Lib.rs

Tiled › Reviews

This review is from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.

The current version of Tiled is 0.13.0.

0.8.0 (older version) Rating: Negative Thoroughness: Medium Understanding: Medium

by MaulingMonkey on 2019-09-02

Do not use on User Generated Content! * Vulnerable to path traversal attacks if fed bogus .tmx files (see Tileset::new_reference) * No obvious protection against zipbombs * A couple cases where bad input will panic, a potential DoS vector.

For game engines, there's also no great way to inject your own virtual filesystem callbacks (again see Tileset::new_reference)

There's also a few missing features: * Wang Tiles * Terrains * "file" Custom Properties

Detail

File Rating Notes
assets/tiled_base64_external.tmx +1
assets/tiled_base64_gzip.tmx +1
assets/tiled_base64_zlib.tmx +1
assets/tiled_base64.tmx +1
assets/tiled_csv.tmx +1
assets/tiled_image_layers.tmx +1
assets/tiled_xml.tmx +1
tilesheet.png +1 Neat looking modern tileset... wonder what the source is!
tilesheet.tsx +1
examples/main.rs +1
src/lib.rs +1
tests/lib.rs +1
.cargo-ok +1
.gitignore +1
.travis.yml +1 Sparse... no MSRV, beta/nightly, etc.
Cargo.toml +1
Cargo.toml.orig +1
CONTRIBUTORS.md +1
README.md +1 Dead link to tileset source
Other Rating Notes
unsafe +1 No unsafe
fs -1 See Tileset::new_reference notes
io 0 Brittle XML parsing, but OK for limited inputs.
docs -1 Barely any.
tests +1

src/lib.rs

Line What Notes
28 get_attrs! Eep
53 parse_tag! Mishandles nested tags... fortunately that's probably not necessary.
97 Colour::from_str British... and a possible source of panics.
161 PropertyValue::new No "file" support (see https://doc.mapeditor.org/en/stable/manual/custom-properties/#adding-properties)
238 Map::new My kingdom for some variable names!
256 Map::new Still using try!
385 Tileset::new_reference Possible path traversal attacks, limits ability to inject your own virtual filesystem.
860 decode_csv I've heard decoding arbitrary CSV is way more complicated than this... but this probably works for tile data as used in tmx files.
883 convert_to_u32 Kinda want this to be based on iterators to avoid an extra alloc...

Lib.rs has been able to verify that all files in the crate's tarball, except Cargo.lock, are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open tiled. Alternatively, you can download the tarball of tiled v0.13.0 or view the source online.