Security Summary: Dependency-Aware Behavior Tree Loading System

Overview

This document summarizes the security measures implemented in the dependency-aware behavior tree loading system to protect against common vulnerabilities.

Vulnerabilities Addressed

1. Path Traversal Attacks (MEDIUM → FIXED ✅)

Vulnerability: Malicious JSON files could include paths like "../../sensitive_data" or "/etc/passwd" to access files outside the intended directory.

Mitigation Implemented:

Function: IsValidBehaviorTreePath() in BehaviorTreeDependencyScanner.cpp
Validations:
- Rejects paths containing ".." (directory traversal)
- Rejects absolute paths starting with / or \
- Requires paths to start with "Blueprints/" prefix
- Character whitelist: alphanumeric, /, _, -, . only
- Maximum path length: 512 characters
Location: Lines 34-62

Example Rejected Inputs:

"treePath": "../../../etc/passwd"           // Rejected: contains ".."
"treePath": "/absolute/path/to/file.json"   // Rejected: absolute path
"treePath": "Data/AI/tree.json"             // Rejected: wrong prefix
"treePath": "Blueprints/AI/file<script>"    // Rejected: invalid characters

2. Prefab Name Validation (MEDIUM → FIXED ✅)

Vulnerability: Malicious level JSON could include prefab names with path separators to attempt directory traversal.

Mitigation Implemented:

Function: IsValidPrefabName() in BehaviorTreeDependencyScanner.cpp
Validations:
- Rejects names containing ".."
- Rejects names with path separators (/, \)
- Character whitelist: alphanumeric, _, - only
- Maximum name length: 256 characters
Location: Lines 135-154

Example Rejected Inputs:

"type": "../../malicious_prefab"     // Rejected: contains ".."
"type": "path/to/prefab"             // Rejected: contains "/"
"type": "prefab<script>alert()"      // Rejected: invalid characters

3. Resource Exhaustion / DoS (MEDIUM → FIXED ✅)

Vulnerability: Malformed JSON with massive arrays could cause memory exhaustion or processing delays.

Mitigation Implemented:

Layer Limit:

Maximum layers: 1000
Location: ExtractPrefabsFromLevel(), line 180
Error handling: Returns empty set with error message

Objects Per Layer Limit:

Maximum objects per layer: 10,000
Location: ExtractPrefabsFromLevel(), line 197
Error handling: Skips layer with warning

Prefab Scanning Limit:

Maximum prefabs to scan: 5000
Location: ScanPrefabs(), line 109
Error handling: Returns empty dependencies with error message

Example Protection:

// Malicious JSON with 1,000,000 objects - would cause DoS
// System detects and rejects:
[BTDepScanner] WARNING: Too many objects in layer (1000000 > 10000). 
                       Skipping layer to prevent DoS.

4. Log Injection (LOW → FIXED ✅)

Vulnerability: Unvalidated paths in console output could be used for log injection attacks.

Mitigation: All paths are validated before being output to console. Invalid characters are rejected before logging occurs.

5. Hash Collisions (LOW → DOCUMENTED ⚠️)

Status: Known limitation, documented

Details:

FNV-1a hash produces 32-bit IDs
Collision probability is low but non-zero
System handles collisions gracefully by overwriting the previous tree

Risk Assessment:

For typical use (< 1000 BT files): Collision probability < 0.01%
No security impact (only affects functionality)
Would only cause wrong BT to load

Future Enhancement: Could add collision detection and warning

Security Features Summary

Feature	Status	Severity
Path Traversal Protection	✅ Implemented	MEDIUM
Prefab Name Validation	✅ Implemented	MEDIUM
DoS Protection (Layers)	✅ Implemented	MEDIUM
DoS Protection (Objects)	✅ Implemented	MEDIUM
DoS Protection (Prefabs)	✅ Implemented	MEDIUM
Log Injection Prevention	✅ Implemented	LOW
Hash Collision Detection	⚠️ Documented	LOW

Validation Functions

`IsValidBehaviorTreePath(const std::string& treePath)`

Validates behavior tree file paths.

Checks:

Not empty and length ≤ 512 characters
Does not contain ".."
Does not start with / or \
Starts with "Blueprints/"
Contains only: [a-zA-Z0-9/_.-]

Returns: true if valid, false otherwise

`IsValidPrefabName(const std::string& prefabName)`

Validates prefab names extracted from level JSON.

