Essentials gives full permission to non-Player CommandSenders
NorbiPeti opened this issue · 1 comments
Information
Full output of /ess version:
[18:18:20 INFO]: Server version: 1.12.2-R0.1-SNAPSHOT git-Spigot-dcd1643-e60fc34 (MC: 1.12.2)
[18:18:20 INFO]: EssentialsX version: 2.15.0.52
[18:18:20 INFO]: PermissionsEx version: 1.23.4
[18:18:20 INFO]: Vault version: 1.7.1-b91
Server log: -
EssentialsX config: -
Details
Description
I have a plugin that uses a custom CommandSender to send messages and run commands, giving the command output for the players. Essentials currently doesn't check if the sender has OP if it's not a player, which causes the /list command to show vanished players, for example (and gives access to the rest of the commands too, but I solved that with only whitelisting a couple of commands).
Note that I know this probably doesn't affect anyone else (yet?) as this isn't common practice, I can probably make a PR to solve this issue soon(tm) if needed.
Steps to reproduce
- Have a plugin which uses a custom CommandSender (here's the one I'm using, though it's not ready for other servers yet)
- Through the aforementioned plugin, run an Essentials admin command OR have a vanished player on the server and run /list
If you were up to code a test plugin, make a subclass of CommandSender and use getServer().dispatchCommand with the sender.
Expected behavior
Essentials either runs the sender through the permission plugin, or if that's not doable then checks sender.isOp().
This shouldn't be a huge issue. You can feel free to make a PR if you want, but I think you should consider making appropriate checks in your command sender instead (as many other plugins can have this same issue). Letting users arbitrarily execute commands with Server::dispatchCommand just sounds like a bad idea, and so you should either check the permissions of the backing user, or authenticate them properly.
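An added example, not code from the issue, EssentialsX, or the reporter's plugin: one way to check the backing user's permissions before calling dispatchCommand with a custom sender. The class name `GatedDispatcher`, the method `dispatchFor`, and the allowlist entries are hypothetical; the permission nodes are assumptions to replace with the ones your permission plugin defines.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import org.bukkit.Bukkit;
import org.bukkit.command.CommandSender;
import org.bukkit.entity.Player;

/** Hypothetical helper: authorizes the backing player before a proxy sender runs anything. */
public final class GatedDispatcher {

    // Allowlist: command label -> permission node the backing player must hold.
    // Entries are assumed for illustration; anything not listed is denied.
    private static final Map<String, String> ALLOWED;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("list", "essentials.list");
        m.put("seen", "essentials.seen");
        ALLOWED = Collections.unmodifiableMap(m);
    }

    private GatedDispatcher() {}

    /** Runs commandLine as proxy only if backing is online and holds the mapped node. */
    public static boolean dispatchFor(Player backing, CommandSender proxy, String commandLine) {
        String trimmed = commandLine.trim();
        if (trimmed.startsWith("/")) trimmed = trimmed.substring(1);
        if (trimmed.isEmpty()) return false;
        // Exact label match only: aliases and namespaced forms such as
        // "essentials:list" are not in the map and are therefore denied.
        String label = trimmed.split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
        String node = ALLOWED.get(label);

        // The decision uses the real player's permissions, never the proxy's.
        if (node == null || backing == null || !backing.isOnline() || !backing.hasPermission(node)) {
            proxy.sendMessage("You are not allowed to run that command here.");
            return false;
        }
        // Only now hand the command to the server with the custom sender.
        return Bukkit.dispatchCommand(proxy, trimmed);
    }
}
```

The gate decides only whether a command runs; the output is still whatever Essentials produces for a non-Player sender, which per the report above includes vanished players in /list.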