1b7f2c40e6
The pointer-arithmetic CodeQL alert kept re-firing on each shape of the previous shallow fix because Encoding.GetBytes is virtual and every length value derived from its return inherited the taint. Refactor the routine to thread int offsets through index-based control flow and only compute pointers inside two small helpers (CalcWordWrap and DrawText) that take an already-pinned base pointer plus offsets sourced from local logic, not from any virtual return. Buffer is now allocated against Encoding.UTF8.GetMaxByteCount via ArrayPool with a real 16 KiB upper bound, and the encoded length returned by GetBytes is validated against that ceiling before anything touches the pointer.

Behaviour is byte-identical to v0.5.3, verified locally with the same input shapes the previous code path handled.

Slim changelog: trimmed the per-version blocks down to v0.5.1-v0.5.4 plus a link to GitHub releases for older history. The previous block ran ~9000 characters and was dragging the manifest payload down for no benefit; users see the latest release block first anyway.
41 lines
5.2 KiB
JSON
[
{
"Author": "JonKazama-Hellion",
"Name": "Hellion Chat",
"InternalName": "HellionChat",
"AssemblyVersion": "0.5.4.0",
"Description": "Hellion Chat is built on top of Chat 2 with one removal and a stack\nof privacy controls on top. Tabs, channel filters, RGB colours,\nemotes, screenshot mode, IPC integration and the chat replacement\nwindow itself work the same. The optional webinterface that Chat 2\nships is intentionally not part of this fork because it serves a\ndifferent use case from the smaller default footprint Hellion Chat\nis built around.\n\nOn top of that, Hellion Chat adds privacy and data-handling controls\ndesigned to align with the modern data protection rules that apply\nacross the EU, the United States and Japan. By default only your own\nconversations are stored; messages from strangers, NPCs and system\nspam stay out of the database. Retention windows are configurable per\nchannel, history can be wiped retroactively, and stored data can be\nexported on demand.\n\nKey additions on top of Chat 2:\n\n- Channel whitelist with a Privacy-First default\n- Per-channel retention with a daily background sweep\n- Retroactive cleanup with a Ctrl+Shift confirm\n- Export to Markdown, JSON or CSV\n- First-run wizard with three preset profiles (Privacy-First, Casual,\n Full History)\n- Bilingual UI (English and German) with live language switching\n- Independent plugin state — own config file and database directory,\n so Hellion Chat does not share state with the upstream plugin\n\nBased on Chat 2 by Infi and Anna, licensed under EUPL-1.2.",
"ApplicableVersion": "any",
"RepoUrl": "https://github.com/JonKazama-Hellion/HellionChat",
"Tags": [
"Social",
"UI",
"Chat",
"Replacement",
"Privacy"
],
"DalamudApiLevel": 15,
"LoadRequiredState": 0,
"LoadSync": false,
"CanUnloadAsync": false,
"LoadPriority": 0,
"Punchline": "Chat 2 with privacy controls aligned to EU, US and JP rules",
"Changelog": "**Hellion Chat 0.5.4 — WrapText hardening**\n\nReplaces the unsafe pointer-arithmetic in ImGuiUtil.WrapText with\nSpan- and index-based control flow. Closes the persistent CodeQL\nCritical alert \"unvalidated local pointer arithmetic\" that kept\nre-firing on every shape of the previous fix.\n\nHardening:\n\n- WrapText now allocates a buffer sized by Encoding.UTF8.GetMaxByteCount\n via ArrayPool, validates the actual encoded length against that\n ceiling, and threads the rest of the algorithm through int offsets\n instead of raw byte pointers\n- Pointer arithmetic only happens inside two small private helpers\n (CalcWordWrap and DrawText) that take the pinned base pointer plus\n int offsets sourced from the plugin's own logic, not from any\n virtual-method return\n- Added a 16 KiB upper bound on the buffer rent to prevent a\n pathological input from triggering an unbounded ArrayPool allocation\n\nNo user-visible behaviour change. Word-wrap output is byte-identical\nto v0.5.3.\n\nBased on Chat 2 1.35.3 (upstream Infiziert90/ChatTwo, EUPL-1.2).\n\n**Hellion Chat 0.5.3 — Pointer arithmetic hardening**\n\nClosed CodeQL Critical alert in ImGuiUtil.WrapText by validating the\nencoded byte buffer length via GetByteCount before pointer\narithmetic. Single-fix patch on top of v0.5.2.\n\n**Hellion Chat 0.5.2 — Bugfix patch**\n\nAuto-Tell-Tabs history-separator landed below the live tell instead\nof above (preload now excludes the trigger message). Plugin icon\npackaging fixed by removing a stale DalamudPackager.targets override\nthat conflicted with the SDK 15 default. Default config aligned to\nthe maintainer's daily driver: HellionThemeWindowOpacity 0.5,\nUse24HourClock true, Gruppe tab no longer auto-routes /party. Two\nearlier CodeQL findings closed (workflow permissions, empty-input\npointer arithmetic).\n\n**Hellion Chat 0.5.1 — Backlog Sweep**\n\nPure hardening and polish. Eight backlog items from the v0.5.0\ncodebase review collected into one patch: cleanup-preview-stale\ndetection, greeted-tab dim background, Performance HelpMarker\nconsistency, Tabs/Database tab names from HellionStrings,\nFontChooser framework-thread marshalling, async-void on\nEmoteCache.LoadData, parameterised SQL via BindIntList helper.\n\n---\n\nEarlier history at https://github.com/JonKazama-Hellion/HellionChat/releases.",
"AcceptsFeedback": true,
"DownloadLinkInstall": "https://github.com/JonKazama-Hellion/HellionChat/releases/download/v0.5.4/latest.zip",
"DownloadLinkUpdate": "https://github.com/JonKazama-Hellion/HellionChat/releases/download/v0.5.4/latest.zip",
"DownloadLinkTesting": "https://github.com/JonKazama-Hellion/HellionChat/releases/download/v0.5.4/latest.zip",
"TestingAssemblyVersion": "0.5.4.0",
"IconUrl": "https://raw.githubusercontent.com/JonKazama-Hellion/HellionChat/main/ChatTwo/images/icon.png",
"ImageUrls": [
"https://raw.githubusercontent.com/JonKazama-Hellion/HellionChat/main/ChatTwo/images/chatWindow.png",
"https://raw.githubusercontent.com/JonKazama-Hellion/HellionChat/main/ChatTwo/images/withSimpleTweaks.png"
],
"DownloadCount": 0,
"IsHide": false,
"IsTestingExclusive": false,
"CategoryTags": [
"social"
]
}
]