Forex/camp review hardening: bound CoinGecko body, escape URL params, fail-open camp on DB error

- forex_crypto.go: cap the CoinGecko response with io.LimitReader(64KiB);
  build the simple/price query via url.Values instead of bare Sprintf.
- dnd_expedition_camp.go: a combat-session lookup error now fails open
  (allow camp) + logs a warning, instead of blocking standard camp with a
  misleading empty 'not cleared' rejection.
This commit is contained in:
prosolis
2026-05-22 07:25:08 -07:00
parent 56f896b941
commit 95e0995c7f
2 changed files with 16 additions and 4 deletions

View File

@@ -2,6 +2,7 @@ package plugin
import (
"fmt"
"log/slog"
"math/rand/v2"
"strings"
"time"
@@ -369,7 +370,13 @@ func campLocationCheck(exp *Expedition) (cleared bool, problem string) {
encID := encounterIDForRoom(run.CurrentRoom)
sess, err := getCombatSessionForEncounter(run.RunID, encID)
if err != nil {
return false, ""
// Can't read the encounter's combat state. Fail open like the
// run-lookup path above rather than blocking standard camp with an
// empty (misleading "not cleared") rejection — a DB hiccup shouldn't
// strand a player who only wants to rest.
slog.Warn("camp: combat session lookup failed; allowing camp",
"run", run.RunID, "encounter", encID, "err", err)
return true, ""
}
if sess != nil && sess.Status == CombatStatusActive {
return false, "You can't camp mid-fight — finish the encounter first."