fix: prevent item dupe exploit on item swap #573
Merged
Description
This PR fixes a duplication exploit and stops the front-end from sending a custom item transfer amount when two items that aren't the same are being swapped. This amount is unneeded for this action since the two items can't be stacked by any amount and need to completely swap if they're two different items.
This PR also updates the server-side of this request by not using the amounts provided by the front-end for swapping, and instead using the back-end .amount values known to the inventory. This is because for completely swapping two items, the full amounts for both items should be swapped, and no values from the client should be trusted unless performing an item name check on that slot after removal. This could also be fixed across the board with other changes and validation to some exports.
This PR addresses the duplication exploit issues: #569, #563
Checklist
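
The server-side rule from the description above, as an added example that is not code from this PR or the project: a constructed inventory model compares a swap handler that writes request-supplied amounts with one that swaps the stacks the server already holds. Every function, slot layout and request field name here is hypothetical; only the idea of a server-known amount per slot comes from the description.

```javascript
// Constructed model: an inventory is a Map of slot number -> { name, amount }.
// All names here are hypothetical; this is not the project's code.
function makeInventory() {
  return new Map([
    [1, { name: "water", amount: 1 }],
    [2, { name: "bread", amount: 3 }],
  ]);
}

// Total units per item name, used to check that a swap conserves items.
function totals(inv) {
  const out = {};
  for (const { name, amount } of inv.values()) out[name] = (out[name] || 0) + amount;
  return out;
}

// Pattern the description warns about: amounts from the request are
// written into the swapped slots as-is.
function swapTrustingClient(inv, req) {
  const from = inv.get(req.fromSlot);
  const to = inv.get(req.toSlot);
  inv.set(req.toSlot, { name: from.name, amount: req.fromAmount });
  inv.set(req.fromSlot, { name: to.name, amount: req.toAmount });
}

// Corrected pattern: only slot numbers are taken from the request and
// the full server-side stacks trade places.
function swapServerAuthoritative(inv, req) {
  const { fromSlot, toSlot } = req;
  if (!Number.isInteger(fromSlot) || !Number.isInteger(toSlot) || fromSlot === toSlot) {
    return { ok: false, reason: "bad slot" };
  }
  const from = inv.get(fromSlot);
  const to = inv.get(toSlot);
  if (!from || !to) return { ok: false, reason: "empty slot" };
  if (from.name === to.name) return { ok: false, reason: "same item: stack, not swap" };
  // req.fromAmount / req.toAmount are deliberately never read.
  inv.set(toSlot, { name: from.name, amount: from.amount });
  inv.set(fromSlot, { name: to.name, amount: to.amount });
  return { ok: true };
}

// Constructed request with an inflated amount for the item in slot 1.
const forged = { fromSlot: 1, toSlot: 2, fromAmount: 50, toAmount: 3 };
const weak = makeInventory();
swapTrustingClient(weak, forged);
const strong = makeInventory();
const result = swapServerAuthoritative(strong, forged);
console.log(totals(weak), totals(strong), result);
```

Comparing totals before and after a swap is also a cheap server-side invariant to log or alert on, since a swap of two different items should never change the per-item totals.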