emergency ACE fix patch

i've been told it's caused by pickup triggers using groups above 1,000, so all levels using groups above 1,100 and colors above 1,100 are instantly rejected

in the future it may be worth to abstract this into a level check function, runnable via command-line

src/endpoints/levels/uploadLevel.cr

@@ -66,16 +66,16 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
     if forbidden_obj = level_objects.find do |obj|
       if !obj.has_key?("1")
         false
+      end
+
+      id = obj["1"].to_i
+      if allowed_objects.size > 0
+        if !allowed_objects.includes?(id)
+          true
+        end
       else
-        id = obj["1"].to_i
-        if allowed_objects.size > 0
-          if !allowed_objects.includes?(id)
-            true
-          end
-        else
-          if forbidden_objects.includes?(id)
-            true
-          end
+        if forbidden_objects.includes?(id)
+          true
         end
       end
     end
@@ -83,6 +83,16 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
       return "-1"
     end
 
+    if exploit_obj = level_objects.find do |obj|
+      # target color ID
+      (obj.has_key?("23") && obj["23"].to_i < 0 || obj["23"].to_i > 1100) ||
+      # target group ID
+      (obj.has_key?("51") && obj["51"].to_i < 0 || obj["51"].to_i > 1100)
+    end
+      LOG.info { "preventing upload of level attempting to exploit invalid color/group IDs" }
+      return "-1"
+    end
+
     coins = level_objects.count { |obj| obj["1"]? == "1329" } # user coin id
 
     # todo: check if dual portals even exist?