feat: add payload length limit, proto field count limit, value range validation

vlydev · vlydev · commit e5d14258d263 · 2026-03-16T16:47:03.000+02:00
diff --git a/cs2_inspect/inspect_link.py b/cs2_inspect/inspect_link.py
@@ -106,6 +106,14 @@ def serialize(data: ItemPreviewData) -> str:
     Returns:
         Uppercase hex string, e.g. "00183C20B803..."
     """
+    if data.paintwear < 0.0 or data.paintwear > 1.0:
+        raise ValueError(
+            f"paintwear must be in [0.0, 1.0], got {data.paintwear}"
+        )
+    if data.customname is not None and len(data.customname) > 100:
+        raise ValueError(
+            f"customname must not exceed 100 characters, got {len(data.customname)}"
+        )
     proto_bytes = encode_item(data)
     buffer = b"\x00" + proto_bytes
     checksum = _crc32_checksum(buffer, len(proto_bytes))
@@ -125,6 +133,10 @@ def deserialize(hex_or_url: str) -> ItemPreviewData:
     (where the first byte is the XOR key applied to all subsequent bytes).
     """
     hex_str = _extract_hex(hex_or_url)
+    if len(hex_str) > 4096:
+        raise ValueError(
+            f"Payload too long (max 4096 hex chars): {hex_or_url[:64]!r}..."
+        )
     raw = binascii.unhexlify(hex_str)
 
     if len(raw) < 6:
diff --git a/cs2_inspect/proto.py b/cs2_inspect/proto.py
@@ -83,7 +83,11 @@ def read_length_delimited(self) -> bytes:
     def read_all_fields(self) -> list[tuple[int, int, Any]]:
         """Read all (field_number, wire_type, value) tuples until EOF."""
         fields: list[tuple[int, int, Any]] = []
+        field_count = 0
         while self.remaining() > 0:
+            field_count += 1
+            if field_count > 100:
+                raise ValueError("Protobuf field count exceeds limit of 100")
             field_num, wire_type = self.read_tag()
             if wire_type == WIRE_VARINT:
                 value = self.read_varint()
diff --git a/tests/test_inspect_link.py b/tests/test_inspect_link.py
@@ -289,3 +289,51 @@ def test_known_hex_checksum_matches(self):
             rarity=5,
         )
         assert serialize(data) == TOOL_HEX
+
+
+# ---------------------------------------------------------------------------
+# Defensive validation tests
+# ---------------------------------------------------------------------------
+
+class TestDefensiveChecks:
+    def test_deserialize_payload_too_long_raises(self):
+        """Payloads longer than 4096 hex chars must raise ValueError."""
+        long_hex = "00" * 2049  # 4098 hex chars > 4096 limit
+        with pytest.raises(ValueError, match="Payload too long"):
+            deserialize(long_hex)
+
+    def test_serialize_paintwear_above_one_raises(self):
+        """paintwear > 1.0 must raise ValueError."""
+        data = ItemPreviewData(defindex=7, paintwear=1.1)
+        with pytest.raises(ValueError, match="paintwear"):
+            serialize(data)
+
+    def test_serialize_paintwear_below_zero_raises(self):
+        """paintwear < 0.0 must raise ValueError."""
+        data = ItemPreviewData(defindex=7, paintwear=-0.1)
+        with pytest.raises(ValueError, match="paintwear"):
+            serialize(data)
+
+    def test_serialize_paintwear_zero_is_valid(self):
+        """paintwear == 0.0 is a valid boundary value."""
+        data = ItemPreviewData(defindex=7, paintwear=0.0)
+        result = serialize(data)
+        assert result.startswith("00")
+
+    def test_serialize_paintwear_one_is_valid(self):
+        """paintwear == 1.0 is a valid boundary value."""
+        data = ItemPreviewData(defindex=7, paintwear=1.0)
+        result = serialize(data)
+        assert result.startswith("00")
+
+    def test_serialize_customname_101_chars_raises(self):
+        """customname exceeding 100 characters must raise ValueError."""
+        data = ItemPreviewData(defindex=7, customname="x" * 101)
+        with pytest.raises(ValueError, match="customname"):
+            serialize(data)
+
+    def test_serialize_customname_100_chars_is_valid(self):
+        """customname of exactly 100 characters must be accepted."""
+        data = ItemPreviewData(defindex=7, customname="x" * 100)
+        result = serialize(data)
+        assert result.startswith("00")
