2024-01-04 13:52:38 +01:00
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nassim Jahnke <nassim@njahnke.dev>
Date: Thu, 4 Jan 2024 13:49:14 +0100
Subject: [PATCH] Validate ResourceLocation in NBT reading
diff --git a/src/main/java/net/minecraft/nbt/NbtUtils.java b/src/main/java/net/minecraft/nbt/NbtUtils.java
2024-01-21 19:37:09 +01:00
index ba0726157417cdde1c9bca93a9e37e68d9b2286d..e3a3f19a6e63fd42e29c418e5a7439972484d492 100644
2024-01-04 13:52:38 +01:00
--- a/src/main/java/net/minecraft/nbt/NbtUtils.java
+++ b/src/main/java/net/minecraft/nbt/NbtUtils.java
@@ -230,8 +230,10 @@ public final class NbtUtils {
if (!nbt.contains("Name", 8)) {
return Blocks.AIR.defaultBlockState();
} else {
- ResourceLocation resourceLocation = new ResourceLocation(nbt.getString("Name"));
- Optional<? extends Holder<Block>> optional = blockLookup.get(ResourceKey.create(Registries.BLOCK, resourceLocation));
+ // Paper start - Validate resource location
+ ResourceLocation resourceLocation = ResourceLocation.tryParse(nbt.getString("Name"));
+ Optional<? extends Holder<Block>> optional = resourceLocation != null ? blockLookup.get(ResourceKey.create(Registries.BLOCK, resourceLocation)) : Optional.empty();
2024-01-13 16:35:59 +01:00
+ // Paper end - Validate resource location
2024-01-04 13:52:38 +01:00
if (optional.isEmpty()) {
return Blocks.AIR.defaultBlockState();
} else {
2024-01-12 19:33:17 +01:00
diff --git a/src/main/java/net/minecraft/resources/ResourceLocation.java b/src/main/java/net/minecraft/resources/ResourceLocation.java
2024-01-19 12:30:04 +01:00
index 5f9dcab27a07969c93555ad0892683c62cbebc8c..a4d875df936b6de16f0233482b03af05b427a79f 100644
2024-01-12 19:33:17 +01:00
--- a/src/main/java/net/minecraft/resources/ResourceLocation.java
+++ b/src/main/java/net/minecraft/resources/ResourceLocation.java
2024-01-12 23:08:19 +01:00
@@ -31,6 +31,13 @@ public class ResourceLocation implements Comparable<ResourceLocation> {
2024-01-12 19:33:17 +01:00
private final String path;
protected ResourceLocation(String namespace, String path, @Nullable ResourceLocation.Dummy extraData) {
2024-01-12 23:08:19 +01:00
+ // Paper start - Validate ResourceLocation
+ // Check for the max network string length (capped at Short.MAX_VALUE) as well as the max bytes of a StringTag (length written as an unsigned short)
+ final String resourceLocation = namespace + ":" + path;
+ if (resourceLocation.length() > Short.MAX_VALUE || io.netty.buffer.ByteBufUtil.utf8MaxBytes(resourceLocation) > 2 * Short.MAX_VALUE + 1) {
+ throw new ResourceLocationException("Resource location too long: " + resourceLocation);
+ }
+ // Paper end - Validate ResourceLocation
2024-01-12 19:33:17 +01:00
this.namespace = namespace;
this.path = path;
}
2024-01-06 09:51:49 +01:00
diff --git a/src/main/java/net/minecraft/world/entity/EntityType.java b/src/main/java/net/minecraft/world/entity/EntityType.java
2024-02-01 10:15:57 +01:00
index 8ba573bb4099ee5b27b61f333e72d794c48d5f29..69bdf3f2ee731e59e8d454816a9ca72cb49c0fe0 100644
2024-01-06 09:51:49 +01:00
--- a/src/main/java/net/minecraft/world/entity/EntityType.java
+++ b/src/main/java/net/minecraft/world/entity/EntityType.java
2024-02-01 10:15:57 +01:00
@@ -614,7 +614,7 @@ public class EntityType<T extends Entity> implements FeatureElement, EntityTypeT
2024-01-06 09:51:49 +01:00
