You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add a deterministic script regression test for recent botlib bounded string fixes across Unix and Win32 platform copies.
Register the test with CTest and document it in tests/README.md.
Risky behavior now covered
BotLoadChatMessage must keep length preflight checks and bounded Q_strncpyz/Com_sprintf writes for fixed strings, numeric variables, and random string references.
SourceError/SourceWarning must keep bounded Q_vsnprintf formatting.
These botlib parser/chat paths consume script/chat data and exist in duplicated platform trees, so reverting to unbounded formatting or drifting one platform copy would create memory-safety risk with broad engine impact. The new source-level regression test is fast, deterministic, and checks both copies for the specific bounded APIs and size guards introduced by the recent audit work.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review complete: no medium-or-higher confidence vulnerabilities found in the added/modified code.
Scope reviewed: new CTest wiring, tests/README.md, and tests/scripts/test_botlib_bounded_strings.sh. The new script reads fixed repository source files and checks bounded string invariants; I did not find an attacker-controlled path to injection, authz bypass, secret exposure, unsafe deserialization, path traversal, or other security sink. No prior automation review threads were present to re-report.
The reason will be displayed to describe this comment to others. Learn more.
Security review complete: no medium-or-higher confidence vulnerabilities found in the added or modified code.
Scope reviewed: new CTest wiring in CMakeLists.txt, tests/README.md, and tests/scripts/test_botlib_bounded_strings.sh. The executable change is a local regression checker that reads fixed repository source files and uses quoted paths into inline Python; I did not find an attacker-controlled path to injection, authz bypass, secret exposure, SSRF, path traversal, unsafe deserialization, or another security sink.
Validation: tests/scripts/test_botlib_bounded_strings.sh passed locally. No prior review threads were present to re-report.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Summary
tests/README.md.Risky behavior now covered
BotLoadChatMessagemust keep length preflight checks and boundedQ_strncpyz/Com_sprintfwrites for fixed strings, numeric variables, and random string references.SourceError/SourceWarningmust keep boundedQ_vsnprintfformatting.#eval/$evalparser token formatting must keep boundedCom_sprintf(token.string, MAX_TOKEN, ...)calls.Test files added/updated
tests/scripts/test_botlib_bounded_strings.shCMakeLists.txttests/README.mdWhy this reduces regression risk
These botlib parser/chat paths consume script/chat data and exist in duplicated platform trees, so reverting to unbounded formatting or drifting one platform copy would create memory-safety risk with broad engine impact. The new source-level regression test is fast, deterministic, and checks both copies for the specific bounded APIs and size guards introduced by the recent audit work.
Validation
tests/scripts/test_botlib_bounded_strings.shcmake -S . -B build-coverage-tests -DBUILD_UNIT_TESTS=OFF -DBUILD_EXAMPLE_DEMO_GAME=OFFctest --test-dir build-coverage-tests -R test_botlib_bounded_strings --output-on-failure