Skip to content

Able to manipulate /invsee without modify permissions #6241

Description

@il-mega

Type of bug

Exploit

/ess dump all output

(omitted as I want to keep the server log private, can be provided privately)

Error log (if applicable)

No response

Bug description

People can modify player inventories using /invsee without permissions for it, given that the server is under heavy GC pressure. We believe this is because User#isInvSee gets flipped in the midst of garbage collection:
Image
This could be because the user cache relies on soft references for holding users.
Image

Steps to reproduce

  1. Boot a server with low memory
  2. Open player inventory using /invsee on an account that doesn't have permissions to modify
  3. Cause frequent GCs by changing the view distance / moving around in the world & teleporting around
  4. Eventually, the player holding /invsee open will be able to modify that inventory

This behaviour has been tested & verified on the latest EssentialsX build on both a 1.21.1 & 1.8.8 paper server;
Image

Here are videos of me reproducing the issue on our test servers 1.8.8 and 1.21.1

Expected behaviour

Users should not be able to manipulate inventories with /invsee unless they have permissions to do so

Actual behaviour

When garbage collecting, user objects for online players seem to get caught in the collection, causing User#isInvSee to get flipped to false, resulting in the ability to modify a player's inventory however they want

Additional Information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug: unconfirmedPotential bugs that need replicating to verify.

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions