Ban Management

Ban Management

193k Downloads

Players in database are stored too early

Maxetto opened this issue ยท 9 comments

commented

Issue report

Tell us about your environment
5 Servers
BoNeMEAL Web Application
MySQL 5.6

  • Server Software:
    Spigot

  • Server Version:
    1.8.8

  • BanManager Version:
    5.13.1

  • Online/Offline mode:
    Offline Mode

  • Bungeecoord online/offline mode (if applicable):
    Offline Mode

BanManager config.yml:

# 
# Aliases will be found and blocked automatically, e.g. msg will block tell
debug: false
databases:
  local:
    enabled: true
    host: 127.0.0.1
    port: 3306
    name: bans
    user: username
    password: password
    maxConnections: 10
    leakDetection: 3000
    tables:
      players: hub__bm_players
      playerBans: hub__bm_player_bans
      playerBanRecords: hub__bm_player_ban_records
      playerMutes: hub__bm_player_mutes
      playerMuteRecords: hub__bm_player_mute_records
      playerKicks: hub__bm_player_kicks
      playerNotes: hub__bm_player_notes
      playerHistory: hub__bm_player_history
      playerReports: hub__bm_player_reports
      playerReportLocations: hub__bm_player_report_locations
      playerReportStates: hub__bm_player_report_states
      playerReportCommands: hub__bm_player_report_commands
      playerReportComments: hub__bm_player_report_comments
      playerWarnings: hub__bm_player_warnings
      ipBans: hub__bm_ip_bans
      ipBanRecords: hub__bm_ip_ban_records
      ipMutes: hub__bm_ip_mutes
      ipMuteRecords: hub__bm_ip_mute_records
      ipRangeBans: hub__bm_ip_range_bans
      ipRangeBanRecords: hub__bm_ip_range_ban_records
      rollbacks: hub__bm_rollbacks
      nameBans: hub__bm_name_bans
      nameBanRecords: hub__bm_name_ban_records
  global:
    enabled: true
    host: 127.0.0.1
    port: 3306
    name: bans
    user: username
    password: password
    maxConnections: 10
    leakDetection: 3000
    tables:
      playerBans: bm_player_ban_all
      playerUnbans: bm_player_unban_all
      playerMutes: bm_player_mute_all
      playerUnmutes: bm_player_unmute_all
      playerNotes: bm_player_note_all
      ipBans: bm_ip_ban_all
      ipUnbans: bm_ip_unban_all
mutedCommandBlacklist:
- msg
softMutedCommandBlacklist:
- msg
duplicateIpCheck: true
bypassDuplicateChecks:
- 0.0.0.0
- 127.0.0.1
logKicks: true
logIps: false
displayNotifications: true
broadcastOnSync: true
timeLimits: {}
reportCooldown: 300
warningCooldown: 60
warningActions:
  enabled: true
  actions:
    '1':
    - cmd: tempbanall [player] 7d [reason]
    '2':
    - cmd: tempbanall [player] 14d [reason]
    '3':
    - cmd: banall [player] [reason]
warningMute: false
hooks:
  enabled: true
  events:
    ban:
      post:
      - cmd: banip [player] [reason]
    tempban:
      post:
      - cmd: tempbanip [player] [expires] [reason]
    unban:
      pre:
      - cmd: unbanip [player]
checkForUpdates: false
offlineAutoComplete: false
punishAlts: false
denyAlts: true
cleanUp:
  kicks: 30
  banRecords: 730
  ipBanRecords: 730
  ipMuteRecords: 90
  muteRecords: 90
  readWarnings: 180
  unreadWarnings: 180
maxOnlinePerIp: 0
checkOnJoin: true
createNoteReasons: false
onlineMode: false
chatPriority: normal

Describe your issue:

Database player records are stored too early (during AsyncPlayerPreLoginEvent) and this means, in Offline Mode servers, that there are impossible player names in the database (not alphanumeric + underscore). Expecially spaces in player names makes the plugin show "duplicate record found" when the real name joins the server.

How to replicate:

Join the server with an impossible nickname in Offline Mode with AuthMe Reloaded.
You should get kicked for invalid characters.
Check the BanManager player table, your name should appear even if it's useless since you couldn't join the server.

