Critical vulnerability has been closed - exploit has been fixed

This version fixes an extremely critical bug! Please update to Bungee/Waterfall! This update fixes a security vulnerability that allowed the Voxel Hack Client to execute any command on the proxy if the T2CodeLib was installed on it (https://github.com/Renovsk/VoxelClient-SRC/blob/main/me/nullnet/voxelclient/exploits/T2CExploit.java). This has been fixed. This has been fixed and all games that try to use this exploit are now displayed in the console. Translated with www.DeepL.com/Translator (free version)
fix beta 1
2025-03-31 07:19:25 +02:00 · 2025-03-31 06:29:00 +02:00 · 2024-09-30 18:04:33 +02:00
7 changed files with 53 additions and 7 deletions
--- a/pom.xml
+++ b/pom.xml
@ -6,7 +6,7 @@

    <groupId>net.t2code</groupId>
    <artifactId>T2CodeLib</artifactId>
-    <version>16.6</version>
+    <version>17.0</version>
    <!--version>VERSION_snapshot-0</version-->
    <!--version>VERSION_beta-0</version-->
    <!--version>VERSION_dev-0</version-->
@ -166,7 +166,7 @@
        <dependency>
            <groupId>me.clip</groupId>
            <artifactId>placeholderapi</artifactId>
-            <version>2.11.3</version>
+            <version>2.11.6</version>
            <scope>provided</scope>
        </dependency>

@ -174,7 +174,7 @@
        <dependency>
            <groupId>com.bencodez</groupId>
            <artifactId>votingplugin</artifactId>
-            <version>6.12.1</version>
+            <version>6.18.3</version>
            <scope>provided</scope>
        </dependency>

@ -182,7 +182,7 @@
        <dependency>
            <groupId>net.kyori</groupId>
            <artifactId>adventure-text-minimessage</artifactId>
-            <version>4.18.0-SNAPSHOT</version>
+            <version>4.19.0</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
--- a/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/T2CplmsgBcmd.java
+++ b/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/T2CplmsgBcmd.java
@ -2,9 +2,11 @@ package net.t2code.t2codelib.BUNGEE.system.pluginMessaging;

 import net.md_5.bungee.api.ProxyServer;
 import net.md_5.bungee.api.connection.ProxiedPlayer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
+import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
 import net.t2code.t2codelib.Util;
 import org.junit.Ignore;

@ -16,6 +18,12 @@ public class T2CplmsgBcmd implements Listener {
    @EventHandler
    public void onPluginmessage(PluginMessageEvent event) {
        if (event.getTag().equalsIgnoreCase("t2c:bcmd")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
            event.setCancelled(true);
            DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
            try {
--- a/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/autoResponse/T2CapiAutoResponse.java
+++ b/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/autoResponse/T2CapiAutoResponse.java
@ -2,10 +2,12 @@ package net.t2code.t2codelib.BUNGEE.system.pluginMessaging.autoResponse;

 import net.md_5.bungee.api.ProxyServer;
 import net.md_5.bungee.api.connection.ProxiedPlayer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
 import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
+import net.t2code.t2codelib.Util;

 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
@ -16,6 +18,12 @@ public class T2CapiAutoResponse implements Listener {
    @EventHandler
    public void onPluginmessage(PluginMessageEvent event) {
        if (event.getTag().equalsIgnoreCase("t2c:aresp")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
            DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
            event.setCancelled(true);
            try {
--- a/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/opSecurity/T2CapiOpSecurity.java
+++ b/src/main/java/net/t2code/t2codelib/BUNGEE/system/pluginMessaging/opSecurity/T2CapiOpSecurity.java
@ -1,9 +1,12 @@
 package net.t2code.t2codelib.BUNGEE.system.pluginMessaging.opSecurity;

 import net.md_5.bungee.api.ProxyServer;
+import net.md_5.bungee.api.connection.Server;
 import net.md_5.bungee.api.event.PluginMessageEvent;
 import net.md_5.bungee.api.plugin.Listener;
 import net.md_5.bungee.event.EventHandler;
+import net.t2code.t2codelib.BUNGEE.api.messages.T2CBsend;
+import net.t2code.t2codelib.Util;

 import java.io.*;
 import java.util.logging.Logger;
@ -13,6 +16,12 @@ public class T2CapiOpSecurity implements Listener {
    @EventHandler
    public void onPluginmessage(PluginMessageEvent event) {
        if (event.getTag().equalsIgnoreCase("t2c:opsec")) {
+
+            if (!(event.getSender() instanceof Server)) {
+                T2CBsend.console(Util.getPrefix() +" <dark_gray>[<gold>Exploit-protection</gold>]</dark_gray> <red>Blocked unauthorized plugin message from a player ("+ event.getSender().toString() +")!");
+                return;
+            }
+
            event.setCancelled(true);
            DataInputStream stream = new DataInputStream(new ByteArrayInputStream(event.getData()));
            try {
--- a/src/main/java/net/t2code/t2codelib/SPIGOT/api/minecraftVersion/T2CmcVersion.java
+++ b/src/main/java/net/t2code/t2codelib/SPIGOT/api/minecraftVersion/T2CmcVersion.java
@ -31,6 +31,7 @@ public class T2CmcVersion {
        mc1_19 = mcVersion.contains("MC: 1.19");
        mc1_20 = mcVersion.contains("MC: 1.20");
        mc1_21 = mcVersion.contains("MC: 1.21");
+        mc1_22 = mcVersion.contains("MC: 1.22");

