Audit finding H-1. Defense-in-depth fix for EmoteCache.LoadAsync,
which interpolated the BetterTTV-supplied Id and ImageType straight
into a Path.Join. HTTPS protects the wire today, but a compromised
upstream that hands back Id values like "../foo" would land outside
EmoteCacheV1, anywhere under pluginConfigs that the plugin can write.
Resolve the candidate path with Path.GetFullPath, then assert it
starts with the cache directory plus a directory separator (so
"EmoteCacheV1Sibling" cannot match "EmoteCacheV1"). Throw
InvalidOperationException on mismatch — the surrounding load
already swallows exceptions and logs them, so a tampered entry
becomes a visible error in the log instead of a silent miss.
Two long-standing upstream bugs surfaced in our distribution as
red error rows on every plugin load. Neither is caused by the
fork's own code, but both happen under our plugin name in the
log so they had to go before the plugin gets handed to anyone.
EmoteCache.LoadData fed BetterTTV's API responses straight into
Dictionary.TryAdd. The Top100 endpoint occasionally returns rows
with a null Code field, which tripped ArgumentNullException and
killed the entire emote load. Filter null/empty codes out
explicitly before insertion so a single bad row no longer breaks
the cache for everyone else.
FontManager.BuildFonts called fontId.AddToBuildToolkit without
guarding for the case where the configured SystemFontId points at
a font that isn't installed (e.g. "Crimson Text" on a Linux box,
or a font the user uninstalled after picking it). The atlas build
then crashed and dumped a Dalamud DelegateFontHandle error every
single load. Wrap the call in AddFontWithFallback: if the font
isn't found, log a warning, fall back to the bundled
NotoSansCjkRegular asset and continue. Applied to both the regular
and italic font handles.
Infi
JonKazama-Hellion