Merge branch 'master' into 28

Rushaway · web-flow · commit 5b390a1045ac · 2025-12-04T16:45:11.000+01:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,244 @@
+# Copilot Instructions for FixSprayExploit Plugin
+
+## Repository Overview
+
+This repository contains a SourcePawn plugin for SourceMod that detects and prevents spray exploits in Source engine games. The plugin protects game servers from malicious spray files that can crash clients by validating spray file headers and blocking invalid uploads.
+
+**Key Functionality:**
+- Real-time spray file validation during upload and usage
+- Automatic blocking and cleanup of malicious spray files  
+- Player punishment (kick/ban) for exploit attempts
+- Integration with SourceBans++ and MaterialAdmin for banning
+- Comprehensive logging of spray activity
+- Support for multiple Source engine games (TF2, CSS, L4D2, etc.)
+
+## Project Structure
+
+```
+addons/sourcemod/
+├── scripting/
+│   ├── FixSprayExploit.sp          # Main plugin implementation (~1150 lines)
+│   └── include/
+│       └── spray_exploit.inc       # Native functions and forwards
+sourceknight.yaml                    # Build configuration
+.github/workflows/ci.yml            # CI/CD pipeline
+```
+
+## Technical Environment
+
+**Language & Platform:**
+- **Language**: SourcePawn (SourceMod scripting language)
+- **Platform**: SourceMod 1.11.0+ (configured for 1.11.0-git6917)
+- **Build Tool**: SourceKnight 0.1
+- **Engine Support**: All Source engine games (TF2, CSS, L4D2, HL2DM, ZPS, etc.)
+
+**Dependencies:**
+- SourceMod 1.11.0-git6917 (auto-downloaded via SourceKnight)
+- SourceBans++ (optional, for enhanced banning)
+- MaterialAdmin (optional, for alternative banning)
+
+## Build System
+
+The project uses **SourceKnight**, a modern SourceMod build tool:
+
+### Build Configuration (`sourceknight.yaml`)
+- **Output**: `/addons/sourcemod/plugins` (compiled `.smx` files)
+- **Target**: `FixSprayExploit` (builds `FixSprayExploit.smx`)
+- **Dependencies**: Auto-downloaded and unpacked during build
+
+### Building Locally
+```bash
+# Install SourceKnight if not available
+# Build the plugin
+sourceknight build
+
+# Output will be in .sourceknight/package/addons/sourcemod/plugins/
+```
+
+**Note**: SourceKnight may not be available in all environments. The GitHub Actions CI/CD pipeline is the primary build method. For local development, you can use the traditional SourceMod compiler (`spcomp`) if needed.
+
+### CI/CD Pipeline
+- Uses GitHub Actions with `maxime1907/action-sourceknight@v1`
+- Builds on Ubuntu 24.04
+- Creates release packages automatically
+- Tags `latest` release from main/master branch
+
+## Code Architecture
+
+### Main Plugin (`FixSprayExploit.sp`)
+
+**Core Components:**
+1. **File Validation Engine** (lines 995-1105): Validates spray file headers against known exploit patterns
+2. **Player Spray Monitoring** (lines 744-827): Hooks `Player Decal` temp entities to intercept spray attempts  
+3. **File Receive/Send Hooks** (lines 914-992): Monitors file transfers to/from clients
+4. **Punishment System** (lines 887-912): Handles kicking/banning of exploit users
+5. **Cleanup System** (lines 582-680): Moves invalid sprays to backup folder
+
+**Key Data Structures:**
+- `g_smChecked`: StringMap cache of validated files
+- `g_smReceive`: StringMap tracking received files  
+- `g_smWaiting`: StringMap preventing duplicate log spam
+- `g_iVal[]`: Expected byte pattern for valid spray headers
+
+### Include File (`spray_exploit.inc`)
+
+**Provides:**
+- `OnSprayExploit(client, index, value)` forward for third-party plugins
+- `SprayExploitFixer_LogCustom()` native for custom logging
+
+## SourcePawn Coding Guidelines
+
+### Style Requirements
+- Use `#pragma semicolon 1` and `#pragma newdecls required`
+- Indentation: 4 spaces (represented as tabs)
+- Variables: camelCase for locals, PascalCase for functions, prefix globals with `g_`
+- No unnecessary headers/comments (plugin has extensive changelog - avoid this pattern)
+- Delete trailing spaces
+
+### Best Practices Applied
+✅ **Memory Management**: Uses `delete` for StringMaps/ArrayLists instead of `.Clear()`
+✅ **Async Operations**: File operations use timers to prevent timeouts
+✅ **StringMaps over Arrays**: Efficient data storage
+✅ **Error Handling**: Comprehensive validation and logging
+✅ **Performance**: Caching validated files, batched processing
+
+### Anti-Patterns to Avoid
+❌ Extensive changelog headers (existing code has this but avoid in new code)
+❌ Using `.Clear()` on StringMaps (causes memory leaks)
+❌ Synchronous file operations in loops
+❌ Hardcoded values without configuration
+
+## Development Workflows
+
+### Adding New Exploit Detection
+1. Update `g_iVal[]` array with new byte patterns
+2. Modify `ValFile()` function for new validation logic
+3. Add corresponding test cases to `RecursiveSearchDirs()`
