Fixed disguise options permissions being bypassable in some instances, including capitalization

This commit is contained in:
libraryaddict 2020-01-12 17:26:44 +13:00
parent db29352948
commit e70c690751
No known key found for this signature in database
GPG Key ID: 052E4FBCD257AEA4
5 changed files with 30 additions and 8 deletions

View File

@ -537,8 +537,9 @@ public class DisguiseListener implements Listener {
} }
try { try {
DisguiseParser.callMethods(p, disguise, perms, disguisePerm, new ArrayList<>(Arrays.asList(options)), DisguiseParser
options); .callMethods(p, disguise, perms, disguisePerm, new ArrayList<>(Arrays.asList(options)), options,
"DisguiseModifyEntity");
p.sendMessage(LibsMsg.LISTENER_MODIFIED_DISG.get()); p.sendMessage(LibsMsg.LISTENER_MODIFIED_DISG.get());
} }
catch (DisguiseParseException ex) { catch (DisguiseParseException ex) {

View File

@ -58,7 +58,8 @@ public class DisguiseModifyCommand extends DisguiseBaseCommand implements TabCom
options = DisguiseParser.parsePlaceholders(options, sender, sender); options = DisguiseParser.parsePlaceholders(options, sender, sender);
try { try {
DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), options); DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), options,
"DisguiseModify");
} }
catch (DisguiseParseException ex) { catch (DisguiseParseException ex) {
if (ex.getMessage() != null) { if (ex.getMessage() != null) {

View File

@ -87,7 +87,8 @@ public class DisguiseModifyPlayerCommand extends DisguiseBaseCommand implements
options = DisguiseParser.parsePlaceholders(options, sender, entityTarget); options = DisguiseParser.parsePlaceholders(options, sender, entityTarget);
try { try {
DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), options); DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), options,
"DisguiseModifyPlayer");
} }
catch (DisguiseParseException ex) { catch (DisguiseParseException ex) {
if (ex.getMessage() != null) { if (ex.getMessage() != null) {

View File

@ -154,7 +154,8 @@ public class DisguiseModifyRadiusCommand extends DisguiseBaseCommand implements
tempArgs = DisguiseParser.parsePlaceholders(tempArgs, sender, entity); tempArgs = DisguiseParser.parsePlaceholders(tempArgs, sender, entity);
try { try {
DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), tempArgs); DisguiseParser.callMethods(sender, disguise, permissions, disguisePerm, new ArrayList<>(), tempArgs,
"DisguiseModifyRadius");
modifiedDisguises++; modifiedDisguises++;
} }
catch (DisguiseParseException ex) { catch (DisguiseParseException ex) {

View File

@ -335,6 +335,7 @@ public class DisguiseParser {
* Returns if command user can access the disguise creation permission type * Returns if command user can access the disguise creation permission type
*/ */
private static boolean hasPermissionOption(HashMap<String, Boolean> disguiseOptions, String string) { private static boolean hasPermissionOption(HashMap<String, Boolean> disguiseOptions, String string) {
string = string.toLowerCase();
// If no permissions were defined, return true // If no permissions were defined, return true
if (disguiseOptions.isEmpty()) { if (disguiseOptions.isEmpty()) {
return true; return true;
@ -712,18 +713,19 @@ public class DisguiseParser {
String[] newArgs = new String[args.length - toSkip]; String[] newArgs = new String[args.length - toSkip];
System.arraycopy(args, toSkip, newArgs, 0, args.length - toSkip); System.arraycopy(args, toSkip, newArgs, 0, args.length - toSkip);
callMethods(sender, disguise, permissions, disguisePerm, usedOptions, newArgs); callMethods(sender, disguise, permissions, disguisePerm, usedOptions, newArgs, permNode);
// Alright. We've constructed our disguise. // Alright. We've constructed our disguise.
return disguise; return disguise;
} }
public static void callMethods(CommandSender sender, Disguise disguise, DisguisePermissions disguisePermission, public static void callMethods(CommandSender sender, Disguise disguise, DisguisePermissions disguisePermission,
DisguisePerm disguisePerm, Collection<String> usedOptions, DisguisePerm disguisePerm, Collection<String> usedOptions, String[] args,
String[] args) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException, String permNode) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException,
DisguiseParseException { DisguiseParseException {
Method[] methods = ParamInfoManager.getDisguiseWatcherMethods(disguise.getWatcher().getClass()); Method[] methods = ParamInfoManager.getDisguiseWatcherMethods(disguise.getWatcher().getClass());
List<String> list = new ArrayList<>(Arrays.asList(args)); List<String> list = new ArrayList<>(Arrays.asList(args));
HashMap<String, Boolean> disguiseOptions = null;
for (int argIndex = 0; argIndex < args.length; argIndex++) { for (int argIndex = 0; argIndex < args.length; argIndex++) {
// This is the method name they provided // This is the method name they provided
@ -788,6 +790,22 @@ public class DisguiseParser {
usedOptions.add(methodToUse.getName().toLowerCase()); usedOptions.add(methodToUse.getName().toLowerCase());
} }
if (methodToUse.getName().equalsIgnoreCase("setpainting") ||
methodToUse.getName().equalsIgnoreCase("setpotionid") ||
methodToUse.getName().equalsIgnoreCase("setitemstack") ||
methodToUse.getName().equalsIgnoreCase("setblock")) {
if (disguiseOptions == null) {
disguiseOptions = getDisguiseOptions(sender, permNode, disguisePerm);
}
String stringValue = ParamInfoManager.toString(valueToSet);
if (!hasPermissionOption(disguiseOptions, valueToSet + "")) {
throw new DisguiseParseException(LibsMsg.PARSE_NO_PERM_PARAM, stringValue,
disguisePerm.toReadable());
}
}
doCheck(sender, disguisePermission, disguisePerm, usedOptions); doCheck(sender, disguisePermission, disguisePerm, usedOptions);
if (FlagWatcher.class.isAssignableFrom(methodToUse.getDeclaringClass())) { if (FlagWatcher.class.isAssignableFrom(methodToUse.getDeclaringClass())) {