From 263ea7458c8b5e252eb1f51d896fd13d661320b4 Mon Sep 17 00:00:00 2001 From: ChomeNS <95471003+ChomeNS@users.noreply.github.com> Date: Sun, 25 May 2025 09:21:54 +0700 Subject: [PATCH] fix: stack overflow kick exploit by section sign + characters that aren't in the codes like `v` --- build-number.txt | 2 +- .../me/chayapak1/chomens_bot/util/ComponentUtilities.java | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build-number.txt b/build-number.txt index 71f48c0f..24d6b312 100644 --- a/build-number.txt +++ b/build-number.txt @@ -1 +1 @@ -3303 \ No newline at end of file +3311 \ No newline at end of file diff --git a/src/main/java/me/chayapak1/chomens_bot/util/ComponentUtilities.java b/src/main/java/me/chayapak1/chomens_bot/util/ComponentUtilities.java index 7da8f4e1..abf19a10 100644 --- a/src/main/java/me/chayapak1/chomens_bot/util/ComponentUtilities.java +++ b/src/main/java/me/chayapak1/chomens_bot/util/ComponentUtilities.java @@ -101,13 +101,13 @@ public class ComponentUtilities { private static String guardedStringify (final ComponentEncoder serializer, final Component message) { try { return serializer.serialize(message); - } catch (final Exception e) { + } catch (final Throwable throwable) { return guardedStringify( serializer, Component.translatable( "", NamedTextColor.RED, - Component.text(e.toString()) + Component.text(throwable.toString()) ) ); } finally { @@ -169,7 +169,9 @@ public class ComponentUtilities { return component.content(); } else { // we deserialize then serialize again - final TextComponent deserialized = LEGACY_COMPONENT_SERIALIZER.deserialize(content); + final TextComponent deserialized = LEGACY_COMPONENT_SERIALIZER + // prevents stack overflow since adventure seems to just ignore invalid codes + .deserialize(content.replaceAll("ยง[^a-f0-9rlonmk]", "")); return isDiscord ? stringifyDiscordAnsi(deserialized)