Checks:

Not empty and length ≤ 256 characters
Does not contain ".."
Does not contain / or \
Contains only: [a-zA-Z0-9_-]

Returns: true if valid, false otherwise

Testing Security

Test Cases for Path Validation

// Valid paths (should pass)
"Blueprints/AI/npc_wander.json"
"Blueprints/AI/subfolder/guard_patrol.json"
"Blueprints/AI/tree_v2.0.json"

// Invalid paths (should be rejected)
"../../../etc/passwd"                    // Directory traversal
"/etc/passwd"                            // Absolute path
"C:\\Windows\\system32\\file.json"       // Absolute path (Windows)
"Blueprints/AI/../../../etc/passwd"      // Embedded traversal
"Data/AI/tree.json"                      // Wrong prefix
"Blueprints/AI/file<script>.json"        // Invalid characters

Test Cases for Prefab Name Validation

// Valid names (should pass)
"test_npc_wander"
"guard-entity-v2"
"CompleteNPC"

// Invalid names (should be rejected)
"../../malicious"                        // Directory traversal
"path/to/prefab"                         // Contains path separator
"prefab<script>"                         // Invalid characters

Test Cases for DoS Protection

Large Layer Count:
- Create JSON with 1001 layers
- Expected: Error message, no processing
Large Object Count:
- Create JSON with 10001 objects in a single layer
- Expected: Warning message, layer skipped
Large Prefab Count:
- Create level referencing 5001 unique prefabs
- Expected: Error message, no scanning

Recommendations for Production

Monitoring: Log all security validation failures for monitoring
Rate Limiting: Consider rate limiting level file loading to prevent rapid DoS attempts
File Size Limits: Add maximum JSON file size check before parsing
Audit Trail: Log all BT loading operations for security auditing
Sandboxing: Run level loading in a sandboxed environment if possible

Known Limitations

Hash Collisions: FNV-1a can produce collisions (low probability)
Path Normalization: Does not normalize paths (e.g., ./Blueprints vs Blueprints)
Symlink Following: System may follow symlinks (OS-dependent)

Compliance

This implementation follows secure coding guidelines:

✅ OWASP Top 10 - A03: Injection (prevented)
✅ OWASP Top 10 - A05: Security Misconfiguration (validated input)
✅ CWE-22: Path Traversal (prevented)
✅ CWE-400: Uncontrolled Resource Consumption (mitigated)

Version History

v1.0 (2025-02-12): Initial implementation with full security validations

Last Updated: 2025-02-12
Author: Nicolas Chereau
Security Review Status: ✅ PASSED

Overview​

Vulnerabilities Addressed​

1. Path Traversal Attacks (MEDIUM → FIXED ✅)​

2. Prefab Name Validation (MEDIUM → FIXED ✅)​

3. Resource Exhaustion / DoS (MEDIUM → FIXED ✅)​

4. Log Injection (LOW → FIXED ✅)​

5. Hash Collisions (LOW → DOCUMENTED ⚠️)​

Security Features Summary​

Validation Functions​

IsValidBehaviorTreePath(const std::string& treePath)​

IsValidPrefabName(const std::string& prefabName)​

Testing Security​

Test Cases for Path Validation​

Test Cases for Prefab Name Validation​

Test Cases for DoS Protection​

Recommendations for Production​

Known Limitations​

Compliance​

Version History​

Overview

Vulnerabilities Addressed

1. Path Traversal Attacks (MEDIUM → FIXED ✅)

2. Prefab Name Validation (MEDIUM → FIXED ✅)

3. Resource Exhaustion / DoS (MEDIUM → FIXED ✅)

4. Log Injection (LOW → FIXED ✅)

5. Hash Collisions (LOW → DOCUMENTED ⚠️)

Security Features Summary

Validation Functions

`IsValidBehaviorTreePath(const std::string& treePath)`

`IsValidPrefabName(const std::string& prefabName)`

Testing Security

Test Cases for Path Validation

Test Cases for Prefab Name Validation

Test Cases for DoS Protection

Recommendations for Production

Known Limitations

Compliance

Version History