Fixed disguise options permissions being bypassable in some instances, including capitalization

libraryaddict
2020-01-12 17:26:44 +13:00
parent db29352948
commit e70c690751
5 changed files with 30 additions and 8 deletions


@@ -335,6 +335,7 @@ public class DisguiseParser {
* Returns if command user can access the disguise creation permission type
*/
private static boolean hasPermissionOption(HashMap<String, Boolean> disguiseOptions, String string) {
string = string.toLowerCase();
// If no permissions were defined, return true
if (disguiseOptions.isEmpty()) {
return true;
@@ -712,18 +713,19 @@ public class DisguiseParser {
String[] newArgs = new String[args.length - toSkip];
System.arraycopy(args, toSkip, newArgs, 0, args.length - toSkip);
callMethods(sender, disguise, permissions, disguisePerm, usedOptions, newArgs);
callMethods(sender, disguise, permissions, disguisePerm, usedOptions, newArgs, permNode);
// Alright. We've constructed our disguise.
return disguise;
}
public static void callMethods(CommandSender sender, Disguise disguise, DisguisePermissions disguisePermission,
DisguisePerm disguisePerm, Collection<String> usedOptions,
String[] args) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException,
DisguisePerm disguisePerm, Collection<String> usedOptions, String[] args,
String permNode) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException,
DisguiseParseException {
Method[] methods = ParamInfoManager.getDisguiseWatcherMethods(disguise.getWatcher().getClass());
List<String> list = new ArrayList<>(Arrays.asList(args));
HashMap<String, Boolean> disguiseOptions = null;
for (int argIndex = 0; argIndex < args.length; argIndex++) {
// This is the method name they provided
@@ -788,6 +790,22 @@ public class DisguiseParser {
usedOptions.add(methodToUse.getName().toLowerCase());
}
if (methodToUse.getName().equalsIgnoreCase("setpainting") ||
methodToUse.getName().equalsIgnoreCase("setpotionid") ||
methodToUse.getName().equalsIgnoreCase("setitemstack") ||
methodToUse.getName().equalsIgnoreCase("setblock")) {
if (disguiseOptions == null) {
disguiseOptions = getDisguiseOptions(sender, permNode, disguisePerm);
}
String stringValue = ParamInfoManager.toString(valueToSet);
if (!hasPermissionOption(disguiseOptions, valueToSet + "")) {
throw new DisguiseParseException(LibsMsg.PARSE_NO_PERM_PARAM, stringValue,
disguisePerm.toReadable());
}
}
doCheck(sender, disguisePermission, disguisePerm, usedOptions);
if (FlagWatcher.class.isAssignableFrom(methodToUse.getDeclaringClass())) {
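Review bot: The new permission gate in callMethods checks `valueToSet + ""` but reports `stringValue`, so the string matched against the disguise options is the value's default `toString()` rather than the `ParamInfoManager.toString(valueToSet)` form computed one line earlier. If the option names in the permission nodes follow the ParamInfoManager form (not visible here), an entry may fail to match the value it was written for, which could leave a restriction unenforced or reject a permitted value; passing the same string to both is safer: `if (!hasPermissionOption(disguiseOptions, stringValue)) {`. In hasPermissionOption, the added `string.toLowerCase()` uses the JVM's default locale, so the case folding this fix relies on can differ on a server running under, for example, a Turkish locale; `string = string.toLowerCase(Locale.ROOT);` (with `java.util.Locale` imported) keeps the comparison stable. Both method bodies continue outside the visible hunks, so the matching logic itself could not be checked.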