}
public static Optional<EntityType<?>> by(CompoundTag nbt) {
- return BuiltInRegistries.ENTITY_TYPE.getOptional(new ResourceLocation(nbt.getString("id")));
+ return BuiltInRegistries.ENTITY_TYPE.getOptional(ResourceLocation.tryParse(nbt.getString("id"))); // Paper - Validate ResourceLocation
}
@Nullable
2024-02-01 10:53:15 +01:00
diff --git a/src/main/java/net/minecraft/world/entity/LivingEntity.java b/src/main/java/net/minecraft/world/entity/LivingEntity.java
2024-02-18 12:53:27 +01:00
index 6502dfa62fb0e5a0e3369c62c6ad97aecced4d2b..484056cf77334818aab98ad20e99685d1e240adc 100644
2024-02-01 10:53:15 +01:00
--- a/src/main/java/net/minecraft/world/entity/LivingEntity.java
+++ b/src/main/java/net/minecraft/world/entity/LivingEntity.java
Updated Upstream (Bukkit/CraftBukkit) (#10242)
* Updated Upstream (Bukkit/CraftBukkit)
Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing
Bukkit Changes:
a6a9d2a4 Remove some old ApiStatus.Experimental annotations
be72314c SPIGOT-7300, PR-829: Add new DamageSource API providing enhanced information about entity damage
b252cf05 SPIGOT-7576, PR-970: Add methods in MushroomCow to change stew effects
b1c689bd PR-902: Add Server#isLoggingIPs to get log-ips configuration
08f86d1c PR-971: Add Player methods for client-side potion effects
2e3024a9 PR-963: Add API for in-world structures
a23292a7 SPIGOT-7530, PR-948: Improve Resource Pack API with new 1.20.3 functionality
1851857b SPIGOT-3071, PR-969: Add entity spawn method with spawn reason
cde4c52a SPIGOT-5553, PR-964: Add EntityKnockbackEvent
CraftBukkit Changes:
38fd4bd50 Fix accidentally renamed internal damage method
80f0ce4be SPIGOT-7300, PR-1180: Add new DamageSource API providing enhanced information about entity damage
7e43f3b16 SPIGOT-7581: Fix typo in BlockMushroom
ea14b7d90 SPIGOT-7576, PR-1347: Add methods in MushroomCow to change stew effects
4c687f243 PR-1259: Add Server#isLoggingIPs to get log-ips configuration
22a541a29 Improve support for per-world game rules
cb7dccce2 PR-1348: Add Player methods for client-side potion effects
b8d6109f0 PR-1335: Add API for in-world structures
4398a1b5b SPIGOT-7577: Make CraftWindCharge#explode discard the entity
e74107678 Fix Crafter maximum stack size
0bb0f4f6a SPIGOT-7530, PR-1314: Improve Resource Pack API with new 1.20.3 functionality
4949f556d SPIGOT-3071, PR-1345: Add entity spawn method with spawn reason
20ac73ca2 PR-1353: Fix Structure#place not working as documented with 0 palette
3c1b77871 SPIGOT-6911, PR-1349: Change max book length in CraftMetaBook
333701839 SPIGOT-7572: Bee nests generated without bees
f48f4174c SPIGOT-5553, PR-1336: Add EntityKnockbackEvent
2024-02-11 22:28:00 +01:00
@@ -871,12 +871,13 @@ public abstract class LivingEntity extends Entity implements Attackable {
2024-02-01 10:53:15 +01:00
if (nbt.contains("SleepingX", 99) && nbt.contains("SleepingY", 99) && nbt.contains("SleepingZ", 99)) {
BlockPos blockposition = new BlockPos(nbt.getInt("SleepingX"), nbt.getInt("SleepingY"), nbt.getInt("SleepingZ"));
-
+ if (this.position().distanceToSqr(blockposition.getX(), blockposition.getY(), blockposition.getZ()) < 16 * 16) { // Paper - The sleeping pos will always also set the actual pos, so a desync suggests something is wrong
this.setSleepingPos(blockposition);
this.entityData.set(LivingEntity.DATA_POSE, Pose.SLEEPING);
if (!this.firstTick) {
this.setPosToBed(blockposition);
}
+ } // Paper - The sleeping pos will always also set the actual pos, so a desync suggests something is wrong
}
if (nbt.contains("Brain", 10)) {
2024-01-04 13:52:38 +01:00
diff --git a/src/main/java/net/minecraft/world/entity/Mob.java b/src/main/java/net/minecraft/world/entity/Mob.java
Updated Upstream (Bukkit/CraftBukkit) (#10242)
* Updated Upstream (Bukkit/CraftBukkit)
Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing
Bukkit Changes:
a6a9d2a4 Remove some old ApiStatus.Experimental annotations
be72314c SPIGOT-7300, PR-829: Add new DamageSource API providing enhanced information about entity damage
b252cf05 SPIGOT-7576, PR-970: Add methods in MushroomCow to change stew effects
b1c689bd PR-902: Add Server#isLoggingIPs to get log-ips configuration
08f86d1c PR-971: Add Player methods for client-side potion effects
2e3024a9 PR-963: Add API for in-world structures
a23292a7 SPIGOT-7530, PR-948: Improve Resource Pack API with new 1.20.3 functionality
1851857b SPIGOT-3071, PR-969: Add entity spawn method with spawn reason
cde4c52a SPIGOT-5553, PR-964: Add EntityKnockbackEvent
CraftBukkit Changes:
38fd4bd50 Fix accidentally renamed internal damage method
80f0ce4be SPIGOT-7300, PR-1180: Add new DamageSource API providing enhanced information about entity damage
7e43f3b16 SPIGOT-7581: Fix typo in BlockMushroom
ea14b7d90 SPIGOT-7576, PR-1347: Add methods in MushroomCow to change stew effects
4c687f243 PR-1259: Add Server#isLoggingIPs to get log-ips configuration
22a541a29 Improve support for per-world game rules
cb7dccce2 PR-1348: Add Player methods for client-side potion effects
b8d6109f0 PR-1335: Add API for in-world structures
4398a1b5b SPIGOT-7577: Make CraftWindCharge#explode discard the entity
e74107678 Fix Crafter maximum stack size
0bb0f4f6a SPIGOT-7530, PR-1314: Improve Resource Pack API with new 1.20.3 functionality
4949f556d SPIGOT-3071, PR-1345: Add entity spawn method with spawn reason
20ac73ca2 PR-1353: Fix Structure#place not working as documented with 0 palette
3c1b77871 SPIGOT-6911, PR-1349: Change max book length in CraftMetaBook
333701839 SPIGOT-7572: Bee nests generated without bees
f48f4174c SPIGOT-5553, PR-1336: Add EntityKnockbackEvent
2024-02-11 22:28:00 +01:00
index 9ecabac9e95bb0b550260770fcc713ad82070d0b..fd093e5bc79a44e02f57bacd8273dc87342f5709 100644
2024-01-04 13:52:38 +01:00
--- a/src/main/java/net/minecraft/world/entity/Mob.java
+++ b/src/main/java/net/minecraft/world/entity/Mob.java
2024-01-23 15:43:48 +01:00
@@ -607,7 +607,7 @@ public abstract class Mob extends LivingEntity implements Targeting {
2024-01-04 13:52:38 +01:00
this.setLeftHanded(nbt.getBoolean("LeftHanded"));
if (nbt.contains("DeathLootTable", 8)) {
- this.lootTable = new ResourceLocation(nbt.getString("DeathLootTable"));
+ this.lootTable = ResourceLocation.tryParse(nbt.getString("DeathLootTable")); // Paper - Validate ResourceLocation
this.lootTableSeed = nbt.getLong("DeathLootTableSeed");
}
diff --git a/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java b/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
2024-01-23 15:43:48 +01:00
index 618de60680de015bc68bf95a68eda98db7bab3c5..d14eab0d83d629a4522bf3f7d789d2853eb84f06 100644
2024-01-04 13:52:38 +01:00
--- a/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
+++ b/src/main/java/net/minecraft/world/entity/projectile/AbstractArrow.java
@@ -560,7 +560,7 @@ public abstract class AbstractArrow extends Projectile {
this.setCritArrow(nbt.getBoolean("crit"));
this.setPierceLevel(nbt.getByte("PierceLevel"));
if (nbt.contains("SoundEvent", 8)) {
- this.soundEvent = (SoundEvent) BuiltInRegistries.SOUND_EVENT.getOptional(new ResourceLocation(nbt.getString("SoundEvent"))).orElse(this.getDefaultHitGroundSoundEvent());
+ this.soundEvent = (SoundEvent) BuiltInRegistries.SOUND_EVENT.getOptional(ResourceLocation.tryParse(nbt.getString("SoundEvent"))).orElse(this.getDefaultHitGroundSoundEvent()); // Paper - Validate resource location
}
this.setShotFromCrossbow(nbt.getBoolean("ShotFromCrossbow"));
diff --git a/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java b/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
index 7529751afa2932fd16bc4591189b0358268a7b14..e2e1c7a017e82dc7299e5cd1783818e4f0319c0b 100644
--- a/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
+++ b/src/main/java/net/minecraft/world/entity/vehicle/ContainerEntity.java
@@ -67,7 +67,7 @@ public interface ContainerEntity extends Container, MenuProvider {
default void readChestVehicleSaveData(CompoundTag nbt) {
this.clearItemStacks();
if (nbt.contains("LootTable", 8)) {
- this.setLootTable(new ResourceLocation(nbt.getString("LootTable")));
+ this.setLootTable(ResourceLocation.tryParse(nbt.getString("LootTable"))); // Paper - Validate ResourceLocation
this.setLootTableSeed(nbt.getLong("LootTableSeed"));
}
2024-02-18 12:53:27 +01:00
diff --git a/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java b/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
index d04fc84eef11adb5ea64077f48794b6ed7fb3ada..89d06253b00604114e543ebbe12a9993ae95dc41 100644
--- a/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
+++ b/src/main/java/net/minecraft/world/level/block/entity/AbstractFurnaceBlockEntity.java
@@ -290,7 +290,12 @@ public abstract class AbstractFurnaceBlockEntity extends BaseContainerBlockEntit
while (iterator.hasNext()) {
String s = (String) iterator.next();
- this.recipesUsed.put(new ResourceLocation(s), nbttagcompound1.getInt(s));
+ // Paper start - Validate ResourceLocation
+ final ResourceLocation resourceLocation = ResourceLocation.tryParse(s);
+ if (resourceLocation != null) {
+ this.recipesUsed.put(resourceLocation, nbttagcompound1.getInt(s));
+ }
+ // Paper end - Validate ResourceLocation
}
// Paper start - cook speed multiplier API
diff --git a/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java b/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
index b5b1831631e233a96b6fd55972a8862b0f420da8..3f62e823bf9b5aa696e3c240613a0fb50340875e 100644
--- a/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
+++ b/src/main/java/net/minecraft/world/level/block/entity/BrushableBlockEntity.java
@@ -199,7 +199,7 @@ public class BrushableBlockEntity extends BlockEntity {
private boolean tryLoadLootTable(CompoundTag nbt) {
if (nbt.contains("LootTable", 8)) {
- this.lootTable = new ResourceLocation(nbt.getString("LootTable"));
+ this.lootTable = ResourceLocation.tryParse(nbt.getString("LootTable")); // Paper - Validate ResourceLocation
this.lootTableSeed = nbt.getLong("LootTableSeed");
return true;
} else {
