[FIX] fix security vulnerabilies

bnbong · bnbong · commit 50f6da4dde09 · 2026-04-09T21:45:19.000+09:00
diff --git a/backend/app/api/admin.py b/backend/app/api/admin.py
@@ -17,6 +17,7 @@
 
 from __future__ import annotations
 
+import secrets
 from typing import Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Query, status
@@ -44,7 +45,7 @@ def _require_admin(
             status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
             detail="Admin endpoints are disabled (ADMIN_TOKEN not set)",
         )
-    if credentials is None or credentials.credentials != token:
+    if credentials is None or not secrets.compare_digest(credentials.credentials, token):
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Invalid or missing admin token",
diff --git a/backend/app/api/me.py b/backend/app/api/me.py
@@ -91,13 +91,9 @@ def merge_progress(
     current_ids = {row.soldier_id for row in current_rows}
     merged_ids = current_ids | set(req.collected_soldier_ids)
 
-    for soldier_id in sorted(merged_ids - current_ids):
-        collection_repo.add_soldier(
-            db,
-            user.id,
-            soldier_id,
-            source="client_merge",
-        )
+    new_ids = sorted(merged_ids - current_ids)
+    if new_ids:
+        collection_repo.add_soldiers_batch(db, user.id, new_ids, source="client_merge")
 
     merged_currency = max(user.profile.currency, req.currency)
     if user.profile.currency != merged_currency:
diff --git a/backend/app/repositories/collection_repo.py b/backend/app/repositories/collection_repo.py
@@ -66,3 +66,24 @@ def add_soldier(
     db.commit()
     db.refresh(entry)
     return entry
+
+
+def add_soldiers_batch(
+    db: Session,
+    user_id: str,
+    soldier_ids: list[int],
+    source: str = "client_merge",
+) -> int:
+    """Add multiple soldiers in a single transaction. Returns count added."""
+    now = _utcnow()
+    for sid in soldier_ids:
+        db.add(
+            UserCollection(
+                user_id=user_id,
+                soldier_id=sid,
+                source=source,
+                unlocked_at=now,
+            )
+        )
+    db.commit()
+    return len(soldier_ids)
diff --git a/src/fall_in/core/rules.py b/src/fall_in/core/rules.py
@@ -322,10 +322,11 @@ def _check_game_end(self) -> None:
 
             if human_eliminated:
                 # Single-player: human lost — lowest-score AI wins.
+                human = self.players[self._human_seat]  # type-safe: human_eliminated guarantees _human_seat is not None
                 ai_players = [
                     p
                     for p in self.players
-                    if p is not self.players[self._human_seat] and not p.is_eliminated  # type: ignore[index]
+                    if p is not human and not p.is_eliminated
                 ]
                 if ai_players:
                     self.winner = min(ai_players, key=lambda p: p.penalty_score)
diff --git a/src/fall_in/net/ws_client.py b/src/fall_in/net/ws_client.py
@@ -214,6 +214,8 @@ async def _recv_loop(self, ws) -> None:
                     msg = json.loads(raw)
                     msg_type = msg.get("type", "")
                     data = msg.get("data") or {}
+                    if not isinstance(data, dict):
+                        data = {}
                     self._recv_queue.put((msg_type, data))
                 except Exception as e:
                     logger.warning("ws_client_parse_error", extra={"error": str(e)})
diff --git a/src/fall_in/ui/settings_popup.py b/src/fall_in/ui/settings_popup.py
@@ -5,6 +5,7 @@
 """
 
 import webbrowser
+from collections.abc import Callable
 
 import pygame
 
@@ -70,10 +71,10 @@ def __init__(self) -> None:
         )
 
         # Exit callback and eliminated state (set by owning scene)
-        self._exit_callback: object = None  # Callable[[], None] | None
+        self._exit_callback: Callable[[], None] | None = None
         self._is_eliminated = False
 
-    def set_exit_callback(self, callback) -> None:
+    def set_exit_callback(self, callback: Callable[[], None]) -> None:
         """Set the callback invoked when the user confirms exit."""
         self._exit_callback = callback
 
diff --git a/src/fall_in/utils/debug_overlay.py b/src/fall_in/utils/debug_overlay.py
@@ -109,7 +109,7 @@ def handle_debug_event(self, event: pygame.event.Event) -> bool:
             self._debug_overlay_active = False
             return True
 
-        # F12 toggles overlay (only when DEBUG_MODE is on and not in multiplayer)
+        # F12 toggles overlay (only when DEBUG_MODE is on and not authenticated)
         if event.key == pygame.K_F12:
             from fall_in.config import DEBUG_MODE
             from fall_in.core.game_manager import GameManager

Original file line number	Diff line number	Diff line change
`@@ -322,10 +322,11 @@ def _check_game_end(self) -> None:`
`322`	`322`
`323`	`323`	`if human_eliminated:`
`324`	`324`	`# Single-player: human lost — lowest-score AI wins.`
	`325`	`+ human = self.players[self._human_seat] # type-safe: human_eliminated guarantees _human_seat is not None`
`325`	`326`	`ai_players = [`
`326`	`327`	`p`
`327`	`328`	`for p in self.players`
`328`		`- if p is not self.players[self._human_seat] and not p.is_eliminated # type: ignore[index]`
	`329`	`+ if p is not human and not p.is_eliminated`
`329`	`330`	`]`
`330`	`331`	`if ai_players:`
`331`	`332`	`self.winner = min(ai_players, key=lambda p: p.penalty_score)`