Further information:

I'd suggest to use PlayerJoinEvent for creating the player record or make an option for it.

commented

Debug mode doesn't seem to work for me. I tried activating it and doing "/bmreload" and also reloading the plugin via PlugMan. I didn't try a full reboot but I don't think it would change much.

The error it prints it's the same I posted before.

commented

Try a full reboot. It's a system property.

commented

You were right, here's the Debug log:

I have "onlineMode: false" in the config.

commented

HIGHEST PRIORITY:
This could lead to Blind SQL Injection whether you use ' inside Player Names!
@confuser

commented

@Maxetto The inserts are parameterised. It shouldn't be possible to perform an SQL injection.

commented
[11:13:22] [Thread-719021/WARN]: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'creed'' at line 1
[11:13:22] [Thread-719021/WARN]: 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[11:13:22] [Thread-719021/WARN]: 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[11:13:22] [Thread-719021/WARN]: 	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[11:13:22] [Thread-719021/WARN]: 	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.Util.handleNewInstance(Util.java:407)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.Util.getInstance(Util.java:382)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1052)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3593)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3525)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1986)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2140)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2626)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2111)
[11:13:22] [Thread-719021/WARN]: 	at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2273)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.hikari.pool.ProxyPreparedStatement.executeQuery(ProxyPreparedStatement.java:52)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.hikari.pool.HikariProxyPreparedStatement.executeQuery(HikariProxyPreparedStatement.java)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.jdbc.JdbcCompiledStatement.runQuery(JdbcCompiledStatement.java:55)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.stmt.SelectIterator.<init>(SelectIterator.java:55)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.stmt.StatementExecutor.buildIterator(StatementExecutor.java:247)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.stmt.StatementExecutor.query(StatementExecutor.java:196)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.dao.BaseDaoImpl.query(BaseDaoImpl.java:265)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.stmt.QueryBuilder.query(QueryBuilder.java:361)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.stmt.Where.query(Where.java:503)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.internal.ormlite.dao.BaseDaoImpl.queryForEq(BaseDaoImpl.java:245)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.storage.PlayerStorage.createOrUpdate(PlayerStorage.java:101)
[11:13:22] [Thread-719021/WARN]: 	at me.confuser.banmanager.listeners.JoinListener.onJoin(JoinListener.java:227)
[11:13:22] [Thread-719021/WARN]: 	at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
[11:13:22] [Thread-719021/WARN]: 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[11:13:22] [Thread-719021/WARN]: 	at java.lang.reflect.Method.invoke(Method.java:498)
[11:13:22] [Thread-719021/WARN]: 	at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:300)
[11:13:22] [Thread-719021/WARN]: 	at co.aikar.timings.TimedEventExecutor.execute(TimedEventExecutor.java:74)
[11:13:22] [Thread-719021/WARN]: 	at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:62)
[11:13:22] [Thread-719021/WARN]: 	at org.bukkit.plugin.SimplePluginManager.fireEvent(SimplePluginManager.java:517)
[11:13:22] [Thread-719021/WARN]: 	at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:499)
[11:13:22] [Thread-719021/WARN]: 	at net.minecraft.server.v1_8_R3.LoginListener$LoginHandler.fireEvents(LoginListener.java:248)
[11:13:22] [Thread-719021/WARN]: 	at net.minecraft.server.v1_8_R3.LoginListener$2.run(LoginListener.java:172)
[11:13:22] [Thread-719021/WARN]: 	at java.lang.Thread.run(Thread.java:745)
[11:13:22] [Thread-719021/INFO]: UUID of player Assasins'creed is 36356985-a2c1-33cd-b053-e411d5b43b56

I don't know much about SQLi, but this seems a valid case (in a web page it would have printed error 500)

commented

Can you enable debug mode? Setting in config.yml There will be a lot of noise, but it should output the query. Could be an issue with ORMLite, or the offline UUID generator might be generating an invalid value.

commented

Thanks. Looks like ORMLite requires wrapping these kind of queries in a SelectArg class for some reason. I'll try and prioritise this. Happy to accept a PR if anyone feels up to it.

commented

Well... It's not really fixed.
You fixed the potential SQLi, but at first I asked to move storing of players to the PlayerJoinEvent.