Only use MD5 when performing metadata lookups

bdach · bdach · commit 776fabd77c5a · 2024-10-30T08:12:30.000+01:00
Both online and offline using the cache. The rationale behind this change is that in the current state of affairs, `TestPartiallyMaliciousSet()` fails in a way that cannot be reconciled without this sort of change. The test exercises a scenario where the beatmap being imported has an online ID in the `.osu` file, but its hash does not match the online hash of the beatmap. This turns out to be a more frequent scenario than envisioned because of users doing stupid things with manual file editing rather than reporting issues properly. The scenario is realistic only because the behaviour of the endpoint responsible for looking up beatmaps is such that if multiple parameters are given (e.g. all three of beatmap MD5, online ID, and filename), it will try the three in succession: https://github.com/ppy/osu-web/blob/f6b341813be270de59ec8f9698428aa6422bc8ae/app/Http/Controllers/BeatmapsController.php#L260-L266 and the local metadata cache implementation reflected this implementation. Because online ID and filename are inherently unreliable in this scenario due to being directly manipulable by clueless or malicious users, neither should not be used as a fallback.
diff --git a/osu.Game/Beatmaps/APIBeatmapMetadataSource.cs b/osu.Game/Beatmaps/APIBeatmapMetadataSource.cs
@@ -33,7 +33,7 @@ public bool TryLookup(BeatmapInfo beatmapInfo, out OnlineBeatmapMetadata? online
 
             Debug.Assert(beatmapInfo.BeatmapSet != null);
 
-            var req = new GetBeatmapRequest(beatmapInfo);
+            var req = new GetBeatmapRequest(beatmapInfo.MD5Hash);
 
             try
             {
diff --git a/osu.Game/Beatmaps/LocalCachedBeatmapMetadataSource.cs b/osu.Game/Beatmaps/LocalCachedBeatmapMetadataSource.cs
@@ -89,9 +89,7 @@ public bool TryLookup(BeatmapInfo beatmapInfo, [NotNullWhen(true)] out OnlineBea
                 return false;
             }
 
-            if (string.IsNullOrEmpty(beatmapInfo.MD5Hash)
-                && string.IsNullOrEmpty(beatmapInfo.Path)
-                && beatmapInfo.OnlineID <= 0)
+            if (string.IsNullOrEmpty(beatmapInfo.MD5Hash))
             {
                 onlineMetadata = null;
                 return false;
@@ -240,11 +238,9 @@ private bool queryCacheVersion1(SqliteConnection db, BeatmapInfo beatmapInfo, ou
             using var cmd = db.CreateCommand();
 
             cmd.CommandText =
-                @"SELECT beatmapset_id, beatmap_id, approved, user_id, checksum, last_update FROM osu_beatmaps WHERE checksum = @MD5Hash OR beatmap_id = @OnlineID OR filename = @Path";
+                @"SELECT beatmapset_id, beatmap_id, approved, user_id, checksum, last_update FROM osu_beatmaps WHERE checksum = @MD5Hash";
 
             cmd.Parameters.Add(new SqliteParameter(@"@MD5Hash", beatmapInfo.MD5Hash));
-            cmd.Parameters.Add(new SqliteParameter(@"@OnlineID", beatmapInfo.OnlineID));
-            cmd.Parameters.Add(new SqliteParameter(@"@Path", beatmapInfo.Path));
 
             using var reader = cmd.ExecuteReader();
 
@@ -281,12 +277,10 @@ private bool queryCacheVersion2(SqliteConnection db, BeatmapInfo beatmapInfo, ou
                 SELECT `b`.`beatmapset_id`, `b`.`beatmap_id`, `b`.`approved`, `b`.`user_id`, `b`.`checksum`, `b`.`last_update`, `s`.`submit_date`, `s`.`approved_date`
                 FROM `osu_beatmaps` AS `b`
                 JOIN `osu_beatmapsets` AS `s` ON `s`.`beatmapset_id` = `b`.`beatmapset_id`
-                WHERE `b`.`checksum` = @MD5Hash OR `b`.`beatmap_id` = @OnlineID OR `b`.`filename` = @Path
+                WHERE `b`.`checksum` = @MD5Hash
                 """;
 
