wiremod / wire

Garry's Mod add-on that allows users to wire up components in order to make more elaborate automatic and user-controlled contraptions.
http://www.wiremod.com
Apache License 2.0

Wire entities not checking permission before creating constraint lead to exploit with AdvDupe2 #2973

Open Bonyoze opened 9 months ago

Bonyoze commented 9 months ago

Describe the bug

The Wire Socket and Wire Plug create a weld constraint between one another without checking WireLib.CanTool. This lets anyone create a plug and link it to another player's socket, allowing them to copy the entire build with AdvDupe2, despite the player not giving permission at all.

The Wire Grabber does check WireLib.CanTool but only for its owner and not the owner of the prop being grabbed. However, it still prevents duplication of the constrained entities since it overwrites the type of the constraint.

https://github.com/wiremod/wire/blob/53a70a23315d210db5ff9d0082a6ca38b809182d/lua/entities/gmod_wire_grabber.lua#L106-L109

To Reproduce

Steps to reproduce the behavior:

Make sure both players do not have permission to touch each other's props

  1. Have Player1 place a Wire Socket on their own build
  2. Have Player2 spawn a Wire Plug and link it to the socket
  3. Have Player2 copy the plug with AdvDupe2
  4. The entire build belonging to Player1 should now be copied by Player2

Expected behavior

Both owners should need to give tool permission for the constraint to be created. Optionally the constraint type can be overwritten to prevent duplication of it and the other connected entities entirely.
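The expected behavior above, as a stand-alone Lua model added for illustration; it is not code from the issue, Wiremod or AdvDupe2. Every name in it (`perms`, `can_tool`, `link_checked`, `collect`) is hypothetical, and the entities are constructed sample data; the copy step is modelled as a walk over the constraint list.

```lua
-- Constructed model; runs in plain Lua without Garry's Mod.
-- perms[owner][actor] == true means `owner` lets `actor` use tools on their props.
local perms = { Player1 = {}, Player2 = {} }

-- Hypothetical stand-in for a tool-permission check on one entity.
local function can_tool(actor, ent)
  return ent.owner == actor or perms[ent.owner][actor] == true
end

local constraints = {} -- list of { entA, entB } pairs

-- Before: the link is created without asking either owner.
local function link_unchecked(plug, socket)
  constraints[#constraints + 1] = { plug, socket }
  return true
end

-- After: each owner must be allowed to tool the other side's entity.
local function link_checked(plug, socket)
  if not (can_tool(plug.owner, socket) and can_tool(socket.owner, plug)) then
    return false
  end
  constraints[#constraints + 1] = { plug, socket }
  return true
end

-- Duplicator-style walk: every entity reachable through constraints is copied.
local function collect(start)
  local seen, queue, out = { [start] = true }, { start }, {}
  while #queue > 0 do
    local ent = table.remove(queue, 1)
    out[#out + 1] = ent.name
    for _, c in ipairs(constraints) do
      local other = (c[1] == ent and c[2]) or (c[2] == ent and c[1])
      if other and not seen[other] then
        seen[other] = true
        queue[#queue + 1] = other
      end
    end
  end
  return out
end

local prop   = { name = "p1_prop",   owner = "Player1" }
local socket = { name = "p1_socket", owner = "Player1" }
local plug   = { name = "p2_plug",   owner = "Player2" }
constraints[1] = { socket, prop } -- Player1's own build

print("checked link:", link_checked(plug, socket), table.concat(collect(plug), ", "))
print("unchecked link:", link_unchecked(plug, socket), table.concat(collect(plug), ", "))
```

With no permissions granted, the checked link is refused and the walk from the plug stays within Player2's own entity; the unchecked link makes Player1's socket and prop reachable from it.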