
Schematic Cannon can place Clipboard with malicious names

CKenJa opened this issue · 0 comments

Description

The schematic cannon can place clipboards with any Raw Text JSON set in the display name.
Additionally, some targets and sources may allow copying any Raw Text JSON using display links.

This means that you can obtain maliciously named clipboards with a ClickEvent using the schematic cannon without OP.
ClickEvent does not work on item names, only in chat, on signs, and on lecterns (maybe).
However, when the name is copied to a lectern via a depot using a display link, the ClickEvent works.
This issue allows commands to be executed illegally on survival multiplayer servers.
Also, you can use open URL, display string on hover, chat insertion, change page on written book, etc. for survival tricks.

However, I could not confirm whether ClickEvent works this way on signs.
Since this is possible via any mod feature that can copy Raw Text JSON directly, such as item names, I suggest removing ClickEvents when a clipboard is set up by the schematic cannon or when text is written to a lectern by a display link.

Reproduction Steps

In Creative World:

  1. Use commands to obtain a clipboard with a ClickEvent set in its name.
    example: /give @p create:clipboard{display:{Name:'{"text":"test","clickEvent":{"action":"open_url","value":"https://github.com/Creators-of-Create/Create"}}'}} 1
  2. Place the clipboard
  3. Use a schematic and quill to convert it into a schematic.

In Survival World:

  1. Use the schematic cannon to place the created schematic.
  2. Break the clipboard to obtain it as an item.
  3. Copy names into written books using a display link, depot, and lectern.
  4. Click on a string in the GUI of the lectern.

Game Log

https://mclo.gs/zbh5mkZ

Debug Information

Client Info
Create:
	Mod Version: 0.5.1h
	Forge Version: 47.2.21
	Minecraft Version: 1.20.1

Graphics:
	Flywheel Version: 0.6.11-13
	Flywheel Backend: INSTANCING
	OpenGL Renderer: NVIDIA GeForce RTX 3060/PCIe/SSE2
	OpenGL Version: 4.6.0 NVIDIA 551.61
	Graphics Mode: options.graphics.fancy

System Information:
	Operating System: Windows 11 (amd64) version 10.0
	Java Version: 17.0.4.1, Eclipse Adoptium
	JVM Flags: 3 total; -Xmx4096m -Xms1024m -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump
	Memory: 845591120 bytes (806 MiB) / 2237661184 bytes (2134 MiB) up to 4294967296 bytes (4096 MiB)
	Total Memory: 13476265984 bytes (12846 MiB) / 17114124288 bytes (16314 MiB)
	CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz @ 3.40 GHz; 4 cores / 8 threads on 1 socket(s)
	Graphics card #0: NVIDIA GeForce RTX 3060 (NVIDIA (0x10de)); 4095.00 MB of VRAM

Other Mods:

Server Info
Create:
	Mod Version: 0.5.1h
	Forge Version: 47.2.21
	Minecraft Version: 1.20.1

System Information:
	Operating System: Windows 11 (amd64) version 10.0
	Java Version: 17.0.4.1, Eclipse Adoptium
	JVM Flags: 3 total; -Xmx4096m -Xms1024m -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump
	Memory: 845591120 bytes (806 MiB) / 2237661184 bytes (2134 MiB) up to 4294967296 bytes (4096 MiB)
	Total Memory: 13476265984 bytes (12846 MiB) / 17114124288 bytes (16314 MiB)
	CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz @ 3.40 GHz; 4 cores / 8 threads on 1 socket(s)
	Graphics card #0: NVIDIA GeForce RTX 3060 (NVIDIA (0x10de)); 4095.00 MB of VRAM

Other Mods:
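
The mitigation suggested in the description, removing ClickEvents from a name before it is placed or copied, sketched as an added Python example that is not part of the issue or of Create's code. The function names are hypothetical, the first sample name is the one from the reproduction steps, and the nested sample is constructed.

```python
import json

# Keys that attach behaviour to a text component. The issue asks for ClickEvents
# to be removed; pass more keys (e.g. "insertion", "hoverEvent") to strip others.
DEFAULT_STRIP = frozenset({"clickEvent"})

def strip_component(node, strip=DEFAULT_STRIP):
    """Return a copy of a parsed text component with `strip` keys removed
    at every nesting level (objects, arrays, "extra", "with", hover contents)."""
    if isinstance(node, list):
        return [strip_component(child, strip) for child in node]
    if isinstance(node, dict):
        return {key: strip_component(value, strip)
                for key, value in node.items() if key not in strip}
    return node  # plain strings, numbers and booleans carry no events

def sanitize_name(raw, strip=DEFAULT_STRIP):
    """Sanitize a Raw Text JSON string such as an item's display.Name.
    Assumption: input that is not valid JSON is kept only as literal text."""
    try:
        component = json.loads(raw)
    except (TypeError, ValueError):
        return json.dumps({"text": str(raw)})
    return json.dumps(strip_component(component, strip), separators=(",", ":"))

def find_events(node, keys=DEFAULT_STRIP, path="$"):
    """List JSON paths where an event key is present, for auditing stored names."""
    hits = []
    if isinstance(node, list):
        for i, child in enumerate(node):
            hits += find_events(child, keys, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            if key in keys:
                hits.append(f"{path}.{key}")
            else:
                hits += find_events(value, keys, f"{path}.{key}")
    return hits

# Display name from the reproduction steps, plus a constructed nested variant.
ISSUE_NAME = ('{"text":"test","clickEvent":{"action":"open_url",'
              '"value":"https://github.com/Creators-of-Create/Create"}}')
NESTED_NAME = ('["",{"text":"a","extra":[{"text":"b","clickEvent":'
               '{"action":"change_page","value":"2"}}]}]')

if __name__ == "__main__":
    for name in (ISSUE_NAME, NESTED_NAME):
        print(find_events(json.loads(name)), "->", sanitize_name(name))
```

Stripping recursively matters because the event can sit on a child component rather than on the top-level object, as in the nested sample.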