Skip to content

Commit

Permalink
Several command permission fixes
Browse files Browse the repository at this point in the history
 - Attach permission checks to the first argument (so the literal
   command name) rather than the last argument. This fixes commands
   showing up when they shouldn't.

 - HelpingArgumentBuilder now inherits permissions of its leaf nodes.
   This only really impacts the "track" subcommand.

 - Don't autocomplete the computer selector for the "queue" subcommand.
   As everyone has permission for this command, it's possible to find
   all computer ids and labels in the world.

   I'm in mixed minds about this, but don't think this is an exploit -
   computer ids/labels are sent to in-range players so shouldn't be
   considered secret - but worth patching none-the-less.
  • Loading branch information
SquidDev committed Jul 6, 2023
1 parent f629831 commit 7436447
Show file tree
Hide file tree
Showing 4 changed files with 79 additions and 18 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,13 @@

import com.mojang.brigadier.CommandDispatcher;
import com.mojang.brigadier.arguments.StringArgumentType;
import com.mojang.brigadier.builder.RequiredArgumentBuilder;
import com.mojang.brigadier.exceptions.CommandSyntaxException;
import com.mojang.brigadier.suggestion.Suggestions;
import dan200.computercraft.api.peripheral.IPeripheral;
import dan200.computercraft.core.computer.ComputerSide;
import dan200.computercraft.core.metrics.Metrics;
import dan200.computercraft.shared.command.arguments.ComputersArgumentType;
import dan200.computercraft.shared.command.text.TableBuilder;
import dan200.computercraft.shared.computer.core.ComputerFamily;
import dan200.computercraft.shared.computer.core.ServerComputer;
Expand Down Expand Up @@ -201,7 +204,10 @@ else if( b.getWorld() == world )

.then( command( "queue" )
.requires( UserLevel.ANYONE )
.arg( "computer", manyComputers() )
.arg(
RequiredArgumentBuilder.<CommandSource, ComputersArgumentType.ComputersSupplier>argument( "computer", manyComputers() )
.suggests( ( context, builder ) -> Suggestions.empty() )
)
.argManyValue( "args", StringArgumentType.string(), Collections.emptyList() )
.executes( ( ctx, args ) -> {
Collection<ServerComputer> computers = getComputersArgument( ctx, "computer" );
Expand Down
26 changes: 25 additions & 1 deletion src/main/java/dan200/computercraft/shared/command/UserLevel.java
Original file line number Diff line number Diff line change
Expand Up @@ -61,12 +61,36 @@ public boolean test( CommandSource source )
return source.hasPermission( toLevel() );
}

/**
* Take the union of two {@link UserLevel}s.
* <p>
* This satisfies the property that for all sources {@code s}, {@code a.test(s) || b.test(s) == (a ∪ b).test(s)}.
*
* @param left The first user level to take the union of.
* @param right The second user level to take the union of.
* @return The union of two levels.
*/
public static UserLevel union( UserLevel left, UserLevel right )
{
if( left == right ) return left;

// x ∪ ANYONE = ANYONE
if( left == ANYONE || right == ANYONE ) return ANYONE;

// x ∪ OWNER = OWNER
if( left == OWNER ) return right;
if( right == OWNER ) return left;

// At this point, we have x != y and x, y ∈ { OP, OWNER_OP }.
return OWNER_OP;
}

private static boolean isOwner( CommandSource source )
{
MinecraftServer server = source.getServer();
Entity sender = source.getEntity();
return server.isDedicatedServer()
? source.getEntity() == null && source.hasPermission( 4 ) && source.getTextName().equals( "Server" )
: sender instanceof PlayerEntity && ((PlayerEntity) sender).getGameProfile().getName().equalsIgnoreCase( server.getServerModName() );
: sender instanceof PlayerEntity && server.isSingleplayerOwner( ((PlayerEntity) sender).getGameProfile() );
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -52,12 +52,17 @@ public CommandBuilder<S> requires( Predicate<S> predicate )
return this;
}

public CommandBuilder<S> arg( String name, ArgumentType<?> type )
public CommandBuilder<S> arg( ArgumentBuilder<S, ?> arg )
{
args.add( RequiredArgumentBuilder.argument( name, type ) );
args.add( arg );
return this;
}

public CommandBuilder<S> arg( String name, ArgumentType<?> type )
{
return arg( RequiredArgumentBuilder.argument( name, type ) );
}

public <T> CommandNodeBuilder<S, ArgCommand<S, List<T>>> argManyValue( String name, ArgumentType<T> type, List<T> empty )
{
return argMany( name, type, () -> empty );
Expand All @@ -84,7 +89,7 @@ private <T, U> CommandNodeBuilder<S, ArgCommand<S, List<T>>> argMany( String nam

return command -> {
// The node for no arguments
ArgumentBuilder<S, ?> tail = tail( ctx -> command.run( ctx, empty.get() ) );
ArgumentBuilder<S, ?> tail = setupTail( ctx -> command.run( ctx, empty.get() ) );

