This review is from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.

0.2.6 (current) Rating: Negative Thoroughness: Medium Understanding: Medium

by MaulingMonkey on 2019-09-05

Do not use on User Generated Content!

  • Vulnerable to path traversal attacks if fed bogus .tmx files (see Tileset::new_reference)
  • A couple of cases where bad input will panic, a potential DoS vector.

For game engines, there's also no great way to inject your own virtual filesystem callbacks (again see Tileset::new_reference).

Pros:

  • JSON is lighter weight than XML
  • Fuller format support vs tiled

Cons:

  • No compression
  • API is just as raw in many ways
  • Requires exporting.
  • Slightly unusual license for rust projects (MPL, instead of MIT/Apache 2)

Detail

File                 Rating  Notes
src/layer.rs          0      Raw structures
src/lib.rs           +1
src/map.rs           +1
src/object.rs        +1
src/parsers.rs        0      No decompression support, can panic (not suitable for user generated content)
src/tile_set.rs      -1      Not suitable for user generated content!
src/utils.rs         +1
src/wangs.rs         +1
.cargo_vcs_info.json +1
.cargo-ok            +1
Cargo.toml           +1
Cargo.toml.orig      +1
LICENSE              +1

Other    Rating  Notes
unsafe   +1      None
fs       -1      Path traversal
io       +1      serde
docs     +1
tests     0      Not in crate, but found in repository (https://gitlab.com/ljcode/tiled-json-rs/tree/master/tests)

src/layer.rs

Line  What              Notes
17    TileLayer::chunks Option seems kinda pointless, also this API is meh
129   DrawOrder         There are at least 4 draw modes now for layers - although there's also Map / RenderOrder.... blehrg (top->down left->right, top->down right->left, ...)

src/parsers.rs

Line  What              Notes
129   parse_color blue  Despite earlier padding, no guarantee this is valid / may panic (both for overflowing and for not being a unicode boundary.)

src/tile_set.rs

Line  What                     Notes
121   Deserialize for TileSet  File::open - path traversal attacks, lack of virtual filesystem support, etc.
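The two findings above (a tileset `source` reference opened with File::open without confinement, and a color parser that can panic on short or non-ASCII input) are the kind of thing a hardened loader would handle before touching the filesystem. The following is an added example written for this page; it is not code from tiled-json-rs or from the reviewer. The function names `resolve_tileset_path` and `parse_color` and the `#RRGGBB` / `#AARRGGBB` color syntax are assumptions made for the example, not the crate's API.

```rust
// Added example, not part of tiled-json-rs. Function names are hypothetical.
use std::path::{Component, Path, PathBuf};

/// Resolve a tileset `source` reference from a map file against the directory
/// the map was loaded from, refusing anything that could escape that directory.
/// Returns None for absolute paths, `..` components, Windows drive prefixes,
/// and backslashes (which Linux treats as ordinary filename characters but
/// Windows treats as separators, so a cross-platform loader should reject them).
pub fn resolve_tileset_path(map_dir: &Path, source: &str) -> Option<PathBuf> {
    if source.contains('\\') {
        return None;
    }
    let mut out = map_dir.to_path_buf();
    for comp in Path::new(source).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            // Anything that climbs out of map_dir or re-roots the path is rejected.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Parse "#RRGGBB" or "#AARRGGBB" (assumed Tiled color syntax) without
/// panicking on short input, non-hex digits, or multi-byte characters.
/// Returns (a, r, g, b); a missing alpha channel is treated as opaque.
pub fn parse_color(s: &str) -> Result<(u8, u8, u8, u8), String> {
    let hex = s.strip_prefix('#').unwrap_or(s);
    let bytes = hex.as_bytes();
    // Validate on bytes first: a slice of a validated ASCII-only string can never
    // land on a non-char boundary, and a sign or stray character is rejected here
    // rather than tolerated by from_str_radix.
    if !bytes.iter().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("color {:?} contains non-hex characters", s));
    }
    let pair = |i: usize| -> Result<u8, String> {
        // Safe: bytes are all ASCII hex digits and the length was checked below.
        let chunk = std::str::from_utf8(&bytes[i..i + 2]).map_err(|e| e.to_string())?;
        u8::from_str_radix(chunk, 16).map_err(|e| format!("{} in {:?}", e, s))
    };
    match bytes.len() {
        6 => Ok((0xFF, pair(0)?, pair(2)?, pair(4)?)),
        8 => Ok((pair(0)?, pair(2)?, pair(4)?, pair(6)?)),
        n => Err(format!("expected 6 or 8 hex digits, got {} in {:?}", n, s)),
    }
}
```

The path check is lexical only: if the map directory can contain symlinks created by an untrusted party, canonicalize the resolved path and confirm it still starts with the canonicalized map directory before opening it. Plugging a virtual-filesystem callback in at the same point is what the review asks for and is where the game engine, rather than the crate, would decide what `open` means.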

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open tiled-json-rs. Alternatively, you can download the tarball of tiled-json-rs v0.2.6 or view the source online.