+4. Update `g_hCvarPunish` handling if needed
+
+### Integrating New Banning Systems
+1. Add optional include: `#tryinclude <newsystem>`
+2. Add library detection in `OnLibraryAdded()/OnLibraryRemoved()`
+3. Extend `TestClient()` function with new banning method
+4. Mark natives as optional in `AskPluginLoad2()`
+
+### Performance Optimization
+- Monitor `MAX_READ` constant (current: 50 files per batch)
+- Use `TIMEOUT_LOG` to prevent log spam (current: 10.0 seconds)
+- Cache results in StringMaps to avoid repeated validation
+- Use `RequestFrame()` for async operations
+
+## Testing & Validation
+
+### Manual Testing
+```bash
+# Test spray file validation
+sm_spray_test
+
+# Monitor real-time activity  
+sm_cvar spray_exploit_fixer_log 1
+sm_cvar spray_exploit_fixer_msg 1
+```
+
+### Integration Testing
+- Test with SourceBans++ integration (`g_bSourceBans`)
+- Test with MaterialAdmin integration (`g_bMaterialAdmin`)
+- Validate different engine support (TF2 has special handling)
+- Test file cleanup and backup functionality
+
+### Configuration Testing
+```bash
+# Test punishment modes
+sm_cvar spray_exploit_fixer_punish 1  # PlayerDecal only
+sm_cvar spray_exploit_fixer_punish 2  # FileCheck only  
+sm_cvar spray_exploit_fixer_punish 3  # Both
+
+# Test banning (not available in TF2)
+sm_cvar spray_exploit_fixer_ban 1
+sm_cvar spray_exploit_fixer_kick 1
+sm_cvar spray_exploit_fixer_bantime 5
+```
+
+## Security Considerations
+
+### Exploit Detection Logic
+- **Header Validation**: Checks VTF file header against `g_iVal[]` patterns
+- **RIFF/WAVE Detection**: Special handling for audio files (lines 1053-1058)
+- **Size Validation**: Prevents oversized dimensions (lines 1079-1086)
+- **Flag Validation**: Blocks dangerous VTF flags (line 1086)
+
+### File System Security
+- Moves invalid files to `backup_sprays/` folder instead of deletion
+- Validates file paths to prevent directory traversal
+- Handles both `.dat` and `.dat.ztmp` file extensions
+- Recursive cleanup of empty directories
+
+## File Exclusions (.gitignore)
+
+The following should be excluded from version control:
+- `build/`, `release/` - Build artifacts
+- `*.smx` - Compiled plugins  
+- `plugins/` - Plugin binaries
+- `.sourceknight/` - SourceKnight build cache
+- `.venv/` - Python virtual environments
+
+## Common Tasks
+
+### Adding ConVar
+```sourcepawn
+ConVar g_hCvarNewSetting = CreateConVar("spray_exploit_fixer_newsetting", "0", "Description");
+AutoExecConfig(true, "spray_exploit_fixer");
+```
+
+### Adding New Log Message
+```sourcepawn
+if( g_hCvarLog.IntValue ) LogCustom("New event: %s from %N", data, client);
+if( g_hCvarMsg.IntValue ) PrintToServer("[Spray Exploit] New event: %s", data);
+```
+
+### Extending File Validation
+```sourcepawn
+// In ValFile() function, add new checks:
+if( condition_check ) {
+    return i; // Return position of invalid byte
+}
+```
+
+## Debugging & Troubleshooting
+
+### Common Issues
+1. **Build Failures**: Check SourceKnight version compatibility
+2. **File Not Found**: Verify `spray_exploit_fixer_path` cvar is correct
+3. **Memory Leaks**: Ensure StringMaps are `delete`d, not `.Clear()`ed
+4. **Timeouts**: Increase batch size or timer delays for large file sets
+
+### Debug Logging
+- Set `spray_exploit_fixer_log 1` for all activity
+- Set `spray_exploit_fixer_msg 1` for console output
+- Check `sourcemod/logs/spray_downloads.log` for detailed logs
+
+### Performance Monitoring
+- Monitor `g_iTotal` counter in batch processing
+- Check `g_fTime` for operation duration in `CmdSprays`
+- Watch for script execution timeouts during file operations
+
+This plugin demonstrates advanced SourcePawn techniques for file validation, async processing, and multi-platform compatibility. Focus on maintaining the security-first approach while ensuring server performance.
+
+## Quick Reference
+
+### Key Files
+- `addons/sourcemod/scripting/FixSprayExploit.sp` - Main plugin (1150 lines)
+- `addons/sourcemod/scripting/include/spray_exploit.inc` - API definitions
+- `sourceknight.yaml` - Build configuration
+- `.github/workflows/ci.yml` - CI/CD pipeline
+
+### Important Constants
+- `MAX_READ = 50` - Files processed per batch
+- `TIMEOUT_LOG = 10.0` - Seconds between duplicate log entries
+- `PATH_BACKUP = "backup_sprays"` - Invalid spray storage folder
+
+### Key CVars
+- `spray_exploit_fixer_punish` - Which exploits to test (0-3)
+- `spray_exploit_fixer_ban` - Ban malicious users (0-1)
+- `spray_exploit_fixer_log` - Logging level (0-2)
+- `spray_exploit_fixer_msg` - Console output level (0-2)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,11 +9,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04]
+        os: [ubuntu-24.04]
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Build sourcemod plugin
         uses: maxime1907/action-sourceknight@v1
         with:
@@ -25,7 +25,7 @@ jobs:
           cp -R .sourceknight/package/* /tmp/package
 