// The node for one or more arguments
ArgumentBuilder<S, ?> moreArg = RequiredArgumentBuilder
Expand All @@ -93,7 +98,7 @@ private <T, U> CommandNodeBuilder<S, ArgCommand<S, List<T>>> argMany( String nam

// Chain all of them together!
tail.then( moreArg );
return link( tail );
return buildTail( tail );
};
}

Expand All @@ -106,22 +111,18 @@ private static <T> List<T> getList( CommandContext<?> context, String name )
@Override
public CommandNode<S> executes( Command<S> command )
{
if( args.isEmpty() ) throw new IllegalStateException( "Cannot have empty arg chain builder" );

return link( tail( command ) );
return buildTail( setupTail( command ) );
}

private ArgumentBuilder<S, ?> tail( Command<S> command )
private ArgumentBuilder<S, ?> setupTail( Command<S> command )
{
ArgumentBuilder<S, ?> defaultTail = args.get( args.size() - 1 );
defaultTail.executes( command );
if( requires != null ) defaultTail.requires( requires );
return defaultTail;
return args.get( args.size() - 1 ).executes( command );
}

private CommandNode<S> link( ArgumentBuilder<S, ?> tail )
private CommandNode<S> buildTail( ArgumentBuilder<S, ?> tail )
{
for( int i = args.size() - 2; i >= 0; i-- ) tail = args.get( i ).then( tail );
if( requires != null ) tail.requires( requires );
return tail.build();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import com.mojang.brigadier.context.CommandContext;
import com.mojang.brigadier.tree.CommandNode;
import com.mojang.brigadier.tree.LiteralCommandNode;
import dan200.computercraft.shared.command.UserLevel;
import net.minecraft.command.CommandSource;
import net.minecraft.util.text.IFormattableTextComponent;
import net.minecraft.util.text.ITextComponent;
Expand All @@ -22,6 +23,10 @@
import javax.annotation.Nonnull;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import static dan200.computercraft.shared.command.text.ChatHelpers.coloured;
import static dan200.computercraft.shared.command.text.ChatHelpers.translate;
Expand All @@ -44,6 +49,33 @@ public static HelpingArgumentBuilder choice( String literal )
return new HelpingArgumentBuilder( literal );
}


@Override
public LiteralArgumentBuilder<CommandSource> requires( Predicate<CommandSource> requirement )
{
throw new IllegalStateException( "Cannot use requires on a HelpingArgumentBuilder" );
}

@Override
public Predicate<CommandSource> getRequirement()
{
// The requirement of this node is the union of all child's requirements.
List<Predicate<CommandSource>> requirements = Stream.concat(
children.stream().map( ArgumentBuilder::getRequirement ),
getArguments().stream().map( CommandNode::getRequirement )
).collect( Collectors.toList() );

// If all requirements are a UserLevel, take the union of those instead.
UserLevel userLevel = UserLevel.OWNER;
for( Predicate<CommandSource> requirement : requirements )
{
if( !(requirement instanceof UserLevel) ) return x -> requirements.stream().anyMatch( y -> y.test( x ) );
userLevel = UserLevel.union( userLevel, (UserLevel) requirement );
}

return userLevel;
}

@Override
public LiteralArgumentBuilder<CommandSource> executes( final Command<CommandSource> command )
{
Expand Down Expand Up @@ -99,9 +131,7 @@ private LiteralCommandNode<CommandSource> buildImpl( String id, String command )
helpCommand.node = node;

// Set up a /... help command
LiteralArgumentBuilder<CommandSource> helpNode = LiteralArgumentBuilder.<CommandSource>literal( "help" )
.requires( x -> getArguments().stream().anyMatch( y -> y.getRequirement().test( x ) ) )
.executes( helpCommand );
LiteralArgumentBuilder<CommandSource> helpNode = LiteralArgumentBuilder.<CommandSource>literal( "help" ).executes( helpCommand );

// Add all normal command children to this and the help node
for( CommandNode<CommandSource> child : getArguments() )
Expand Down

0 comments on commit 7436447

Please sign in to comment.