Paper/patches/server/0918-Validate-ResourceLocation-in-NBT-reading.patch

156 lines
11 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nassim Jahnke <nassim@njahnke.dev>
Date: Thu, 4 Jan 2024 13:49:14 +0100
Subject: [PATCH] Validate ResourceLocation in NBT reading
diff --git a/src/main/java/net/minecraft/nbt/NbtUtils.java b/src/main/java/net/minecraft/nbt/NbtUtils.java
2024-06-14 10:56:28 +02:00
index 4929bac8e476664086470f078efce6c0a6164413..f88dd37783b3c155c23b547c360b8d3c16e030c0 100644
--- a/src/main/java/net/minecraft/nbt/NbtUtils.java
+++ b/src/main/java/net/minecraft/nbt/NbtUtils.java
2024-04-25 01:25:57 +02:00
@@ -149,8 +149,10 @@ public final class NbtUtils {
if (!nbt.contains("Name", 8)) {
return Blocks.AIR.defaultBlockState();
} else {
2024-06-14 10:56:28 +02:00
- ResourceLocation resourceLocation = ResourceLocation.parse(nbt.getString("Name"));
- Optional<? extends Holder<Block>> optional = blockLookup.get(ResourceKey.create(Registries.BLOCK, resourceLocation));
+ // Paper start - Validate resource location
+ ResourceLocation resourceLocation = ResourceLocation.tryParse(nbt.getString("Name"));
+ Optional<? extends Holder<Block>> optional = resourceLocation != null ? blockLookup.get(ResourceKey.create(Registries.BLOCK, resourceLocation)) : Optional.empty();
+ // Paper end - Validate resource location
if (optional.isEmpty()) {
return Blocks.AIR.defaultBlockState();
} else {
diff --git a/src/main/java/net/minecraft/resources/ResourceLocation.java b/src/main/java/net/minecraft/resources/ResourceLocation.java
2024-06-14 10:56:28 +02:00
index 87afe84791af2d5e9f869cd4c09eed4bb5fee75b..1967c43ee3a12e63365cc40ee6565307e2fd73cf 100644
--- a/src/main/java/net/minecraft/resources/ResourceLocation.java
+++ b/src/main/java/net/minecraft/resources/ResourceLocation.java
2024-06-14 10:56:28 +02:00
@@ -41,6 +41,13 @@ public final class ResourceLocation implements Comparable<ResourceLocation> {
assert isValidPath(path);
+ // Paper start - Validate ResourceLocation
+ // Check for the max network string length (capped at Short.MAX_VALUE) as well as the max bytes of a StringTag (length written as an unsigned short)
+ final String resourceLocation = namespace + ":" + path;
+ if (resourceLocation.length() > Short.MAX_VALUE || io.netty.buffer.ByteBufUtil.utf8MaxBytes(resourceLocation) > 2 * Short.MAX_VALUE + 1) {
+ throw new ResourceLocationException("Resource location too long: " + resourceLocation);
+ }
+ // Paper end - Validate ResourceLocation
this.namespace = namespace;
this.path = path;
}
diff --git a/src/main/java/net/minecraft/world/RandomizableContainer.java b/src/main/java/net/minecraft/world/RandomizableContainer.java
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#11405) Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: 1fc1020a PR-1049: Add MenuType API 8ae2e3be PR-1055: Expand riptiding API cac68bfb SPIGOT-7890: AttributeModifier#getUniqueId() doesn't match the UUID passed to its constructor 7004fcf2 SPIGOT-7886: Fix mistake in AttributeModifier UUID shim 1ac7f950 PR-1054: Add FireworkMeta#hasPower 4cfb565f SPIGOT-7873: Add powered state for skulls CraftBukkit Changes: bbb30e7a8 SPIGOT-7894: NPE when sending tile entity update ba21e9472 SPIGOT-7895: PlayerItemBreakEvent not firing 0fb24bbe0 SPIGOT-7875: Fix PlayerItemConsumeEvent cancellation causing client-side desync 815066449 SPIGOT-7891: Can't remove second ingredient of MerchantRecipe 45c206f2c PR-1458: Add MenuType API 19c8ef9ae SPIGOT-7867: Merchant instanceof AbstractVillager always returns false 4e006d28f PR-1468: Expand riptiding API bd8aded7d Ignore