Add additional JNDI protections

Author: dualspiral

src/main/java/org/spongepowered/common/mixin/exploit/EntityDataManagerMixin_JNDIChatMessageBlock.java

@@ -0,0 +1,55 @@
+/*
+ * This file is part of Sponge, licensed under the MIT License (MIT).
+ *
+ * Copyright (c) SpongePowered <https://www.spongepowered.org>
+ * Copyright (c) contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.spongepowered.common.mixin.exploit;
+
+import net.minecraft.network.datasync.DataParameter;
+import net.minecraft.network.datasync.EntityDataManager;
+import org.spongepowered.asm.mixin.Mixin;
+import org.spongepowered.asm.mixin.injection.At;
+import org.spongepowered.asm.mixin.injection.Inject;
+import org.spongepowered.asm.mixin.injection.callback.CallbackInfo;
+import org.spongepowered.common.text.chat.ChatUtil;
+
+@Mixin(EntityDataManager.class)
+public abstract class EntityDataManagerMixin_JNDIChatMessageBlock {
+
+    @Inject(method = "setEntry", at = @At("HEAD"), cancellable = true)
+    private void exploit$blockJNDIEntryIntoDataManagerViaSetEntry(final DataParameter<?> key, final Object value, CallbackInfo ci) {
+        this.exploit$blockAttemptedJDNIExploit(value, ci);
+    }
+
+    @Inject(method = "set", at = @At("HEAD"), cancellable = true)
+    private void exploit$blockJNDIEntryIntoDataManagerViaSet(final DataParameter<?> key, final Object value, CallbackInfo ci) {
+        this.exploit$blockAttemptedJDNIExploit(value, ci);
+    }
+
+    private void exploit$blockAttemptedJDNIExploit(final Object value, final CallbackInfo ci) {
+        if (ChatUtil.isExploitable(value)) {
+            // block the message because we know it could cause problems.
+            // this just tells the client the message could not be sent.
+            ci.cancel();
+        }
+    }
+}

src/main/java/org/spongepowered/common/mixin/exploit/EntityDataManager_DataEntryMixin_JNDIChatMessageBlock.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of Sponge, licensed under the MIT License (MIT).
+ *
+ * Copyright (c) SpongePowered <https://www.spongepowered.org>
+ * Copyright (c) contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.spongepowered.common.mixin.exploit;
+
+import net.minecraft.network.datasync.DataParameter;
+import net.minecraft.network.datasync.EntityDataManager;
+import org.spongepowered.asm.mixin.Mixin;
+import org.spongepowered.asm.mixin.injection.At;
+import org.spongepowered.asm.mixin.injection.Inject;
+import org.spongepowered.asm.mixin.injection.callback.CallbackInfo;
+import org.spongepowered.common.text.chat.ChatUtil;
+
+@Mixin(EntityDataManager.DataEntry.class)
+public abstract class EntityDataManager_DataEntryMixin_JNDIChatMessageBlock {
+
+
+    @Inject(method = "setValue", at = @At("HEAD"), cancellable = true)
+    private void exploit$blockJNDIEntryIntoDataManagerViaSet(final Object valueIn, final CallbackInfo ci) {
+        if (ChatUtil.isExploitable(valueIn)) {
+            // block the message because we know it could cause problems.
+            // this just tells the client the message could not be sent.
+            ci.cancel();
+        }
+    }
+}

src/main/java/org/spongepowered/common/mixin/exploit/ItemStackMixin_JNDIChatMessageBlock.java

@@ -0,0 +1,61 @@
+/*
+ * This file is part of Sponge, licensed under the MIT License (MIT).
+ *
+ * Copyright (c) SpongePowered <https://www.spongepowered.org>
+ * Copyright (c) contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.spongepowered.common.mixin.exploit;
+
+import net.minecraft.item.ItemStack;
+import net.minecraft.nbt.NBTTagCompound;
+import org.spongepowered.asm.mixin.Mixin;
+import org.spongepowered.asm.mixin.injection.At;
+import org.spongepowered.asm.mixin.injection.Inject;
+import org.spongepowered.asm.mixin.injection.Redirect;
+import org.spongepowered.asm.mixin.injection.callback.CallbackInfoReturnable;
+import org.spongepowered.common.text.chat.ChatUtil;
+
+@Mixin(ItemStack.class)
+public abstract class ItemStackMixin_JNDIChatMessageBlock {
+
+    @Redirect(method = "getDisplayName", at = @At(value = "INVOKE", target = "Lnet/minecraft/nbt/NBTTagCompound;hasKey(Ljava/lang/String;I)Z"))
+    private boolean exploit$ignoreExploitableItemNames(final NBTTagCompound instance, final String key, final int type) {
+        return instance.hasKey(key, type) && type == 8 && !ChatUtil.isExploitable(instance.getString(key));
+    }
+
+    @Inject(method = "setStackDisplayName", at = @At("HEAD"), cancellable = true)
+    private void exploit$ignoreExploitableItemNamesOnSetName(
+            final String displayName, final CallbackInfoReturnable<ItemStack> cir) {
+        if (ChatUtil.isExploitable(displayName)) {
+            cir.setReturnValue((ItemStack) (Object) this);
+        }
+    }
+
+    @Inject(method = "setTranslatableName", at = @At("HEAD"), cancellable = true)
+    private void exploit$ignoreExploitableItemNamesOnSetTranslatableName(
+            final String translatableName, final CallbackInfoReturnable<ItemStack> cir) {
+        // just in case
+        if (ChatUtil.isExploitable(translatableName)) {
+            cir.setReturnValue((ItemStack) (Object) this);
+        }
+    }
+
+}

src/main/java/org/spongepowered/common/text/chat/ChatUtil.java

@@ -24,7 +24,6 @@
  */
 package org.spongepowered.common.text.chat;
 
-import net.minecraft.network.play.server.SPacketChat;
 import net.minecraft.util.text.ITextComponent;
 import net.minecraft.util.text.TextComponentTranslation;
 import net.minecraft.util.text.TextFormatting;
@@ -52,6 +51,19 @@ private ChatUtil() {
 
     public static final String JNDI_EXPLOIT_FRAGMENT = "${jndi";
 
+    public static boolean isExploitable(final Object message) {
+        if (message instanceof String) {
+            return ChatUtil.isExploitable((String) message);
+        } else if (message instanceof ITextComponent) {
+            return ChatUtil.isExploitable((ITextComponent) message);
+        }
+        return false;
+    }
+
+    public static boolean isExploitable(final ITextComponent message) {
+        return ChatUtil.isExploitable(message.getUnformattedText());
+    }
+
     public static boolean isExploitable(final String message) {
         return message.toLowerCase(Locale.ROOT).contains(ChatUtil.JNDI_EXPLOIT_FRAGMENT);
     }

src/main/resources/mixins.common.exploit.json

@@ -7,6 +7,9 @@
   "compatibilityLevel": "JAVA_8",
   "mixins": [
     "AnvilChunkLoaderMixin_FilterInvalidEntities",
+    "EntityDataManager_DataEntryMixin_JNDIChatMessageBlock",
+    "EntityDataManagerMixin_JNDIChatMessageBlock",
+    "ItemStackMixin_JNDIChatMessageBlock",
     "MinecraftServerMixin_JNDIChatMessageBlock",
     "NetHandlerPlayServerMixin_JNDIChatMessageBlock",
     "NetHandlerPlayServerMixin_SlotAndSizeFix",