Feature/improvesecuritypipeline#1883

Merged: Quantumrunner merged 4 commits into master from feature/improvesecuritypipeline on Jun 20, 2026
@Quantumrunner

Collaborator

This PR addresses several security vulnerabilities, compiler warnings, and outdated editor references to improve the overall pipeline health and security of the project.

Security / CodeQL Fixes

  • Zip Slip / Path Traversal Mitigation (AssetsManager.cs):
    • Fixed a vulnerability where malicious .split zip entry names could potentially escape the target extraction directory. All zip entries are now correctly validated against the base extraction directory (zipBasePath) before processing.
    • Fixed a bug where .split files were incorrectly being resolved relative to Environment.CurrentDirectory instead of the original zip file's directory.
    • Removed the dead LoadZipFile method and its commented-out call from AssetsManager.cs to permanently eliminate false positives in static analysis scanners.

C# Compiler Warnings

  • CS0108 (Member Hiding): Resolved several CS0108 compiler warnings in the OggEncoder floor book templates (e.g., Line1024X27Class1.cs, Line1024X27Class2.cs, MappingTemplate.cs, ResidueTemplate.cs). The new keyword was properly applied to intentionally hidden properties, yielding cleaner builds without ambiguous hiding warnings.

Unity Editor & Environment Cleanup

  • Duplicate DLL Conflict: Deleted System.IO.Compression.dll (and its .meta file) from Assets/Plugins. Unity 2019.4+ natively includes this assembly; keeping the duplicate DLL caused "Loading assembly failed" conflicts in the Unity Explorer.
  • Legacy GUILayer Warning: Refreshed the Camera object in Assets/Scenes/Game.unity and saved the scene to permanently strip out the deprecated GUILayer component reference. This fixes the persistent warning that appeared every time the scene was loaded in the Unity Editor.

- Addressed CS0108 compiler warnings in `ResidueTemplate.cs` and `MappingTemplate.cs` by removing duplicate field declarations that inadvertently hid inherited base class fields. This also fixes the underlying bug where the base fields were left uninitialized.
- Upgraded CodeQL Actions in the `CodeAndSecurityValidation.yml` workflow from v3 to v4 to resolve the upcoming deprecation warning.
- Added an `on.push` hook to the workflow to satisfy GitHub's Code Scanning requirements for the default branch.
- Explicitly set `build-mode: manual` in the CodeQL initialization step to fix the "undefined build-mode" warning, correctly reflecting that the C# libraries are built manually via MSBuild.
- Added the `new` keyword to all public fields in `Line1024X27Class1` and `Line1024X27Class2` to explicitly hide inherited members from the `IStaticCodeBook` base class.
- This resolves the "hides inherited member" compiler warnings caught during the Code and Security Validation pipeline and brings these files in line with the rest of the auto-generated static code book classes.
…ession DLL

- Fixed a path traversal / Zip Slip vulnerability in `AssetsManager.cs` where malicious `.split` zip entry names could escape the target directory. Validation against `zipBasePath` is now correctly applied to all zip entries before processing.
- Fixed a bug where `.split` files were being resolved relative to `Environment.CurrentDirectory` instead of the original zip file's directory.
- Removed the dead `LoadZipFile` method and its commented-out call from `AssetsManager.cs` to eliminate false positives in static analysis scanners.
- Cleaned up the unused `System.IO.Compression` import in `AssetsManager.cs`.
- Deleted `System.IO.Compression.dll` and its `.meta` file from `Assets/Plugins`. Unity 2019.4 natively includes this assembly, and having a duplicate in the plugins folder caused "Loading assembly failed" conflicts in Unity Explorer.
Component GUI Layer in Camera for Scene Assets/Scenes/Game.unity is no longer available.
It will be removed after you edit this GameObject and save the Scene.
UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()

Component at index 3 could not be loaded when loading game object 'Camera'. Removing it!
UnityEditor.EditorApplication:Internal_CallUpdateFunctions ()
@Quantumrunner Quantumrunner merged commit 752d420 into master Jun 20, 2026
4 checks passed
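
The Zip Slip check described in the PR summary and in the `AssetsManager.cs` commit message, as an added example that is not the project's own code. Only the name `zipBasePath` comes from the PR; the `ZipEntryPaths` class, the `ResolveInside` method and the sample entry names are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

// Hypothetical helper, not code from AssetsManager.cs.
static class ZipEntryPaths
{
    // Returns the absolute path for entryName under zipBasePath,
    // or throws if the entry would resolve outside that directory.
    public static string ResolveInside(string zipBasePath, string entryName)
    {
        // Canonicalize the base and force a trailing separator so that
        // ".../assets-out" does not also match a sibling ".../assets-out-2".
        string baseFull = Path.GetFullPath(zipBasePath);
        if (!baseFull.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            baseFull += Path.DirectorySeparatorChar;

        // Zip entry names use '/', but an archive can also carry '\'.
        string normalized = entryName
            .Replace('\\', Path.DirectorySeparatorChar)
            .Replace('/', Path.DirectorySeparatorChar);

        // Path.Combine drops the base when its second argument is rooted.
        if (Path.IsPathRooted(normalized))
            throw new InvalidDataException("Rooted zip entry name: " + entryName);

        // GetFullPath collapses "." and ".." segments before the comparison.
        string candidate = Path.GetFullPath(Path.Combine(baseFull, normalized));
        if (!candidate.StartsWith(baseFull, StringComparison.Ordinal))
            throw new InvalidDataException("Zip entry escapes base directory: " + entryName);
        return candidate;
    }

    static void Main()
    {
        // Constructed sample: the base is derived from a fixed directory,
        // not from Environment.CurrentDirectory.
        string zipBasePath = Path.Combine(Path.GetTempPath(), "assets-out");
        string[] entries =
        {
            "level0", "data/level1.split0",                            // stay inside the base
            "../outside.split0", "..\\..\\up.split1", "/abs.split0"    // must be rejected
        };
        foreach (string name in entries)
        {
            try { Console.WriteLine("ok       " + ResolveInside(zipBasePath, name)); }
            catch (InvalidDataException ex) { Console.WriteLine("rejected " + ex.Message); }
        }
    }
}
```

The check runs on every entry name before any file is opened or written, including the `.split` names that are later joined into a single asset.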