Player id and ban reason flowed unsanitized into the single-line RCON command,
so a control char (newline/CR) in 'reason' could break the framing and inject a
second console command — an RBAC-escalation vector (a Moderator-role user could
run arbitrary RCON via the ban reason field).
- validate player id against a safe token charset /^[A-Za-z0-9_.:-]{1,64}$/ and
reject otherwise (multi-game safe — not a Rust-only SteamID64 regex, so
Conan/Funcom and Dune ids still pass)
- strip C0 control chars from reason, collapse whitespace, cap at 200 chars
- coerce ban duration to a non-negative integer
Flagged by automated commit security review. Backend tsc green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
215355d1cb