checks in CraftPlayerProfile for ResolvableProfile used in profile components 8679620b5 SPIGOT-7889: Fix tool component deserialisation without speed and/or correct-for-drops 8d5222691 SPIGOT-7882, PR-1467: Fix conversion of name in Profile Component to empty if it is missing 63f91669a SPIGOT-7887: Remove duplicate ProjectileHitEvent for fireballs 7070de8c8 SPIGOT-7878: Server#getLootTable does not return null on invalid loot table 060ee6cae SPIGOT-7876: Can't kick player or disconnect player in PlayerLoginEvent when checking for cookies 7ccb86cc0 PR-1465: Add FireworkMeta#hasPower 804ad6491 SPIGOT-7873: Add powered state for skulls f9610cdcb Improve minecart movement Spigot Changes: a759b629 Rebuild patches Co-authored-by: Jake Potrebic <jake.m.potrebic@gmail.com>
2024-09-15 21:39:53 +02:00
index 084935138b1484f3d96e99f4e5655a6c04931907..9e357abe13f55bd9ce3a1d5348bcf19a15ea5433 100644
--- a/src/main/java/net/minecraft/world/RandomizableContainer.java
+++ b/src/main/java/net/minecraft/world/RandomizableContainer.java
@@ -50,7 +50,7 @@ public interface RandomizableContainer extends Container {
default boolean tryLoadLootTable(CompoundTag nbt) {
if (nbt.contains("LootTable", 8)) {
2024-06-14 10:56:28 +02:00
- this.setLootTable(ResourceKey.create(Registries.LOOT_TABLE, ResourceLocation.parse(nbt.getString("LootTable"))));
2024-05-29 20:17:56 +02:00
+ this.setLootTable(net.minecraft.Optionull.map(ResourceLocation.tryParse(nbt.getString("LootTable")), rl -> ResourceKey.create(Registries.LOOT_TABLE, rl))); // Paper - Validate ResourceLocation
if (this.lootableData() != null && this.getLootTable() != null) this.lootableData().loadNbt(nbt); // Paper - LootTable API
if (nbt.contains("LootTableSeed", 4)) {
this.setLootTableSeed(nbt.getLong("LootTableSeed"));
diff --git a/src/main/java/net/minecraft/world/entity/EntityType.java b/src/main/java/net/minecraft/world/entity/EntityType.java
2024-06-14 10:56:28 +02:00
index b98f9246b60daf31460f41ce214dfa7c011f5684..842b0cec0397d7ae5166617627340ffac0e35db1 100644
--- a/src/main/java/net/minecraft/world/entity/EntityType.java
+++ b/src/main/java/net/minecraft/world/entity/EntityType.java
2024-04-25 01:25:57 +02:00
@@ -623,7 +623,7 @@ public class EntityType<T extends Entity> implements FeatureElement, EntityTypeT
}
public static Optional<EntityType<?>> by(CompoundTag nbt) {
2024-06-14 10:56:28 +02:00
- return BuiltInRegistries.ENTITY_TYPE.getOptional(ResourceLocation.parse(nbt.getString("id")));
+ return BuiltInRegistries.ENTITY_TYPE.getOptional(ResourceLocation.tryParse(nbt.getString("id"))); // Paper - Validate ResourceLocation
}
@Nullable
2024-02-01 10:53:15 +01:00
diff --git a/src/main/java/net/minecraft/world/entity/LivingEntity.java b/src/main/java/net/minecraft/world/entity/LivingEntity.java
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#11405) Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: 1fc1020a PR-1049: Add MenuType API 8ae2e3be PR-1055: Expand riptiding API cac68bfb SPIGOT-7890: AttributeModifier#getUniqueId() doesn't match the UUID passed to its constructor 7004fcf2 SPIGOT-7886: Fix mistake in AttributeModifier UUID shim 1ac7f950 PR-1054: Add FireworkMeta#hasPower 4cfb565f SPIGOT-7873: Add powered state for skulls CraftBukkit Changes: bbb30e7a8 SPIGOT-7894: NPE when sending tile entity update ba21e9472 SPIGOT-7895: PlayerItemBreakEvent not firing 0fb24bbe0 SPIGOT-7875: Fix PlayerItemConsumeEvent cancellation causing client-side desync 815066449 SPIGOT-7891: Can't remove second ingredient of MerchantRecipe 45c206f2c PR-1458: Add MenuType API 19c8ef9ae SPIGOT-7867: Merchant