security: fix CodeQL warnings for integer overflow and workflow permissions

- handlers_tower.go: add bounds checks before int-to-int16 and int-to-uint16
  conversions to prevent overflow/wraparound (CodeQL #7, #8)
- go-improved.yml, go.yml: add top-level `permissions: contents: read` to
  restrict workflow token scope (CodeQL #15, #16, #17)
Houmgaor
2026-02-16 19:14:14 +01:00
parent 5e0d578670
commit b1c8b2848f
3 changed files with 15 additions and 1 deletions


@@ -3,10 +3,12 @@ package channelserver
import (
_config "erupe-ce/config"
"fmt"
"go.uber.org/zap"
"math"
"strings"
"time"
"go.uber.org/zap"
"erupe-ce/common/byteframe"
"erupe-ce/common/stringsupport"
"erupe-ce/network/mhfpacket"
@@ -71,6 +73,9 @@ func handleMsgMhfGetTowerInfo(s *Session, p mhfpacket.MHFPacket) {
}
for i, skill := range stringsupport.CSVElems(tempSkills) {
if skill < math.MinInt16 || skill > math.MaxInt16 {
continue
}
towerInfo.Skill[0].Skills[i] = int16(skill)
}
@@ -428,6 +433,9 @@ func handleMsgMhfGetGemInfo(s *Session, p mhfpacket.MHFPacket) {
var tempGems string
s.server.db.QueryRow(`SELECT COALESCE(gems, $1) FROM tower WHERE char_id=$2`, EmptyTowerCSV(30), s.charID).Scan(&tempGems)
for i, v := range stringsupport.CSVElems(tempGems) {
if v < 0 || v > math.MaxUint16 {
continue
}
gemInfo = append(gemInfo, GemInfo{uint16((i / 5 << 8) + (i%5 + 1)), uint16(v)})
}
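Review bot: The new range guard in handleMsgMhfGetGemInfo, like the matching one in handleMsgMhfGetTowerInfo at the `@@ -71,6 +73,9 @@` hunk, silently drops a value the database should never hold, so a corrupted or tampered `gems`/`skills` column is masked instead of surfaced; a log line before the `continue` (zap is already imported in this file) would make such rows visible to operators, e.g. `s.logger.Warn("gem value out of uint16 range, skipping", zap.Int("index", i), zap.Int("value", v))` if the session carries a logger — I cannot see that from here. The guard also leaves the index unchecked: in the tower hunk `towerInfo.Skill[0].Skills[i]` is written for every CSV element, so if `Skills` is a fixed-size array or slice (its declaration is outside this view) a row with more elements than expected still panics with an index-out-of-range, and `if i >= len(towerInfo.Skill[0].Skills) { break }` before the assignment would close that. The `QueryRow(...).Scan` error on the line above the gem loop is pre-existing and still unchecked, and the body of handleMsgMhfGetGemInfo continues past the end of the hunk.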