Fix FATAL bug that malicious player could log in through third-party …

…bungeecord/velocity.
SJMC-Dev · Feb 24, 2023 · b01d01e · b01d01e
1 parent e43cc5d
commit b01d01e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/build.gradle b/build.gradle
@@ -5,7 +5,7 @@ plugins {
 }
 
 group = 'work.art1st'
-version = '1.1.0-SNAPSHOT'
+version = '1.1.1-SNAPSHOT'
 
 repositories {
     mavenCentral()

diff --git a/src/main/java/work/art1st/proxiedproxy/ProxiedProxy.java b/src/main/java/work/art1st/proxiedproxy/ProxiedProxy.java
@@ -255,16 +255,19 @@ public void onPreLoginEvent(PreLoginEvent event) throws NoSuchFieldException, Il
                     loginInboundConnection.sendLoginPluginMessage(channel, ForwardingPluginChannel.FORWARDING_REQUEST.getBytes(StandardCharsets.UTF_8), bytes -> {
                         /* Async callback function that stores forwarded player info into cache
                          * Seems that the callback is always invoked before the next event(GameProfileRequestEvent). (Is it guaranteed?) */
-                        if (bytes != null) {
-                            String response = new String(bytes, StandardCharsets.UTF_8);
-                            debugOutput("Received LoginPluginMessage response:");
-                            debugOutput(response);
-                            ForwardingParser parser = new Gson().fromJson(response, ForwardingParser.class);
-                            if (!parser.isTrusted(proxyConfig.trustedEntries)) {
-                                loginInboundConnection.disconnect(Component.text("You are connecting from an untrusted entry."));
-                            }
-                            proxyConfig.profileCache.put(parser.getProfile().getName(), parser);
+                        if (bytes == null) {
+                            loginInboundConnection.disconnect(Component.text("You are connecting from an untrusted entry."));
+                            return;
+                        }
+                        String response = new String(bytes, StandardCharsets.UTF_8);
+                        debugOutput("Received LoginPluginMessage response:");
+                        debugOutput(response);
+                        ForwardingParser parser = new Gson().fromJson(response, ForwardingParser.class);
+                        if (!parser.isTrusted(proxyConfig.trustedEntries)) {
+                            loginInboundConnection.disconnect(Component.text("You are connecting from an untrusted entry."));
+                            return;
                         }
+                        proxyConfig.profileCache.put(parser.getProfile().getName(), parser);
                     });
                     /* Set to offline mode to disable encryption,
                      * since velocity does not support encrypted connection to downstream server. */

diff --git a/src/main/java/work/art1st/proxiedproxy/forwarding/ForwardingParser.java b/src/main/java/work/art1st/proxiedproxy/forwarding/ForwardingParser.java
@@ -120,6 +120,9 @@ private String getSignBody() {
 
     public boolean isTrusted(Map<String, TrustedEntry> entries) {
         TrustedEntry entry = entries.get(entryId);
+        if (profile == null) {
+            return false;
+        }
         if (signature != null) {
             if (entry.getType().equals(VerificationType.RSA)) {
                 try {