instanceof AbstractVillager always returns false 4e006d28f PR-1468: Expand riptiding API bd8aded7d Ignore checks in CraftPlayerProfile for ResolvableProfile used in profile components 8679620b5 SPIGOT-7889: Fix tool component deserialisation without speed and/or correct-for-drops 8d5222691 SPIGOT-7882, PR-1467: Fix conversion of name in Profile Component to empty if it is missing 63f91669a SPIGOT-7887: Remove duplicate ProjectileHitEvent for fireballs 7070de8c8 SPIGOT-7878: Server#getLootTable does not return null on invalid loot table 060ee6cae SPIGOT-7876: Can't kick player or disconnect player in PlayerLoginEvent when checking for cookies 7ccb86cc0 PR-1465: Add FireworkMeta#hasPower 804ad6491 SPIGOT-7873: Add powered state for skulls f9610cdcb Improve minecart movement Spigot Changes: a759b629 Rebuild patches Co-authored-by: Jake Potrebic <jake.m.potrebic@gmail.com>
2024-09-15 21:39:53 +02:00
index 13ef1ad250b56dbadba0244186e369d7ba9b5c0e..94169703c5a8111df1ed550d57f59f4a3bb97ae1 100644
2024-02-01 10:53:15 +01:00
--- a/src/main/java/net/minecraft/world/entity/LivingEntity.java
+++ b/src/main/java/net/minecraft/world/entity/LivingEntity.java
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#11024) * Updated Upstream (Bukkit/CraftBukkit/Spigot) Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: e86f4dc4 PR-1041: Improve getPlayer(String) docs to clarify it matches the name 9738f005 Fix spawner API documentation 69ebd9fd PR-1034: Add TrialSpawnerSpawnEvent 23cffd9c PR-973: Improve spawner API and add API for Trial Spawners 8bf19163 PR-1038: Clarify HumanEntity#openInventory(InventoryView) JavaDoc 1ff76351 SPIGOT-7732, SPIGOT-7786: Add freezing damage modifier 02161cb4 PR-1034: Add CreatureSpawnEvent.SpawnReason#TRIAL_SPAWNER f9cb6f34 SPIGOT-7777: All entity potion effects are removed on death 25d548eb PR-1031: Expose Creeper igniter ccbf0915 SPIGOT-7770: Reserve spaces in shaped recipes for blank ingredients 17f7097c Clarify ambiguity around what is API 71714f0c Remove note from InventoryView JavaDoc aaf49731 PR-1030: Deprecate more unused methods in UnsafeValues 3a9dc689 SPIGOT-7771: Material.getDefaultAttributes always returns an empty map CraftBukkit Changes: c3ceeb6f7 SPIGOT-7814: Call PlayerShearEntityEvent for Bogged 97b1e4f58 Fix wolf armor not dropping from use of shears fd2ef563a SPIGOT-7812: Revert "SPIGOT-7809: Restore shield/banner conversion for base colours" f672c351b SPIGOT-7811: Enchantments are applied on sweeping attack even if damage event is cancelled cfe29350b SPIGOT-7808: Fix implementation of Enchantment#getName() for bad name return 19335f69e SPIGOT-7809: Restore shield/banner conversion for base colours ae4f5a0be SPIGOT-7805: Fix jukebox deserialization 62e3b73a4 SPIGOT-7804: Fix written book serialization aac911d26 SPIGOT-7800, SPIGOT-7801: Keep vanilla behaviour for items dropped on player death 13ece474f PR-1429: Implement TrialSpawnerSpawnEvent bf13e9113 PR-1354: Improve spawner API and add API for Trial Spawners 515fe49e1 Increase outdated build delay 9cd5a19a0 SPIGOT-7794: Cancelling InventoryItemMoveEvent destroys items ce40c7b14 SPIGOT-7796: Kickplayer newlines not working 5167256ff SPIGOT-7795: Fix damage/stats ignore the invulnerable damage time f993563ee Improve cross-world teleportation handling ab29122cf PR-1433: HumanEntity#openInventory(InventoryView) should only support views belonging to the player 764a541c5 SPIGOT-7732: Issue with the "hurt()" method of EntityLiving and invulnerable time 820084b5f SPIGOT-7791: Skull BlockState with null profile causes NullPointerException 5e46f1c82 SPIGOT-7785: Teleporting a player at the right moment can mess up vanilla teleportation cbd95a6b3 SPIGOT-7772: Include hidden / non-sampled players in player count 3153debc5 SPIGOT-7790: Server crashes after bee nest is forced to update e77bb26bb SPIGOT-7788: The healing power of friendship advancement is never granted ee3d7258a SPIGOT-7789: Fix NPE in CraftMetaFirework applyToItem 2889b3a11 PR-1429: Add CreatureSpawnEvent.SpawnReason#TRIAL_SPAWNER cdd05bc7f SPIGOT-7777: Speed attribute stays after death; missing EntityPotionEffectEvent call d0e6af2d4 PR-1428: Expose Creeper igniter d01c70e93 PR-1425: Fix bytecode transformation taking care of class-to-interface compatibility. b2b08f68c SPIGOT-7770: Fix certain shaped recipes not registering 3f8e4161f PR-1426: Deprecate more unused methods in UnsafeValues 2c9dd879e SPIGOT-7771: Material.getDefaultAttributes always returns an empty map Spigot Changes: 491f3675 Rebuild patches 0a642bd7 Rebuild patches 8897571b Rebuild patches cb8cf80c Fix newlines in custom restart message 1aabe506 Rebuild patches
2024-07-06 21:19:14 +02:00
@@ -887,11 +887,13 @@ public abstract class LivingEntity extends Entity implements Attackable {
2024-02-01 10:53:15 +01:00
if (nbt.contains("SleepingX", 99) && nbt.contains("SleepingY", 99) && nbt.contains("SleepingZ", 99)) {
BlockPos blockposition = new BlockPos(nbt.getInt("SleepingX"), nbt.getInt("SleepingY"), nbt.getInt("SleepingZ"));
2024-06-14 10:56:28 +02:00
2024-02-01 10:53:15 +01:00
+ if (this.position().distanceToSqr(blockposition.getX(), blockposition.getY(), blockposition.getZ()) < 16 * 16) { // Paper - The sleeping pos will always also set the actual pos, so a desync suggests something is wrong
this.setSleepingPos(blockposition);
this.entityData.set(LivingEntity.DATA_POSE, Pose.SLEEPING);
if (!this.firstTick) {
this.setPosToBed(blockposition);
}
+ } // Paper - The sleeping pos will always also set the actual pos, so a desync suggests something is wrong
}
if (nbt.contains("Brain", 10)) {
diff --git a/src/main/java/net/minecraft/world/entity/Mob.java b/src/main/java/net/minecraft/world/entity/Mob.java
2024-08-31 20:29:50 +02:00
index cf1f6a0081f0dbcf43842ec23accf6c3ae9b79d8..58ff5b4df2124901df757315e42b2490a7da7415 100644
--- a/src/main/java/net/minecraft/world/entity/Mob.java
+++ b/src/main/java/net/minecraft/world/entity/Mob.java
2024-07-18 16:50:16 +02:00
@@ -603,7 +603,7 @@ public abstract class Mob extends LivingEntity implements EquipmentUser, Leashab
2024-06-14 10:56:28 +02:00
this.leashData = this.readLeashData(nbt);
this.setLeftHanded(nbt.getBoolean("LeftHanded"));
if (nbt.contains("DeathLootTable", 8)) {
2024-06-14 10:56:28 +02:00
- this.lootTable = ResourceKey.create(Registries.LOOT_TABLE, ResourceLocation.parse(nbt.getString("DeathLootTable")));
2024-04-25 01:25:57 +02:00
+ this.lootTable = net.minecraft.Optionull.map(ResourceLocation.tryParse(nbt.getString("DeathLootTable")), rl -> ResourceKey.create(Registries.LOOT_TABLE, rl)); // Paper - Validate ResourceLocation
this.lootTableSeed = nbt.getLong("DeathLootTableSeed");
}
diff --git a/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java b/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
index 10d30304c8c89b1f2a55be8529035311d1424e44..ddf47dab1ab92c45e3eea09239d418a9798ed59e 100644
--- a/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
+++ b/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
@@ -649,7 +649,7 @@ public abstract class AbstractArrow extends Projectile {
this.setCritArrow(nbt.getBoolean("crit"));
this.setPierceLevel(nbt.getByte("PierceLevel"));