       - name: Upload build archive for test runners
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ runner.os }}
           path: /tmp/package
@@ -35,7 +35,7 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
 
       - uses: dev-drprasad/delete-tag-and-release@v1.1
@@ -59,7 +59,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
+        with:
+          name: ${{ runner.os }}
+          path: artifacts
 
       - name: Versioning
         run: |
@@ -71,12 +74,11 @@ jobs:
 
       - name: Package
         run: |
+          cd artifacts
           ls -Rall
-          if [ -d "./Linux/" ]; then
-            cd ./Linux/
-            tar -czf ../${{ github.event.repository.name }}-${{ env.RELEASE_VERSION }}.tar.gz -T <(\ls -1)
-            cd -
-          fi
+          tar -czf ../${{ github.event.repository.name }}-${{ env.RELEASE_VERSION }}.tar.gz .
+          cd ..
+          ls -la *.tar.gz
 
       - name: Release
         uses: svenstaro/upload-release-action@v2
diff --git a/addons/sourcemod/scripting/include/spray_exploit.inc b/addons/sourcemod/scripting/include/spray_exploit.inc
@@ -0,0 +1,55 @@
+/*
+*	Spray Exploit Fixer
+*	Copyright (C) 2025 Silvers
+*
+*	This program is free software: you can redistribute it and/or modify
+*	it under the terms of the GNU General Public License as published by
+*	the Free Software Foundation, either version 3 of the License, or
+*	(at your option) any later version.
+*
+*	This program is distributed in the hope that it will be useful,
+*	but WITHOUT ANY WARRANTY; without even the implied warranty of
+*	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*	GNU General Public License for more details.
+*
+*	You should have received a copy of the GNU General Public License
+*	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+#if defined _spray_exploit_included
+ #endinput
+#endif
+#define _spray_exploit_included
+
+
+public SharedPlugin __pl_spray_exploit = 
+{
+	name = "spray_exploit_fixer",
+	file = "spray_exploit_fixer.smx",
+#if defined REQUIRE_PLUGIN
+	required = 1,
+#else
+	required = 0,
+#endif
+};
+
+
+
+/**
+* @brief Triggers when a clients spray was detected
+*
+* @param	client		client index of the detected player
+* @param	index		position of detection
+* @param	value		value detected
+*
+* @noreturn
+*/
+forward void OnSprayExploit(int client, int index, int value);
+
+/**
+ * Log a message into logs/spray_downloads.log
+ *
+ * @param format	Message to log
+ * @noreturn
+*/
+native void SprayExploitFixer_LogCustom(const char[] format, any ...);
