PrismarineJS / mineflayer

Create Minecraft bots with a powerful, stable, and high level JavaScript API.
https://prismarinejs.github.io/mineflayer/
MIT License

brackets crash mineflayer bot #2252

Open murashkayt opened 3 years ago

murashkayt commented 3 years ago

Versions

Detailed description of a problem

When a message with a large number of brackets is sent in the chat, the bot is overloaded and leaves the server after a minute.

What did you try yet?

Did you try any method from the API? No. Did you try any example? Any error from those? No.

Your current code

const mineflayer = require('mineflayer')

const bot = mineflayer.createBot({
  host: 'localhost',
  username: 'bot',
  version: '1.12.2'
})

bot.on('message', (message) => {
  console.log(message.toAnsi())
})

Expected behavior

No crashes

Additional context

VSC with Minecraft: [image: Screenshot_97]

This problem is observed not only on the vanilla server, but also on the Spigot server.

Here's a screenshot of the task manager when the bot is overloaded: [image: Screenshot_98]

You can crash the bot by writing a lot of brackets in the chat. If the bot is running on someone else's computer, it is quite possible to overload the computer owner's system.

My friend told me that it is possible to fix this problem by writing return in lib/plugins/chat.js after 121 lines. But this will cut the functionality of mineflayer, and bot.chatAddPattern will not work.

U5B commented 3 years ago

That is a regex dos, also known as a regex denial of service.

Can you try commenting out https://github.com/PrismarineJS/mineflayer/blob/db8e6931740cca8300105dd32ef2a5dac5dcc416/lib/plugins/chat.js#L105? I believe the USERNAME_REGEX is causing the issue.

https://regexr.com/673s2 shows that many () cause the regex parsing to slow down heavily.
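Added example, not part of the issue thread and not mineflayer's code: a regression check for the regex denial of service described in the comment above, comparing an unbounded username-prefix pattern with a bounded one. The patterns, the "whispers to you" line format, the bounds 15 and 5, and the names LOOSE, BOUNDED, parseWhisper, timeMs, brackets and growthTable are assumptions made for illustration.

```javascript
'use strict'
// Constructed patterns, NOT copied from lib/plugins/chat.js.
// LOOSE: optional rank prefix in () or [] before the username, with
// unbounded ".+" inside an unbounded lazy repetition (nested quantifiers).
// BOUNDED: same idea, but prefix length and repetition count are capped
// (15 and 5 are assumed limits; longer prefixes will no longer match).
const LOOSE = /^(?:\(.+\)|\[.+\]|.)*?(\w+) whispers to you: (.*)$/
const BOUNDED = /^(?:\(.{1,15}\)|\[.{1,15}\]|.){0,5}?(\w+) whispers to you: (.*)$/

// Parse one chat line; returns { username, text } or null when it does not match.
function parseWhisper (re, line) {
  const m = re.exec(line)
  return m ? { username: m[1], text: m[2] } : null
}

// Wall-clock cost of a single match attempt, in milliseconds.
function timeMs (re, line) {
  const start = performance.now()
  re.exec(line)
  return performance.now() - start
}

// Constructed non-matching test input: n bracket pairs and no username.
const brackets = (n) => '()'.repeat(n)

// Time both patterns on growing inputs. With LOOSE, every "(" can pair with
// any later ")", so the number of backtracking paths doubles per added pair.
// BOUNDED explores a fixed maximum number of paths regardless of input length.
// Default sizes are kept small so the table is produced in well under a second.
function growthTable (sizes = [10, 14, 18]) {
  return sizes.map((n) => ({
    pairs: n,
    looseMs: timeMs(LOOSE, brackets(n)),
    boundedMs: timeMs(BOUNDED, brackets(n))
  }))
}

console.table(growthTable())
```

Because the unbounded pattern's cost is exponential in the number of pairs, capping the chat line length alone does not help: even a line of a few dozen pairs is enough to stall it, so the bound has to be in the pattern itself.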

U5B commented 2 years ago

Temporary workaround: https://github.com/PrismarineJS/mineflayer/issues/2328#issuecomment-985246695