Client Payload Validation and Automation Safety Enforcement Module

[aniket866]

Addressed Issues: 30

In simple words this PR prevents any unkonwn input like infinite(9999999999999999999999999....) and other inputs by user ,
if not prevented it will crash the whole application because can't able to parse infinite, -infinite etc and all other input protection has bee packed into a allowed limit.

PR Summary

This PR strengthens the security and stability of InputHandler.ts by introducing strict input validation and boundary enforcement.
It prevents extreme client-sent values from crashing or freezing the host system.
All high-risk fields (dx, dy, delta, text, keys) are now properly clamped or validated.
These additions ensure predictable behavior while maintaining full backward compatibility.

What This Fix Prevents

Attack Type	Protection Added
Huge dx/dy	Clamped to ±2000
Huge scroll	Clamped to ±500
Huge zoom delta	Clamped to ±1000 input
10M character text	Max 500 chars
Massive combo array	Max 5 keys
Duplicate combo keys	Deduplicated
Unknown key injection	Allowlist enforced

Screenshots/Recordings:

Additional Notes:

Checklist

• My PR addresses a single issue, fixes a single bug or makes a single improvement.
• My code follows the project's code style and conventions
• My changes generate no new warnings or errors
• I have joined the Discord server and I will share a link to this PR with the project maintainers there
• I have read the Contribution Guidelines
• Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

• Bug Fixes
  • Strengthened input validation: limits on text length, movement deltas, scroll magnitude, and zoom inputs with clamped values.
  • Enforced keyboard rules: allowlist, max combo length, deduplication, and rejection of unknown/oversized key combos.
  • Added safeguards and warnings to block malformed or excessively large inputs before actions are taken.

[coderabbitai]

📝 Walkthrough

Walkthrough

InputHandler gained server-side input validation: new private constants limit text, deltas, scroll, zoom, and combo length; a clamp utility; and early-return checks that sanitize or reject out-of-range move, click, scroll, zoom, key, combo, and text inputs before action calls.

Changes

Cohort / File(s)	Summary
Input Security & Validation src/server/InputHandler.ts	Added private static limits: MAX_TEXT_LENGTH, MAX_DELTA, MAX_SCROLL, MAX_ZOOM_INPUT, MAX_COMBO_KEYS and a clamp() helper. Movement, click, scroll, zoom, key, combo, and text handlers now validate, clamp, deduplicate, and whitelist inputs; invalid inputs produce warnings and early returns.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I bound the hops, I trim the scroll,
I tame the keys that try to roll.
With clamps and lists I guard the stream,
Quiet inputs, steady dream—
Safe and neat, the system gleams. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Client Payload Validation and Automation Safety Enforcement Module' directly describes the main change: adding input validation and safety constraints to the InputHandler to prevent crashes from invalid client payloads.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/server/InputHandler.ts (2)

63-96: ⚠️ Potential issue | 🟡 Minor

Wrap case 'scroll' body in a block to scope its declarations.

Biome correctly flags const safeScrollY and const safeScrollX (lines 67, 71) as accessible from sibling switch clauses. While the break prevents actual fallthrough, wrapping the case body in braces is the standard fix and prevents future accidents if cases are reordered.

This same pattern applies to other cases with const declarations (zoom, key, combo, text), but scroll is the one flagged.

Proposed fix

             case 'scroll':
+            {
                 const promises: Promise<void>[] = [];
 
                 //Clamp scroll values
                 ...
                 if (promises.length) {
                     await Promise.all(promises);
                 }
                 break;
+            }

---

147-178: ⚠️ Potential issue | 🟠 Major

Deduplication happens before lowercasing, so case-variant duplicates (e.g. "Shift" and "shift") both survive and press the same physical key twice.

Lowercase first, then deduplicate to avoid double key-presses. Additionally:

1. Same single-char case loss as the key handler — line 174 types lowerKey instead of original k.
2. Dead code on lines 175-177 — the else branch is unreachable because the guard on line 164 already filters out keys that aren't in KEY_MAP and aren't single-char.

