Chisels & Bits - For Forge

Chisels & Bits - For Forge

Mods
108M Downloads

Missing validation in GivePlayerPatternCommandPacket enables item cheating

Alainx277 opened this issue ยท 1 comments

commented

The GivePlayerPatternCommandPacket can be abused because it does not validate that patternStack is a pattern item:

Chisels-and-Bits/core/src/main/java/mod/chiselsandbits/network/packets/GivePlayerPatternCommandPacket.java

Lines 26 to 36 in 68a99b1

@Override
public void readPayload(final FriendlyByteBuf buffer)
{
patternStack = buffer.readItem();
}
@Override
public void server(final ServerPlayer playerEntity)
{
IPlayerInventoryManager.getInstance().giveToPlayer(playerEntity, patternStack);
}

This makes it possible for a cheater to get any items and set arbitrary NBT data.

Example exploit

event.getDispatcher().register(Commands.literal("exploit")
        .then(Commands.argument("item", ItemArgument.item(event.getBuildContext())).executes(context -> {
            ItemInput item = ItemArgument.getItem(context, "item");
            ItemStack stack = item.createItemStack(1, true);
            stack.setCount(stack.getMaxStackSize());
            ChiselsAndBits.getInstance().getNetworkChannel().sendToServer(new GivePlayerPatternCommandPacket(stack));
            return 1;
        })));

Running /exploit minecraft:diamond on client will give the player a stack of diamonds.

Possible fix:

 @Override 
public void server(final ServerPlayer playerEntity) 
{ 
    if (!patternStack.is(ForgeRegistries.ITEMS.getValue(new ResourceLocation("chiselsandbits:pattern_single_use")))) {
        return;
    }
    IPlayerInventoryManager.getInstance().giveToPlayer(playerEntity, patternStack); 
}
commented

Will be fixed in the next release for 20.4