             cmd.Parameters.Add(new SqliteParameter(@"@MD5Hash", beatmapInfo.MD5Hash));
-            cmd.Parameters.Add(new SqliteParameter(@"@OnlineID", beatmapInfo.OnlineID));
-            cmd.Parameters.Add(new SqliteParameter(@"@Path", beatmapInfo.Path));
 
             using var reader = cmd.ExecuteReader();
 
diff --git a/osu.Game/Online/API/Requests/GetBeatmapRequest.cs b/osu.Game/Online/API/Requests/GetBeatmapRequest.cs
@@ -1,6 +1,7 @@
 ﻿// Copyright (c) ppy Pty Ltd <contact@ppy.sh>. Licensed under the MIT Licence.
 // See the LICENCE file in the repository root for full licence text.
 
+using System.Globalization;
 using osu.Framework.IO.Network;
 using osu.Game.Beatmaps;
 using osu.Game.Online.API.Requests.Responses;
@@ -9,23 +10,30 @@ namespace osu.Game.Online.API.Requests
 {
     public class GetBeatmapRequest : APIRequest<APIBeatmap>
     {
-        public readonly IBeatmapInfo BeatmapInfo;
-        public readonly string Filename;
+        public readonly int OnlineID = -1;
+        public readonly string? MD5Hash;
+        public readonly string? Filename;
 
         public GetBeatmapRequest(IBeatmapInfo beatmapInfo)
         {
-            BeatmapInfo = beatmapInfo;
+            OnlineID = beatmapInfo.OnlineID;
+            MD5Hash = beatmapInfo.MD5Hash;
             Filename = (beatmapInfo as BeatmapInfo)?.Path ?? string.Empty;
         }
 
+        public GetBeatmapRequest(string md5Hash)
+        {
+            MD5Hash = md5Hash;
+        }
+
         protected override WebRequest CreateWebRequest()
         {
             var request = base.CreateWebRequest();
 
-            if (BeatmapInfo.OnlineID > 0)
-                request.AddParameter(@"id", BeatmapInfo.OnlineID.ToString());
-            if (!string.IsNullOrEmpty(BeatmapInfo.MD5Hash))
-                request.AddParameter(@"checksum", BeatmapInfo.MD5Hash);
+            if (OnlineID > 0)
+                request.AddParameter(@"id", OnlineID.ToString(CultureInfo.InvariantCulture));
+            if (!string.IsNullOrEmpty(MD5Hash))
+                request.AddParameter(@"checksum", MD5Hash);
             if (!string.IsNullOrEmpty(Filename))
                 request.AddParameter(@"filename", Filename);
 
diff --git a/osu.Game/Tests/Visual/OnlinePlay/TestRoomRequestsHandler.cs b/osu.Game/Tests/Visual/OnlinePlay/TestRoomRequestsHandler.cs
@@ -188,7 +188,7 @@ public bool HandleRequest(APIRequest request, APIUser localUser, BeatmapManager
 
                 case GetBeatmapRequest getBeatmapRequest:
                 {
-                    getBeatmapRequest.TriggerSuccess(createResponseBeatmaps(getBeatmapRequest.BeatmapInfo.OnlineID).Single());
+                    getBeatmapRequest.TriggerSuccess(createResponseBeatmaps(getBeatmapRequest.OnlineID).Single());
                     return true;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ public bool TryLookup(BeatmapInfo beatmapInfo, out OnlineBeatmapMetadata? online`
`33`	`33`
`34`	`34`	`Debug.Assert(beatmapInfo.BeatmapSet != null);`
`35`	`35`
`36`		`- var req = new GetBeatmapRequest(beatmapInfo);`
	`36`	`+ var req = new GetBeatmapRequest(beatmapInfo.MD5Hash);`
`37`	`37`
`38`	`38`	`try`
`39`	`39`	`{`
Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ public bool HandleRequest(APIRequest request, APIUser localUser, BeatmapManager`
`188`	`188`
`189`	`189`	`case GetBeatmapRequest getBeatmapRequest:`
`190`	`190`	`{`
`191`		`- getBeatmapRequest.TriggerSuccess(createResponseBeatmaps(getBeatmapRequest.BeatmapInfo.OnlineID).Single());`
	`191`	`+ getBeatmapRequest.TriggerSuccess(createResponseBeatmaps(getBeatmapRequest.OnlineID).Single());`
`192`	`192`	`return true;`
`193`	`193`	`}`
`194`	`194`