From 7f33a50977cdceb64fc57d8228bd27af67c79b45 Mon Sep 17 00:00:00 2001 From: Apmunute Date: Sat, 12 Dec 2020 15:00:19 -0300 Subject: [PATCH] Fix exploits (#1) * Fix distance exploit * fix forceload on execute * IDE break or smth idk * fix auto:2b on fill * fix auto:2b on fill * block setblock on execute * block debug on execute * block datapack on execute * block datapack and minecraft:datapack * block summon on execute * Remove the ability for entity selectors to be used in /say * Increase chat delay from 5ms to 50ms * remove debug * maven checkstyle bypass * solve conflicts I think idk if this will work since github * maven checkstyle * yes. * Remove extra whitespace * patch funny reload commands * amazing * whoops * yet another crash exploit * added to commands.yml * convert spaces to tabs Co-authored-by: arclicious Co-authored-by: Business Goose <44676012+business-goose@users.noreply.github.com>
---
 .../extras/modules/player/PlayerChat.java | 2 +- .../extras/modules/server/ServerCommand.java | 67 ++++++++++++------- 2 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/src/main/java/pw/kaboom/extras/modules/player/PlayerChat.java b/src/main/java/pw/kaboom/extras/modules/player/PlayerChat.java
index b0dfa6c..8006ad4 100644
--- a/src/main/java/pw/kaboom/extras/modules/player/PlayerChat.java
+++ b/src/main/java/pw/kaboom/extras/modules/player/PlayerChat.java
@@ -28,7 +28,7 @@ public final class PlayerChat implements Listener {
 if (PlayerCommand.getCommandMillisList().get(playerUuid) != null) {
 final long millisDifference = System.currentTimeMillis() - PlayerCommand.getCommandMillisList().get(playerUuid);
- if (millisDifference < 5) {
+ if (millisDifference < 50) {
 event.setCancelled(true);
 }
 }
diff --git a/src/main/java/pw/kaboom/extras/modules/server/ServerCommand.java b/src/main/java/pw/kaboom/extras/modules/server/ServerCommand.java
index 9dc0a84..1a4ff97 100644
--- a/src/main/java/pw/kaboom/extras/modules/server/ServerCommand.java
+++ b/src/main/java/pw/kaboom/extras/modules/server/ServerCommand.java
@@ -9,6 +9,33 @@ import org.bukkit.event.Listener;
 import org.bukkit.event.server.ServerCommandEvent;
 public final class ServerCommand implements Listener {
+ public static boolean checkExecuteCommand(final String cmd) {
+ return ("execute".equalsIgnoreCase(cmd)
+ || "clone".equalsIgnoreCase(cmd)
+ || "data".equalsIgnoreCase(cmd)
+ || "datapack".equalsIgnoreCase(cmd)
+ || "debug".equalsIgnoreCase(cmd)
+ || "fill".equalsIgnoreCase(cmd)
+ || "forceload".equalsIgnoreCase(cmd)
+ || "kick".equalsIgnoreCase(cmd)
+ || "me".equalsIgnoreCase(cmd)
+ || "msg".equalsIgnoreCase(cmd)
+ || "particle".equalsIgnoreCase(cmd)
+ || "reload".equalsIgnoreCase(cmd)
+ || "save-all".equalsIgnoreCase(cmd)
+ || "say".equalsIgnoreCase(cmd)
+ || "setblock".equalsIgnoreCase(cmd)
+ || "spreadplayers".equalsIgnoreCase(cmd)
+ || "stop".equalsIgnoreCase(cmd)
+ || "summon".equalsIgnoreCase(cmd)
+ || "teammsg".equalsIgnoreCase(cmd)
+ || "teleport".equalsIgnoreCase(cmd)
+ || "tell".equalsIgnoreCase(cmd)
+ || "tellraw".equalsIgnoreCase(cmd)
+ || "tm".equalsIgnoreCase(cmd)
+ || "tp".equalsIgnoreCase(cmd)
+ || "w".equalsIgnoreCase(cmd));
+ }
 public static String checkCommand(final CommandSender sender, final String command, final boolean isConsoleCommand) {
 final String[] arr = command.split(" ");
 String commandName = arr[0].toLowerCase();
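Review bot: `checkExecuteCommand` compares the token after `run` against bare command names only, so a namespaced spelling is not covered by any entry; the commit message mentions `minecraft:datapack`, and the `switch` in `checkCommand` already treats `/minecraft:fill` and `/fill` as one command, but the list holds no `minecraft:` form. Normalising the name before the lookup closes that gap, and a static set keeps the denylist in one readable place instead of a 25-term boolean expression. The method also needs a one-line Javadoc saying that `true` means the command must be cancelled, since the name does not convey it. The sketch below needs `java.util.Arrays`, `HashSet`, `Locale` and `Set` imported at the top of the file, which is outside this hunk.

```java
private static final Set<String> BLOCKED_AFTER_RUN = new HashSet<>(Arrays.asList(
	"execute", "clone", "data", "datapack", "debug", "fill", "forceload",
	"kick", "me", "msg", "particle", "reload", "save-all", "say", "setblock",
	"spreadplayers", "stop", "summon", "teammsg", "teleport", "tell",
	"tellraw", "tm", "tp", "w"));

/** Returns true when the command named after "execute ... run" must be cancelled. */
public static boolean checkExecuteCommand(final String cmd) {
	String name = cmd.toLowerCase(Locale.ROOT);
	if (name.startsWith("minecraft:")) {
		// Treat the namespaced spelling the same as the bare name.
		name = name.substring("minecraft:".length());
	}
	return BLOCKED_AFTER_RUN.contains(name);
}
```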
@@ -27,25 +54,7 @@ public final class ServerCommand implements Listener {
 for (int i = 1; i < arr.length; i++) {
 if ("run".equalsIgnoreCase(arr[i])) {
 if (i + 1 < arr.length) {
- if ("execute".equalsIgnoreCase(arr[i + 1])
- || "clone".equalsIgnoreCase(arr[i + 1])
- || "fill".equalsIgnoreCase(arr[i + 1])
- || "kick".equalsIgnoreCase(arr[i + 1])
- || "me".equalsIgnoreCase(arr[i + 1])
- || "msg".equalsIgnoreCase(arr[i + 1])
- || "particle".equalsIgnoreCase(arr[i + 1])
- || "reload".equalsIgnoreCase(arr[i + 1])
- || "save-all".equalsIgnoreCase(arr[i + 1])
- || "say".equalsIgnoreCase(arr[i + 1])
- || "spreadplayers".equalsIgnoreCase(arr[i + 1])
- || "stop".equalsIgnoreCase(arr[i + 1])
- || "teammsg".equalsIgnoreCase(arr[i + 1])
- || "teleport".equalsIgnoreCase(arr[i + 1])
- || "tell".equalsIgnoreCase(arr[i + 1])
- || "tellraw".equalsIgnoreCase(arr[i + 1])
- || "tm".equalsIgnoreCase(arr[i + 1])
- || "tp".equalsIgnoreCase(arr[i + 1])
- || "w".equalsIgnoreCase(arr[i + 1])) {
+ if (checkExecuteCommand(arr[i + 1])) {
 return "cancel";
 } else if (i + 3 < arr.length && "gamerule".equalsIgnoreCase(arr[i + 1])) {
@@ -63,8 +72,7 @@ public final class ServerCommand implements Listener {
 break;
 }
- if ("as".equalsIgnoreCase(arr[i])
- || "at".equalsIgnoreCase(arr[i])) {
+ if ("as".equalsIgnoreCase(arr[i]) || "at".equalsIgnoreCase(arr[i])) {
 asAtCount++;
 }
 }
@@ -76,8 +84,8 @@ public final class ServerCommand implements Listener {
 break;
 case "/minecraft:fill":
 case "/fill":
- if (command.contains("auto:1")) {
- return command.replace("auto:1", "auto:0");
+ if (command.contains("auto")) {
+ return command.replace("auto", "[auto]");
 }
 case "/minecraft:gamerule":
 case "/gamerule":
@@ -115,7 +123,6 @@ public final class ServerCommand implements Listener {
 if (Double.parseDouble(arr[4]) > 50) {
 arr[4] = "50";
 }
- return String.join(" ", arr);
 }
 break;
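Review bot: The `/fill` case in the hunk at -76 still has no `break` after the rewritten `if`, so a fill command that does not contain `auto` falls through into the `/minecraft:gamerule` case that follows; if that is not intended, add `break;` after the closing brace. The gamerule body is outside the hunk, so the effect of the fall-through is inferred rather than visible. The new test is also a plain substring match, so `command.replace("auto", "[auto]")` rewrites every occurrence of those four letters anywhere in the command, not only the tag the commit message calls `auto:2b`. A comment above the `if`, for example `// neutralise the "auto" tag whatever its value (was: auto:1 only)`, would tell the next maintainer why the whole word is rewritten.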
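Review bot: The only removed line in the hunk at -115 reads `return String.join(" ", arr);` as this patch is rendered. If that statement is what the commit drops, rather than a blank line next to it, the clamp `arr[4] = "50"` just above no longer has any effect: the modified array is never joined and returned, and control reaches `break;` with the original `command` string unchanged. The commit message lists "Remove extra whitespace", so this may be a rendering artefact, but it is worth confirming that the `return` is still present in the new file. The enclosing `case` starts outside the hunk.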
@@ -130,6 +137,14 @@ public final class ServerCommand implements Listener {
 return "cancel";
 }
 break;
+ case "/minecraft:say":
+ case "/say":
+ for (int i = 0; i < arr.length; i++) {
+ if (arr[i].toLowerCase().contains("@")) {
+ return "cancel";
+ }
+ }
+ break;
 default:
 break;
 }
@@ -137,8 +152,8 @@ public final class ServerCommand implements Listener {
 // Do nothing
 }
- if (command.contains("[distance=")) {
- return command.replace("[distance=", "[");
+ if (command.contains("distance")) {
+ return command.replace("distance=", "").replace("\"distance\"=", "").replace("'distance'=", "");
 }
 return null;
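Review bot: The new `/say` case covers only `say`, while the `run` denylist added in this same commit groups it with `me`, `msg`, `tell`, `w`, `teammsg` and `tm`. If those commands expand selectors in their message argument the same way, they need the same case labels here; that is worth checking, since it cannot be confirmed from this page. The loop itself can be a single test, `if (command.contains("@")) { return "cancel"; }`, because `arr` is `command.split(" ")`, `toLowerCase()` has no effect on `@`, and index 0 is the command name. A comment such as `// selectors in the message are expanded by the server; reject any '@'` would record the intent.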
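Review bot: The `distance` rewrite in the last hunk strips each pattern in a single pass, and removing one occurrence of `distance=` can leave the surrounding characters forming the same token again, so the returned string is not guaranteed to be free of it. Rejecting is more robust than rewriting and matches the other branches of this method: replace the `return command.replace(...)` line with `return "cancel";`, or repeat the replacement until the string stops changing. The guard `command.contains("distance")` is also wider than the three patterns it strips, so a command that merely mentions the word is returned unchanged instead of falling through to `return null;`; whether the caller treats those two results the same is not visible here. The method continues outside the hunk.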