[Security] Unchecked nested property access causes server crashes

[coderabbitai]

Summary

Multiple handlers access nested properties without null/undefined checks, allowing clients to crash the server with malformed payloads.

Affected Code (examples)

1. server-game/start-game.js:230 - msg.servicesMeta.startTime
2. server-services/start-services.js:189 - ss.config.services.ratelimit.sensitive.cmds
3. server-game/src/client.js:345-346 - this.room.perm.inputCmd, this.room.censor.detect
4. server-game/src/client.js:562-569 - this.player.modifiers.* (multiple)
5. server-services/src/ratelimit.js:37,41,52,56,70,71,84,85 - nested config accesses

Vulnerability

When expected objects/properties are undefined, JavaScript throws TypeError, crashing the process if unhandled.

Impact

• Remote server crash with single crafted message
• Denial of service

Proof of Concept

{"cmd":"requestConfig"}  // crashes on msg.servicesMeta.startTime access

Recommended Fix

1. Use optional chaining (?.) for all nested accesses
2. Add input validation/schema checks at message boundaries
3. Provide safe defaults for config paths

Example:

// Before:
if ((msg.servicesMeta.startTime > ss.config.servicesMeta.startTime) && ss.isPerpetual)

// After:
if ((msg.servicesMeta?.startTime > ss.config.servicesMeta?.startTime) && ss.isPerpetual)

References

• PR: New Blocks & Ported fancyMuzzle flash #43