🐛 Proposed fix: lowercase-then-dedup, preserve original char, remove dead code

-                    // Remove duplicate keys
-                    const uniqueKeys = [...new Set(msg.keys)];
+                    // Normalize to lowercase, then remove duplicates
+                    const uniqueKeys = [...new Set(msg.keys.map(k => k.toLowerCase()))];

                     const nutKeys: (Key | string)[] = [];

-                    for (const k of uniqueKeys) {
-                        const lowerKey = k.toLowerCase();
-
-                        if (!(lowerKey in KEY_MAP) && lowerKey.length !== 1) {
-                            console.warn(`Blocked unknown key in combo: ${k}`);
+                    for (const lowerKey of uniqueKeys) {
+                        if (!(lowerKey in KEY_MAP) && lowerKey.length !== 1) {
+                            console.warn(`Blocked unknown key in combo: ${lowerKey}`);
                             continue;
                         }

                         const nutKey = KEY_MAP[lowerKey];

                         if (nutKey !== undefined) {
                             nutKeys.push(nutKey);
                         } else if (lowerKey.length === 1) {
                             nutKeys.push(lowerKey);
-                        } else {
-                            console.warn(`Unknown key in combo: ${k}`);
                         }
                     }

Note: lowering single-char combo keys is acceptable here since combos like Ctrl+A conventionally use lowercase a. If original case matters for the single-char path, you'd need to carry both the lowered and original values.

🤖 Fix all issues with AI agents

In `@src/server/InputHandler.ts`:
- Around line 129-143: The single-character fallback currently lowercases the
key and loses original case; change the logic in InputHandler.ts so KEY_MAP
lookup still uses lowerKey but when falling back to typing a raw single
character use the original msg.key (preserving case) instead of lowerKey — i.e.,
compute lowerKey for the KEY_MAP lookup and nutKey resolution, call
keyboard.type(nutKey) if defined, otherwise call keyboard.type(msg.key) when
msg.key.length === 1.
- Around line 29-31: The clamp method currently allows NaN through; update
InputHandler.clamp to be static and to guard non-finite values by returning 0
when value is NaN or not finite (Number.isFinite(value) check), otherwise
perform the existing Math.max/Math.min clamp; then change call-sites that use
this.clamp(…) to InputHandler.clamp(…) (affects calls before mouse.setPosition,
mouse.scrollDown, mouse.* zoom/move callers) so NaN no longer propagates into
mouse methods.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/server/InputHandler.ts (1)

174-175: ⚠️ Potential issue | 🟠 Major

Same lowercase-typing bug as the key handler — single-char combo keys lose case.

Line 175 uses lowerKey instead of the original k, so an uppercase letter in a combo is silently downcased.

Proposed fix

                         } else if (lowerKey.length === 1) {
-                            nutKeys.push(lowerKey);
+                            nutKeys.push(k);
                         } else {

🤖 Fix all issues with AI agents

In `@src/server/InputHandler.ts`:
- Around line 157-158: The current dedup logic uses const uniqueKeys = [...new
Set(msg.keys)] which is case-sensitive and lets logical duplicates like "Shift"
and "shift" pass through; update the InputHandler handling to normalize keys
(e.g., toLowerCase or a canonical mapping) before deduplication so duplicates
compare in a case-insensitive form, then map back to the original/canonical Key
enum values (e.g., Key.LeftShift) used elsewhere; specifically, transform
msg.keys to a normalized array, run new Set(...) on that normalized form, and
then convert those normalized entries to the canonical Key tokens used by the
rest of the code (refer to uniqueKeys, msg.keys, and the Key enum /
Key.LeftShift resolution).

🧹 Nitpick comments (1)

src/server/InputHandler.ts (1)

64-97: Wrap scroll case body in a block to fix const leaking across switch clauses.

Biome correctly flags const declarations inside an unbraced case — they are technically accessible from other case branches, which can cause confusing bugs if the switch is later extended.

Proposed fix

-            case 'scroll':
-                const promises: Promise<void>[] = [];
+            case 'scroll': {
+                const promises: Promise<void>[] = [];
 
                 //Clamp scroll values
                 ...

                 if (promises.length) {
                     await Promise.all(promises);
                 }
-                break;
+                break;
+            }

[aniket866]

@imxade Please check this out , a small fix but important
can be merged

Thankyou!