Ban Management

The use of getPlayer() in BungeePlayer is unsound. It is possible for getPlayer() to return null, but the code in BungeePlayer does not account for this.

For example:

BanManager/bungee/src/main/java/me/confuser/banmanager/bungee/BungeePlayer.java

Lines 77 to 79 in acb1ef1

    
           public boolean hasPermission(String permission) { 
        
             return getPlayer().hasPermission(permission); 
        
           }

It does not matter whether the caller checks any preconditions (such as isOnline()). The code would still be vulnerable to a race condition. Take the following situation:

Caller checks BungeePlayer#isOnline; isOnline() returns true
The player represented by BungeePlayer disconnects from the proxy
Caller calls BungeePlayer#hasPermission
A NPE is thrown

	public boolean hasPermission(String permission) {
	return getPlayer().hasPermission(permission);
	}

Share to