Storage Scanner Bypasses Mod protections and Server Protections
Venrixia opened this issue · 22 comments
Issue description: The storage scanner can be used to access inventories protected by other mods and plugins, such as Grief Prevention or even AE2's Security Terminal.
Steps to reproduce:
Place Storage scanner and power it.
Scan for inventories.
Pull items from protected inventories.
Versions:
- Minecraft: 1.12.2
- Forge: forge-1.12.2-14.23.3.2690
- CompatLayer (only if on Minecraft 1.10 or 1.11):
- McJtyLib: mcjtylib-1.12-2.6.7
- RFTools: rftools-1.12-7.33
Server tested on is running spongeforge-1.12.2-2690-7.1.0-BETA-3110 and uses griefprevention-1.12.2-4.3.0.573. Tested on inventories protected by Grief Prevention and inventories only protected with appliedenergistics2-rv5-stable-11.
Not sure if this is really considered a bug rather than just how it works, but you can work around this by reducing the maximum radius by a lot or even enabling XNet only mode in the config.
Storage scanner still bypasses multiple mod protections even when using XNet only mode. Tested in SP with:
Forge-14.23.4.2705
appliedenergistics2-rv5-stable-11
industrialcraft-2-2.8.81-ex112
FTBUtilities-5.1.0.24
FTBLib-5.1.0.19
ThermalExpansion-1.12.2-5.5.0.29-universal
ThermalFoundation-1.12.2-2.5.0.18-universal
CoFHCore-1.12.2-4.5.0.16-universal
CoFHWorld-1.12.2-1.2.0.5-universal
And your mod versions
mcjtylib-1.12-2.6.7
rftools-1.12-7.33
xnet-1.12-1.6.9
The storage scanner asks for the inventory from all affected blocks. I have no way of knowing if that's allowed or not. If it is not allowed then it is up to the block itself (or to the plugin) to prevent returning the data. On my side there is nothing that I can do to fix this as I don't have any information about this protection.
Standard Forge events already provide ways to check if a given entity can access a block. It's up to RFTools to properly call those events.
Hmm what event would that be? I'm not aware of events that check for this kind of thing
The only events that seem related are PlayerInteractEvents but those are not usable as they are meant for player interaction and I don't have a player here
onBlockActivated is also worth a try.
I'll check later tonight for the forge events.
onBlockActivated can have all kinds of side effects (like opening a gui)
Also the boolean return result has nothing to do with it being allowed to access or not
I have no idea... I suspect in the case of SpongeForge they have custom code to prevent those (they are part of vanilla after all). But I really don't know
That can't be right. First that also requires a player (which I don't have, the player isn't doing this, pipes are doing this). Also the comment with this event says:
* HarvestCheck is fired when a player attempts to harvest a block.<br>
* This event is fired whenever a player attempts to harvest a block in
Extracting or inserting items is not the same as harvesting a block
The following blocks can't be emptied by a hopper:
- an IC2 personal safe
- a TE Strongbox with a Signalum Security Lock upgrade, set to Owner only
=> there's probably a check missing in the inventory access to those
The event name is PlayerEvent.HarvestCheck().
The proper way to use it is to call the block::canHarvest() method.
FakePlayers are specifically there for the case of machines doing a player action while the latter is away or offline.
As the name implies, HarvestCheck is just a check, it doesn't imply that harvesting will actually happen.
Yes but I'm not doing any harvesting. Extracting/inserting items and/or energy is not harvesting
Also the problem with fake players is that FTB Utilities either blocks those or allows those. If it blocks those it means you cannot use my mods anywhere because the fake player will not be allowed to access blocks that belong to yourself. If it doesn't block then it will work regardless
This event is used beyond what its name implies since at least MC1.7.10. Make a pull request on Forge if you want finer event handling for MC1.13+.
You can always grab the player who placed the controller, and default to a FakePlayer with that player name if the real one is offline or in another dimension.
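The owner-or-FakePlayer fallback suggested in the comment above, combined with a Forge interaction check before an inventory is exposed, as an added example that is not RFTools code or code from any participant in this thread. The class `OwnerAccessCheck`, its methods, and the stored `ownerId`/`ownerName` are hypothetical; `PlayerInteractEvent.RightClickBlock` is used because it carries the block position, and it is an assumption that the protection mod or plugin in question vetoes access by cancelling or denying that event.

```java
import com.mojang.authlib.GameProfile;
import net.minecraft.entity.player.EntityPlayer;
import net.minecraft.entity.player.EntityPlayerMP;
import net.minecraft.util.EnumFacing;
import net.minecraft.util.EnumHand;
import net.minecraft.util.math.BlockPos;
import net.minecraft.util.math.Vec3d;
import net.minecraft.world.WorldServer;
import net.minecraftforge.common.ForgeHooks;
import net.minecraftforge.common.util.FakePlayerFactory;
import net.minecraftforge.event.entity.player.PlayerInteractEvent;
import net.minecraftforge.fml.common.eventhandler.Event;

import java.util.UUID;

/** Hypothetical helper (Forge 1.12.2 names): gate remote inventory access on an interaction check. */
public final class OwnerAccessCheck {

    private OwnerAccessCheck() {}

    /** The real player if online in this dimension, otherwise a FakePlayer carrying the owner's profile. */
    static EntityPlayer resolveActor(WorldServer world, UUID ownerId, String ownerName) {
        EntityPlayerMP online = world.getMinecraftServer().getPlayerList().getPlayerByUUID(ownerId);
        if (online != null && online.dimension == world.provider.getDimension()) {
            return online;
        }
        return FakePlayerFactory.get(world, new GameProfile(ownerId, ownerName));
    }

    /** True only if no handler cancelled or denied the owner's simulated interaction with the block. */
    public static boolean mayAccess(WorldServer world, BlockPos target, UUID ownerId, String ownerName) {
        if (ownerId == null || !world.isBlockLoaded(target)) {
            return false; // fail closed: unknown owner or unloaded chunk
        }
        EntityPlayer actor = resolveActor(world, ownerId, ownerName);
        Vec3d hit = new Vec3d(target).addVector(0.5, 0.5, 0.5);
        // Assumption: protection mods veto by cancelling this event. Every other
        // handler subscribed to RightClickBlock also runs when it is posted.
        PlayerInteractEvent.RightClickBlock event =
                ForgeHooks.onRightClickBlock(actor, EnumHand.MAIN_HAND, target, EnumFacing.UP, hit);
        return !event.isCanceled() && event.getUseBlock() != Event.Result.DENY;
    }
}
```

A scanner-style block would call `mayAccess` for each candidate position and skip any that return false, caching the result per position so the event is not posted on every tick.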