempGems) {
+		if v < 0 || v > math.MaxUint16 {
+			continue
+		}
 		gemInfo = append(gemInfo, GemInfo{uint16((i / 5 << 8) + (i%5 + 1)), uint16(v)})
 	}
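Review bot: The added check bounds `v` but not the index term on the same line: `uint16((i / 5 << 8) + (i%5 + 1))` wraps once `i >= 1280`, because `i/5` reaches 256 and `<< 8` pushes it past `math.MaxUint16`, so a stored `gems` CSV longer than expected still yields colliding gem IDs even though the int-to-uint16 finding on `v` is closed. The default `EmptyTowerCSV(30)` keeps ordinary rows far below that, but the row comes from the database and its length is not validated here; either cap the loop with `if i >= 1280 { break } // 256 slots x 5 gems is the largest ID that fits uint16` or guard the computed ID the same way `v` is guarded. The `Scan` error on the `QueryRow` context line is still unchecked, which is pre-existing but means a failed read presumably falls through with an empty `tempGems` and no log. handleMsgMhfGetGemInfo starts before the hunk and continues after it.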