Critical vulnerability has been closed - exploit has been fixed

This version fixes an extremely critical bug!
Please update to Bungee/Waterfall!

This update fixes a security vulnerability that allowed the Voxel Hack Client to execute any command on the proxy if the T2CodeLib was installed on it (https://github.com/Renovsk/VoxelClient-SRC/blob/main/me/nullnet/voxelclient/exploits/T2CExploit.java). This has been fixed.

This has been fixed and all games that try to use this exploit are now displayed in the console.

Translated with www.DeepL.com/Translator (free version)

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>net.t2code</groupId>
     <artifactId>T2CodeLib</artifactId>
-    <version>16.9</version>
+    <version>17.0</version>
     <!--version>VERSION_snapshot-0</version-->
     <!--version>VERSION_beta-0</version-->
     <!--version>VERSION_dev-0</version-->
@@ -166,7 +166,7 @@
         <dependency>
             <groupId>me.clip</groupId>
             <artifactId>placeholderapi</artifactId>
-            <version>2.11.3</version>
+            <version>2.11.6</version>
             <scope>provided</scope>
         </dependency>
 
@@ -174,7 +174,7 @@
         <dependency>
             <groupId>com.bencodez</groupId>
             <artifactId>votingplugin</artifactId>
-            <version>6.12.1</version>
+            <version>6.18.3</version>
             <scope>provided</scope>
         </dependency>
 
@@ -182,7 +182,7 @@
         <dependency>
             <groupId>net.kyori</groupId>
             <artifactId>adventure-text-minimessage</artifactId>
-            <version>4.18.0-SNAPSHOT</version>
+            <version>4.19.0</version>
             <scope>compile</scope>
         </dependency>
         <dependency>

src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/T2CplmsgBcmd.java

@@ -2,9 +2,11 @@ package net.t2code.t2codelib.BUNGEE.system.pluginMessaging;
 
 import net.md_5.bungee.api.ProxyServer;
 import net.md_5.bungee.api.connection.ProxiedPlayer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
+import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
 import net.t2code.t2codelib.Util;
 import org.junit.Ignore;
 
@@ -16,6 +18,12 @@ public class T2CplmsgBcmd implements Listener {
     @EventHandler
     public void onPluginmessage(PluginMessageEvent event) {
         if (event.getTag().equalsIgnoreCase("t2c:bcmd")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
             event.setCancelled(true);
             DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
             try {

src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/autoResponse/T2CapiAutoResponse.java

@@ -2,10 +2,12 @@ package net.t2code.t2codelib.BUNGEE.system.pluginMessaging.autoResponse;
 
 import net.md_5.bungee.api.ProxyServer;
 import net.md_5.bungee.api.connection.ProxiedPlayer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
 import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
+import net.t2code.t2codelib.Util;
 
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
@@ -16,6 +18,12 @@ public class T2CapiAutoResponse implements Listener {
     @EventHandler
     public void onPluginmessage(PluginMessageEvent event) {
         if (event.getTag().equalsIgnoreCase("t2c:aresp")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
             DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
             event.setCancelled(true);
             try {

src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/opSecurity/T2CapiOpSecurity.java

@@ -1,9 +1,12 @@
 package net.t2code.t2codelib.BUNGEE.system.pluginMessaging.opSecurity;
 
 import net.md_5.bungee.api.ProxyServer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
+import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
+import net.t2code.t2codelib.Util;
 
 import java.io.*;
 import java.util.logging.Logger;
@@ -13,6 +16,12 @@ public class T2CapiOpSecurity implements Listener {
     @EventHandler
     public void onPluginmessage(PluginMessageEvent event) {
         if (event.getTag().equalsIgnoreCase("t2c:opsec")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
             event.setCancelled(true);
             DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
             try {