        nms1_8_R1 = nms.contains("1_8_R1");
        nms1_8_R2 = nms.contains("1_8_R2");
@ -57,6 +58,8 @@ public class T2CmcVersion {
        nms1_20_R3 = nms.contains("1_20_R3");
        nms1_20_R4 = nms.contains("1_20_R4");
        nms1_21_R1 = nms.contains("1_21_R1");
+        nms1_21_R2 = nms.contains("1_21_R2");
+        nms1_22_R1 = nms.contains("1_22_R1");
    }

    private static String mcVersion;
@ -75,6 +78,7 @@ public class T2CmcVersion {
    private static boolean mc1_19;
    private static boolean mc1_20;
    private static boolean mc1_21;
+    private static boolean mc1_22;

    private static String nms;
    private static boolean nms1_8_R1;
@ -102,6 +106,8 @@ public class T2CmcVersion {
    private static boolean nms1_20_R3;
    private static boolean nms1_20_R4;
    private static boolean nms1_21_R1;
+    private static boolean nms1_21_R2;
+    private static boolean nms1_22_R1;

    public static String getMcVersion() {
        return mcVersion;
@ -166,6 +172,11 @@ public class T2CmcVersion {
    public static boolean isMc1_21() {
        return mc1_21;
    }
+    public static boolean isMc1_22() {
+        return mc1_22;
+    }
+
+

    public static String getNms() {
        return nms;
@ -270,6 +281,12 @@ public class T2CmcVersion {
    public static boolean isNms1_21_R1() {
        return nms1_21_R1;
    }
+    public static boolean isNms1_21_R2() {
+        return nms1_21_R2;
+    }
+    public static boolean isNms1_22_R1() {
+        return nms1_22_R1;
+    }


    public static boolean minMc1_8() {
@ -324,4 +341,8 @@ public class T2CmcVersion {
        return !isMc1_8() && !isMc1_9() && !isMc1_10() && !isMc1_11() && !isMc1_12() && !isMc1_13() && !isMc1_14() && !isMc1_15() && !isMc1_16() && !isMc1_17()
                && !isMc1_18() && !isMc1_19();
    }
+    public static boolean minMc1_21() {
+        return !isMc1_8() && !isMc1_9() && !isMc1_10() && !isMc1_11() && !isMc1_12() && !isMc1_13() && !isMc1_14() && !isMc1_15() && !isMc1_16() && !isMc1_17()
+                && !isMc1_18() && !isMc1_19()&& !isMc1_20();
+    }
 }
--- a/src/main/java/net/t2code/t2codelib/SPIGOT/api/minecraftVersion/T2CnmsVersions.java
+++ b/src/main/java/net/t2code/t2codelib/SPIGOT/api/minecraftVersion/T2CnmsVersions.java
@ -90,7 +90,7 @@ public class T2CnmsVersions {
        } else if (mc.contains("(MC: 1.20.6)")) {
            t2CnmsEnum = T2CnmsEnum.v1_20_R4;
            T2Cdebug.debugmsg(T2CodeLibMain.getPlugin(), String.valueOf(t2CnmsEnum));
-        } else if (mc.contains("(MC: 1.21)")) {
+        } else if (mc.contains("(MC: 1.21)") || mc.contains("(MC: 1.21.1)")) {
            t2CnmsEnum = T2CnmsEnum.v1_21_R1;
            T2Cdebug.debugmsg(T2CodeLibMain.getPlugin(), String.valueOf(t2CnmsEnum));
        } else t2CnmsEnum = T2CnmsEnum.not_support;
--- a/src/main/java/net/t2code/t2codelib/SPIGOT/system/T2CodeLibMain.java
+++ b/src/main/java/net/t2code/t2codelib/SPIGOT/system/T2CodeLibMain.java
@ -79,10 +79,10 @@ public final class T2CodeLibMain extends JavaPlugin {
                }
            }
        }
-        if (T2CmcVersion.isMc1_21()) {
+        if (T2CmcVersion.isMc1_22()) {
            T2Csend.console(prefix + " §4!!!!!!!!!!!!!!!!!!!!");
            T2Csend.console(prefix);
-            T2Csend.warning(plugin, "The 1.21 is a very fresh / new version. If there are any bugs in our plugins, please report them to us via our Discord: http://dc.t2code.net");
+            T2Csend.warning(plugin, "The 1.22 is a very fresh / new version. If there are any bugs in our plugins, please report them to us via our Discord: http://dc.t2code.net");
            T2Csend.console(prefix);
            T2Csend.console(prefix + " §4!!!!!!!!!!!!!!!!!!!!");
            if (!SelectLibConfig.getT2cTestDevelopment()) {