fix(pm): exploit when the player can modify the PluginMessage

Nookure · Dec 27, 2024 · c1d26ae · c1d26ae
1 parent b81f690
commit c1d26ae
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/...taff-Velocity/src/main/java/com/nookure/staff/velocity/messaging/PluginMessageRouter.java b/...taff-Velocity/src/main/java/com/nookure/staff/velocity/messaging/PluginMessageRouter.java
@@ -7,6 +7,7 @@
 import com.velocitypowered.api.event.Subscribe;
 import com.velocitypowered.api.event.connection.PluginMessageEvent;
 import com.velocitypowered.api.proxy.ProxyServer;
+import com.velocitypowered.api.proxy.ServerConnection;
 import com.velocitypowered.api.proxy.messages.MinecraftChannelIdentifier;
 
 public class PluginMessageRouter {
@@ -26,6 +27,13 @@ public void onPluginMessageFromPlayer(PluginMessageEvent event) {
 
     event.setResult(PluginMessageEvent.ForwardResult.handled());
 
+    if (!(event.getSource() instanceof ServerConnection)) {
+      logger.warning("Received plugin message from non-server connection source.");
+      logger.warning("Source: %s", event.getSource());
+      logger.warning("Be aware that this is a potential player trying to attack your server.");
+      return;
+    }
+
     logger.debug("Routing plugin message to all servers.");
 
     messenger.decodeEvent(event.getData());