EssentialsX

Sudo can be used recursively. With possibility to crash server.

n10u53 opened this issue · 5 comments

commented

Type of bug

Exploit

/ess version output

Server: 1.16.5-R0.1-SNAPSHOT git-paper-465
Essentials: 2.19.0-dev+69-adef08a
Vault: 1.7.3-b131

Server startup log

I don't think the log is needed here. It simply says, for 16 megs: "This person executes sudo."

EssentialsX config files

Pretty sure this is not applicable.

Error log (if applicable)

No response

Bug description

When using sudo you can apply it recursively. Combined with "sudo */**", this can allow someone to exponentially multiply his/her commands.
Eg: /sudo ** sudo ** sudo ** c:I am crashing this server.
This can be used to put excessive load on the server. Multiplying 7 times and chatting something significantly impacted our Intel i9 server...

Timings report: https://timings.aikar.co/?id=443249111e304d6abd5ec6653c96b19a

Steps to reproduce

/sudo ** sudo **

Expected behaviour

Stop recursion on the /* modifier or limit the number of recursions.

Actual behaviour

I don't think I need to explain this. :)
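The fan-out described in the report, and the depth/volume limit suggested under "Expected behaviour", modelled as an added example. This is constructed illustration code, not EssentialsX's own sudo implementation: the player roster, the command strings and the guard limits are assumptions, and "*" and "**" are both treated simply as "every online player" (the report uses them interchangeably, and the distinction is not modelled here).

```python
"""Model of the recursive /sudo fan-out from the issue, plus a pre-execution guard.

Constructed example, not EssentialsX code. The roster, the command strings and the
limits are assumptions chosen for illustration; '*' and '**' are both treated as
"every online player".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ONLINE_PLAYERS = ["alice", "bob", "carol", "dave"]  # constructed sample roster
WILDCARDS = ("*", "**")


def parse_sudo_chain(command: str) -> Tuple[List[str], str]:
    """Split 'sudo T1 sudo T2 ... <leaf>' into ([T1, T2, ...], leaf).

    The chain ends at the first token that is not 'sudo' (or at a 'sudo' with
    no target/argument), so 'sudo ** c:hi' -> (['**'], 'c:hi').
    """
    targets: List[str] = []
    rest = command.strip()
    while True:
        parts = rest.split(maxsplit=2)
        if len(parts) == 3 and parts[0].lower() == "sudo":
            targets.append(parts[1])
            rest = parts[2]
        else:
            return targets, rest


def predict_executions(command: str, n_players: int = len(ONLINE_PLAYERS)) -> int:
    """Leaf executions a chain triggers: N per wildcard level, 1 per named target.

    'sudo ** sudo ** sudo ** c:...' with 4 players is 4**3 = 64 chat messages.
    """
    targets, _ = parse_sudo_chain(command)
    total = 1
    for target in targets:
        total *= n_players if target in WILDCARDS else 1
    return total


@dataclass
class Server:
    """Minimal dispatcher. A limit of None disables that check, which reproduces
    the unbounded behaviour the issue reports; the defaults are assumed values."""
    max_sudo_depth: Optional[int] = 1
    max_executions: Optional[int] = 64
    executed: List[Tuple[str, str]] = field(default_factory=list)

    def run(self, sender: str, command: str) -> int:
        """Check the whole chain before executing anything, then dispatch it."""
        targets, _ = parse_sudo_chain(command)
        if self.max_sudo_depth is not None and len(targets) > self.max_sudo_depth:
            raise PermissionError(
                f"{sender}: nested sudo depth {len(targets)} exceeds {self.max_sudo_depth}")
        n = predict_executions(command)
        if self.max_executions is not None and n > self.max_executions:
            raise PermissionError(
                f"{sender}: {n} executions would exceed {self.max_executions}")
        self._dispatch(sender, command)
        return n

    def _dispatch(self, sender: str, command: str) -> None:
        parts = command.split(maxsplit=2)
        if len(parts) == 3 and parts[0].lower() == "sudo":
            target, sub = parts[1], parts[2]
            victims = ONLINE_PLAYERS if target in WILDCARDS else [target]
            for victim in victims:
                self._dispatch(victim, sub)  # each victim re-runs the inner command
        else:
            # Leaf: a chat message ('c:...') or a plain command run as `sender`.
            self.executed.append((sender, command))


if __name__ == "__main__":
    chain = "sudo ** sudo ** sudo ** c:I am crashing this server."
    print("predicted executions:", predict_executions(chain))
    unguarded = Server(max_sudo_depth=None, max_executions=None)
    print("unguarded ran:", unguarded.run("admin", chain))
    try:
        Server().run("admin", chain)
    except PermissionError as exc:
        print("guarded rejected:", exc)
```

The guard works on the parsed chain before any command is dispatched, so a rejected chain executes nothing; checking inside the recursion instead would already have run part of the fan-out by the time the limit trips.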

commented

I would just want to argue that this expects admins to know the impact of such a command, which honestly most of the time they don't. I get your train of thought, but you should probably extend to the preventive measures Sudo took when implementing its functionality, which by the way targets system administrators who are knowledgeable in these situations.

So I think it is appropriate to at the very least inform the user when he/she first issues this command, just like Sudo does, or when "sub sudoing" ask for extra confirmation with a warning.

commented

/sudo exists to allow you to run commands as other players without restriction. There are several risks associated with giving people access to /sudo. Don't give people access to /sudo if you don't trust them to use common sense.

commented

@mdcfe What is your view on this?

commented

Essentially it boils down to "don't do that" territory. The /execute command (which is essentially the /sudo command for any entity) doesn't have a check, for example. Sudo (and execute) should really only be given to trusted people. As with any permission, you should be giving specific permissions to specific users or groups, and not just giving everyone essentials.*, for example.
Also, I've never seen actual sudo warn users of its power before use.

commented

I get your stance, but I think my point stands. In the end this is your plugin and you decide what to do with it, so I take peace of mind in the knowledge I at the least informed you about it.

As for the Sudo message, here is some history on it. Some setups and even some distributions do disable or change the Sudo warning. But in my experience this is mainly graphical distributions of Unix where the user shouldn't ever really touch a terminal, or companies who, wrongly in my eyes, disable this on their setup.