if (nbt.contains("SoundEvent", 8)) {
2024-06-14 10:56:28 +02:00
- this.soundEvent = (SoundEvent) BuiltInRegistries.SOUND_EVENT.getOptional(ResourceLocation.parse(nbt.getString("SoundEvent"))).orElse(this.getDefaultHitGroundSoundEvent());
+ this.soundEvent = (SoundEvent) BuiltInRegistries.SOUND_EVENT.getOptional(ResourceLocation.tryParse(nbt.getString("SoundEvent"))).orElse(this.getDefaultHitGroundSoundEvent()); // Paper - Validate resource location
}
2024-06-14 10:56:28 +02:00
if (nbt.contains("item", 10)) {
diff --git a/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java b/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
2024-06-14 10:56:28 +02:00
index ccc7367ab2740bea0f2b907223a0920b11665092..845eff7401b811c179dc9dee70eca0d724be5c80 100644
--- a/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
+++ b/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
@@ -73,7 +73,7 @@ public interface ContainerEntity extends Container, MenuProvider {
2024-04-25 01:25:57 +02:00
default void readChestVehicleSaveData(CompoundTag nbt, HolderLookup.Provider registriesLookup) {
this.clearItemStacks();
if (nbt.contains("LootTable", 8)) {
2024-06-14 10:56:28 +02:00
- this.setLootTable(ResourceKey.create(Registries.LOOT_TABLE, ResourceLocation.parse(nbt.getString("LootTable"))));
2024-04-25 01:25:57 +02:00
+ this.setLootTable(net.minecraft.Optionull.map(ResourceLocation.tryParse(nbt.getString("LootTable")), rl -> ResourceKey.create(Registries.LOOT_TABLE, rl))); // Paper - Validate ResourceLocation
// Paper start - LootTable API
if (this.getLootTable() != null) {
this.lootableData().loadNbt(nbt);
diff --git a/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java b/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
2024-06-14 14:28:06 +02:00
index 65ab9b22f724877b68f4f25aad2831e2cb080b19..730aca233f6e7564d4cb85b5b628d23c4f01d2f4 100644
--- a/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
+++ b/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
2024-04-25 01:25:57 +02:00
@@ -295,7 +295,12 @@ public abstract class AbstractFurnaceBlockEntity extends BaseContainerBlockEntit
while (iterator.hasNext()) {
String s = (String) iterator.next();
2024-06-14 10:56:28 +02:00
- this.recipesUsed.put(ResourceLocation.parse(s), nbttagcompound1.getInt(s));
+ // Paper start - Validate ResourceLocation
+ final ResourceLocation resourceLocation = ResourceLocation.tryParse(s);
+ if (resourceLocation != null) {
+ this.recipesUsed.put(resourceLocation, nbttagcompound1.getInt(s));
+ }
+ // Paper end - Validate ResourceLocation
}
// Paper start - cook speed multiplier API
diff --git a/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java b/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
2024-06-14 10:56:28 +02:00
index 32de29c385c784ab87e29b2e072f3992386cd775..dc02a3d84b397f634f77f4df9c06e245cc4dcb75 100644
--- a/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
+++ b/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
2024-04-25 01:25:57 +02:00
@@ -202,7 +202,7 @@ public class BrushableBlockEntity extends BlockEntity {
private boolean tryLoadLootTable(CompoundTag nbt) {
if (nbt.contains("LootTable", 8)) {
2024-06-14 10:56:28 +02:00
- this.lootTable = ResourceKey.create(Registries.LOOT_TABLE, ResourceLocation.parse(nbt.getString("LootTable")));
2024-04-25 01:25:57 +02:00
+ this.lootTable = net.minecraft.Optionull.map(ResourceLocation.tryParse(nbt.getString("LootTable")), rl -> ResourceKey.create(Registries.LOOT_TABLE, rl)); // Paper - Validate ResourceLocation
this.lootTableSeed = nbt.getLong("LootTableSeed");
return true;
} else {