Shopkeepers

Shopkeepers

2M Downloads

Spawn egg exploit(s)

Paril opened this issue ยท 6 comments

commented

There appears to be a few exploits pertaining to Shopkeepers to generate villagers. Two that I tested just to see:

  • Renaming the eggs given to you by Shopkeepers with an Anvil turns them into regular eggs
  • Right-clicking existing villagers with the eggs spawns a baby

Any chance of these being fixed?

commented
  • Renaming the item in anvils will be fixed in the next version (I will close this ticket once that version is released). Alternatively, for the time being, you could also change the shopkeeper creation item inside the config to an item with custom lore and remove the display name requirement.
  • Spawning the baby: This can be disabled by the setting prevent-shop-creation-item-regular-usage (which it is by default). However, note that players with the shopkeeper.bypass permission can still use the shop creation item like a normal item (i.e. spawn the baby), which by default applies to admins (op users).
commented

@Paril There is a built-in limit (1024) to prevent accidental severe misuse. However, anyways, that command isn't really intended for normal users to have access to. Similar to Minecraft's own give command, its a utility that only admins / ops / the server console should have access to by default. You can use it to build your own system of automatically giving players the shopkeeper egg under certain circumstances around it.

If you want to allow players to receive a single shopkeeper egg via a command, you could define an alias specifically for /shopkeeper give 1 (this would require you to temporarily give the player the permission to execute the command), or, probably better, have the console execute /shopkeeper give <player> 1 for the player when they execute the alias command. By having the console execute the command, the player does not require direct access to the full shopkeeper give command.
There are several command alias plugins out there which allow you to set up something like this. Here is an incomplete list of recently updated plugins I found during a very brief search. Some of these are more complex / provide more features than others:

commented

Oh, interesting. I was under the impression that this was the main method of getting eggs to spawn shopkeepers with.

Without them having /shopkeeper give, they'd just create shopkeepers with /shopkeeper then, right?

EDIT: Okay, I see where I got this idea from. When setting the plugin up, I was reading through this page - https://github.com/Shopkeepers/Shopkeepers-Wiki/wiki/Creating-Shops#player-shops - which specifies the egg as the "main" method of creating shops. I just assumed it was a command regular players should have access to.

EDIT2: If using the command, how would an admin create a regular shop without using eggs? They could always use the give since they have access to it, but, it's strange that I can only create admin shops via cmd even when not in creative mode.

commented

@blablubbabc one other thing: apparently /shopkeeper give <other player name> 1000 can be used by anybody to flood somebody elses' inventory with eggs. Is there any way to prevent that? Also, could we have a way to disable or limit the amount given? They only really need 1 egg at a time.

commented

I was under the impression that this was the main method of getting eggs to spawn shopkeepers with.

It is completely left to you to decide how they should get access to the shopkeeper eggs. I usually recommend setting up an admin shopkeeper somewhere around the spawn where players can buy the shopkeeper eggs. But you could also distribute them via mob loot drops or similar.

which specifies the egg as the "main" method of creating shops

It is the main method for players to create shops. But players don't have access to them by default. Some people only use admin shops on their server. Currently, it requires zero setup / configuration after plugin installation: Admins can start creating and experimenting with admin shops, and then subsequently decide to allow their players to create their own shops simply by giving them access to the shopkeeper egg, by whatever means, without having to setup any permissions to make this work (this is also great for minimalistic servers that don't use any permissions plugin).
Ideally, players should not be required to use any of the commands (even though some of them may be useful, such as the list command). Even though there is the option to create player shops via command, this is disabled by default.

I will add a note on this to the linked wiki page to try to make this more clear.
Edit: Done.

If using the command, how would an admin create a regular shop without using eggs?

Following this idea of not having regular players require to use any commands, it should be fine for admins to create their own player shops in exactly the same way as regular players on the server, i.e. via the item. And since they can use the give command, they can get access to the item even if you decide to not allow regular players on the server to create player shops, i.e. even if you don't setup a mechanism (such as an admin shopkeeper) for players to get access to the shopkeeper egg.

commented

v2.13.0 contains a fix for the anvil item renaming issue.