JorelAli / CommandAPI

A Bukkit/Spigot API for the command UI introduced in Minecraft 1.13
https://commandapi.jorel.dev
MIT License

Highlight potential misuse of PlayerArgument and OfflinePlayerArgument #586

Open XHawk87 opened 2 months ago

XHawk87 commented 2 months ago

Documentation URL

https://commandapi.jorel.dev/9.5.0/argument_entities.html

What the documentation currently says

Player argument

The PlayerArgument class is very similar (almost identical) to EntitySelectorArgument.OnePlayer. It returns a Player object and requires the player to be online.

Developer's Note:

The PlayerArgument internally uses the GameProfile class from Mojang's authlib, which means that this argument has a slight performance overhead compared to using EntitySelectorArgument.OnePlayer

OfflinePlayer argument

The OfflinePlayerArgument class is identical to the PlayerArgument class, but instead of returning a Player object, it returns an OfflinePlayer object. Internally, this argument makes calls to Mojang servers (via Mojang's authlib), meaning it can be slightly slower than alternative methods (such as using a StringArgument and suggesting a list of existing offline players).

The OfflinePlayerArgument should be able to retrieve players that have never joined the server before.

Proposed fix

Relating to this discussion on Discord

Although the performance impact is small individually, it can be exploited by malicious players to stall a server by spamming it repeatedly. This vulnerability should be made known so that appropriate permissions can be set. Suggest using red block text instead of grey.
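Added example (not code from the issue author or the CommandAPI project) contrasting an ungated OfflinePlayerArgument command with the permission-gated form the comment recommends, plus the StringArgument alternative the documentation mentions. It assumes CommandAPI 9.x on Bukkit/Spigot; the command name "lookup" and the permission node "example.lookup" are constructed placeholders.

```java
// Added example, not from the CommandAPI project. Assumes CommandAPI 9.x and Bukkit;
// the command name "lookup" and permission node "example.lookup" are constructed.
import dev.jorel.commandapi.CommandAPICommand;
import dev.jorel.commandapi.arguments.ArgumentSuggestions;
import dev.jorel.commandapi.arguments.OfflinePlayerArgument;
import dev.jorel.commandapi.arguments.StringArgument;
import org.bukkit.Bukkit;
import org.bukkit.OfflinePlayer;

import java.util.Arrays;

public final class LookupCommands {

    // Exposed form: every player may run this, and each execution can trigger a profile
    // lookup against Mojang's servers through authlib, so repeated use generates that load.
    public static void registerUngated() {
        new CommandAPICommand("lookup")
            .withArguments(new OfflinePlayerArgument("target"))
            .executes((sender, args) -> {
                OfflinePlayer target = (OfflinePlayer) args.get("target");
                sender.sendMessage("Has played before: " + target.hasPlayedBefore());
            })
            .register();
    }

    // Gated form: same argument, but only senders holding the permission node can reach
    // the Mojang-backed lookup, which bounds who is able to trigger it.
    public static void registerGated() {
        new CommandAPICommand("lookup")
            .withPermission("example.lookup")
            .withArguments(new OfflinePlayerArgument("target"))
            .executes((sender, args) -> {
                OfflinePlayer target = (OfflinePlayer) args.get("target");
                sender.sendMessage("Has played before: " + target.hasPlayedBefore());
            })
            .register();
    }

    // Local-only alternative from the docs: a StringArgument whose suggestions come from
    // players the server already knows; resolution uses the local cache, never the network.
    public static void registerLocalOnly() {
        new CommandAPICommand("lookup")
            .withPermission("example.lookup")
            .withArguments(new StringArgument("target").replaceSuggestions(
                ArgumentSuggestions.strings(info -> Arrays.stream(Bukkit.getOfflinePlayers())
                    .map(OfflinePlayer::getName).filter(n -> n != null).toArray(String[]::new))))
            .executes((sender, args) -> {
                OfflinePlayer target = Bukkit.getOfflinePlayerIfCached((String) args.get("target"));
                sender.sendMessage(target == null ? "Unknown player" : "Found " + target.getName());
            })
            .register();
    }
}
```

Bukkit.getOfflinePlayerIfCached returns null for names not in the server's cache instead of contacting Mojang, which is what keeps the third variant free of remote calls.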

JorelAli commented 2 months ago

Would also be nice to have this brought to developers' attention in the upcoming release notes as well as the documentation changelog.