Skip to content

Fix creation and import Exploit#2353

Merged
benwoo1110 merged 1 commit into
Multiverse:mainfrom
xSavior-of-God:master
May 16, 2021
Merged

Fix creation and import Exploit#2353
benwoo1110 merged 1 commit into
Multiverse:mainfrom
xSavior-of-God:master

Conversation

@xSavior-of-God

Copy link
Copy Markdown
Contributor

Through this fix you can avoid deleting of important folders.

Through this fix you can avoid deleting of important folders.

@nicegamer7 nicegamer7 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Here are my thoughts.

@xSavior-of-God

Copy link
Copy Markdown
Contributor Author

If there are no other corrections, I will modify the code and repeat the pull request if necessary.

@nicegamer7

Copy link
Copy Markdown
Member

I'm not actually authorized to accept PRs, so I'd wait until the main dev gives his thoughts until you redo anything.

@dumptruckman dumptruckman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there are no other corrections, I will modify the code and repeat the pull request if necessary.

Sorry for the delay in checking this out. I made some comments so yeah, need a couple changes but otherwise this is great.

@benwoo1110 benwoo1110 added Resolution: Accepted MV-Team is aware of the issue/PR and will be looking into it. Bug: Confirmed Issue/problem with the software. PR: Bugfix Pull requests to fix bugs found in MV. and removed Bug: Confirmed Issue/problem with the software. labels Oct 9, 2020
@nicegamer7 nicegamer7 changed the base branch from master to main November 25, 2020 18:33
@benwoo1110 benwoo1110 mentioned this pull request Dec 20, 2020
16 tasks
@benwoo1110

Copy link
Copy Markdown
Member

Will be integrating this in ACF Command rework. Not sure if we want to merge it before that, like v4.3?

@benwoo1110 benwoo1110 added State: On Hold Issues/PRs that need more to discuss and assess. and removed Resolution: Accepted MV-Team is aware of the issue/PR and will be looking into it. labels Mar 4, 2021
@benwoo1110

Copy link
Copy Markdown
Member

@xSavior-of-God Are you still interested in proceeding on this PR?

@xSavior-of-God

Copy link
Copy Markdown
Contributor Author

Yes, i need this fix!

@benwoo1110 benwoo1110 added State: Needs Review By Dev Pull requests requires the approve of lead dev. and removed State: On Hold Issues/PRs that need more to discuss and assess. labels May 16, 2021
@benwoo1110

Copy link
Copy Markdown
Member

I think I recently added something similar, see https://github.com/Multiverse/Multiverse-Core/blob/main/src/main/java/com/onarandombox/MultiverseCore/utils/WorldNameChecker.java

I suggest you take a look at it and see if it has fixed the exploits you are concern with. I haven't use WorldNameChecker in the create command class, but it's probably easy to implement.

Another thing is I heard of people having sub-folders dir for worlds e.g. hub/worldname, since / is a valid char world worldname. Seems like this pr will prevent this behaviour?

@xSavior-of-God

Copy link
Copy Markdown
Contributor Author

1 year ago I said how to fix/remedy the problem... and to date it has not been fixed...

I also mentioned how to replicate it, which to date may have caused problems for some servers owners... with the hope that it will be fixed as soon as possible, but this was not...

So now I tell you how things are...

Did you know that if you want you can create a world inside folders like /sys/, /var/, /usr/, /root/, /home/, etc...?
I don't know how safe it is to use Multiverse on a productive server... ok it's not recommended to start your server with root user, it's recommended to limit the permissions to the user who start the server.
Everyone obviously manages as they see fit, but a small and simple control or just a limitation via config (such as: "Hey by activating this you can risk hack attacks, such as deletion of important folders...") it could already be convenient, like I just enable it when I need, and I disable it when I don't need it anymore. (also via API if you use mv)

In any case, for example, it would be enough to know the path of the server folder to completely destroy it (or just use "./" that refer to the root of your server) by creating a world inside it and then deleting it... honestly, I told you how to do it and how to fix it, I think, it should be good a simple check of the name that removes the characters like '/', '\' and '.'...


However the problem still persists!

How to replicate delete plugins folder?

Simple just type this 2 commands:

/mv create ./plugins/test.dat/dio/ normal
/mv import ./plugins/ normal

NB: Do not use contains in reverse!

/**
* Checks the current validity status of a world name.
*
* @param worldName The world name to check on.
* @return The resulting name status.
*/
@NotNull
public static NameStatus checkName(@Nullable String worldName) {
if (BLACKLIST_NAMES.contains(worldName)) {
return NameStatus.BLACKLISTED;
}
if (worldName == null || !WORLD_NAME_PATTERN.matcher(worldName).matches()) {
return NameStatus.INVALID_CHARS;
}
return NameStatus.VALID;
}

do it like this

for(String check : BLACKLIST_NAMES) 
  if (worldName.contains(check))
    return NameStatus.BLACKLISTED;

I hope you have understood the seriousness of the problem and that I have not offended you (in case sorry), but above all I hope that the problem will be solved as soon as possible!

@benwoo1110

benwoo1110 commented May 16, 2021

Copy link
Copy Markdown
Member

ideally, we should check based on directory instead of just removing all /, possibly:

  1. Ensure target world folder is within the world container path, not /home /root as you said.
  2. and also it is not sub directory path of certain blacklisted folder, e.g. plugins/ logs/

so that we control, but not straight up deny worlds in sub directory, to prevent breaking changes while fixing this exploit.

@benwoo1110 benwoo1110 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will merge it as it is, and look into configurable options, as well as reducing false positives as I mentioned in the near future.

@benwoo1110 benwoo1110 dismissed dumptruckman’s stale review May 16, 2021 04:55

we merge it first

@benwoo1110 benwoo1110 merged commit f72cc67 into Multiverse:main May 16, 2021
@xSavior-of-God

xSavior-of-God commented May 16, 2021

Copy link
Copy Markdown
Contributor Author

Why do you have to get too complicated?
You can simply make an option in the config that makes it possible to use the '/', '\' and the '.', doing this avoids the biggest problem, then check if it is an important folder like: logs, plugins, libs, etc... (also this last if configurable would be the top)

@benwoo1110

Copy link
Copy Markdown
Member

it's not... too complicated, I'm just providing ideas into how we can improve the world name checking system. Yes - things at mv are slow at times, but we do our best with the limited free time we have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

PR: Bugfix Pull requests to fix bugs found in MV. State: Needs Review By Dev Pull requests requires the approve of lead dev.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants