Prevent malicious join address packet from breaking session serialization

2025-02-03 14:01:47 +01:00 · 2023-01-15 09:01:28 +02:00 · 2023-01-15 09:01:28 +02:00 · b0a1bc1fb1
commit b0a1bc1fb1
parent 38785a9505
1 changed files with 4 additions and 2 deletions
--- a/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/FinishedSession.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/FinishedSession.java
@ -196,8 +196,10 @@ public class FinishedSession implements DateHolder {
                getExtraData(PlayerKills.class).orElseGet(PlayerKills::new).toJson() + ';' +
                getExtraData(MobKillCounter.class).orElseGet(MobKillCounter::new).toJson() + ';' +
                getExtraData(DeathCounter.class).orElseGet(DeathCounter::new).toJson() + ';' +
-                // Join address contains @Untrusted data
-                getExtraData(JoinAddress.class).map(JoinAddress::getAddress).orElse(JoinAddressTable.DEFAULT_VALUE_FOR_LOOKUP) + ';' +
+                // Join address contains @Untrusted data so possible ; needs to be neutralized
+                getExtraData(JoinAddress.class).map(JoinAddress::getAddress)
+                        .map(address -> address.replace(';', ':'))
+                        .orElse(JoinAddressTable.DEFAULT_VALUE_FOR_LOOKUP) + ';' +
                getExtraData(PlayerName.class).map(PlayerName::get).orElseGet(playerUUID::toString);
    }