search

magemonkeystudio / genesis

MIT License
8 stars 8 forks source link

[Urgent, Exploitable] PriceType ITEM ignores item custom name, lore, flags, data #18

Closed TraipsingShadow closed 1 year ago

TraipsingShadow commented 1 year ago

Minecraft Version: 1.19.3 Server: paper-1.19.3-375.jar BossShopPro jar/version: bossshoppro-2.1.0-20221231.231026-19.jar

Setting shop's price as ITEM type (tested with PriceType AND) and placing data from said specific item taken from /bs read or manually inputting data can make players still purchase the Shop Item as long as the type of the item is there.

To put it simply, as long as the Player has any item that matches the type of item declared in the Price section, they can purchase the item regardless.

The Exploit, Simulated

Below is a simulation of how the Player can use the exploit.

  PowerSword:
    MenuItem:
      - 'name:#96031APower Sword'
      - 'lore:&f&r'
      - 'lore:&r#96031APrice:'
      - 'lore:&r#96031A2500 Coins'
      - 'lore:&r#96031ASpecial Cobblestone'
      - 'type:wooden_sword'
      - 'hideflags:HIDE_ATTRIBUTES#HIDE_ENCHANTS#HIDE_UNBREAKABLE#HIDE_DESTROYS#HIDE_PLACED_ON#HIDE_POTION_EFFECTS#HIDE_DYE'
    RewardType: command
    Reward:
      - itemgen give %player% powersword
    PriceType: AND
    Price:
      PriceType1: ITEM
      Price1:
        - type:COBBLESTONE
        - amount:10
        - durability:0
        - name:#96031ASpecial Cobblestone
        - lore1:#96031ACan be bought from the fictional ProMCTeam Shop!
        - lore2:#96031ASample Item
        - itemflag:HIDE_ENCHANTS
      PriceType2: MONEY
      Price2: '2500'
    Message: 'Purchased.'
    InventoryLocation: 1

The Player first opens the shop and sees the item. The Player has said Vault money of 2500 Coins. However, he does not have the "Special Cobblestone" item which can only be bought from the fictional "ProMCTeam Shop". He has, however, ten pieces of normal cobblestone he got from mining.

Expected Result:

As soon as he clicks the item to try and buy it, he receives the message telling him he does not have the item the Shop is asking for.

Actual Result:

As soon as he clicks the item to try and buy it, both his money and the cobblestone he mined (which did NOT have the special attributes, name, lore, and flags of the said item) gets taken as valid payment and the Reward is issued. The player has completely bypassed the explicit requirement of the Item declared in the shop.

This is dangerous. So far, the only fix I've done (or can do) is closing all server shops until further notice.

I am not sure if this is a widespread issue or if my use-case is common, but I cannot employ any other fix as it is inherent to the plugin. I made use of the plugin's features and have read the docs to deploy it on my server. Unfortunately, this (what I would consider at least) major exploit has left everything in a standstill.

I believe this is an issue the devs should consider to look into soon.

lijinhong11 commented 1 year ago

This is indeed an important problem in previous versions and even the original BossShopPro. We already know it, but it may be difficult to fix it.