[BUG] Minecolonies Builder allows you to smuggle items into servers

LinkTheLinker commented 7 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Are you using the latest MineColonies Version?

[X] I am running the latest alpha version of MineColonies for my Minecraft version.

Did you check on the Wiki? or ask on Discord?

[X] I checked the MineColonies Wiki and made sure my issue is not covered there. Or I was sent from discord to open an issue here.

What were you playing at the time? Were you able to reproduce it in both settings?

[X] Single Player
[X] Multi Player

Minecraft Version

1.20.1

MineColonies Version

1.20.2-1.1.385-BETA

Structurize Version

1.20.1-1.0.674-BETA

Related Mods and their Versions

Forge 1.20.1 - 47.2.0
blockui-1.20.1-1.0.128-BETA
donum_ornamentum-1.20-1.0.150-BETA-universal
multipistion-1.20-1.2.31-ALPHA
towntalk-1.20.1-1.0.1

Current Behavior

Link to Video: https://drive.google.com/file/d/1AU1ABGryISkHu5z109Ye1DL8Yd6O9jBw/view?usp=sharing

The video shows that the items in the Minecart with Chest can be created from thin air by the Builder with a scan. While command blocks are used, creative items or items with Custom NBT data can be "smuggled" into multiplayer servers. I have tested this on an actual server running an earlier version of Minecolonies with great success. Furthermore, this can also be executed via Minecart with Hopper and Boats with Chests.

Expected Behavior

What should happen is when making the scan of the Minecart with Chest is it should show the resources needed for the items that are contained in the inventory. Furthermore, the scan should not allow the smuggling of illegal items onto servers.

Reproduction Steps

Boot up a modpack that purely has the Minecolonies mod with the other mods required to boot up Minecolonies or even a modpack with Minecolonies like ATM 9.
Start a new world with Creative mode and Allow Cheats set to ON.
Get a town hall block, builder's hut block, build tool, scan tool, 64 rails, a Minecart with Chest and the desired item(s) you want to "smuggle" onto a server.
Place the rail, Minecart with Chest and put the desired item(s) into the Chest. Then, create a scan with the Scan tool.
Build the town hall with the build tool, and press "assign to builder".
Build the builder's hut with the build tool, and press "assign to builder".
Once a citizen is assigned a builder, build the scan created in step 4 and press "assign to builder".
Give the builder a stack of rails.
The builder will build the Minecart with Chest and you will find the items you put into the initial Minecart with Chest in the build.

Logs

https://gist.github.com/LinkTheLinker/b91bf627b604518fdbcb4d010f17fdbc

Anything else?

Note: This also functions in the 1.19.2 versions of Minecolonies, that were also tested in both singleplayer and multiplayer.

Thodor12 commented 7 months ago

@Raycoms Could this be considered a security vulnerability? Even though command blocks aren't usable by a non OP, it could still be used as an easy way to cheat in items.

Raycoms commented 7 months ago

Minecart with chests not requiring the items is a bug.

Thodor12 commented 7 months ago

Should those be separate placement handlers, or is there generic code that checks inventories of all entities?

Raycoms commented 7 months ago

There is generic code for entities

Raycoms commented 7 months ago

Entities dont have placement handlers (at least yet)

ldtteam / Structurize