Patch SQL Injection vulnerability

AlexTheCoder 2018-09-15 15:18:54 -05:00
parent 6af25bd922
commit 3bf844f9bb


@ -17,7 +17,7 @@ import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer; import java.util.function.BiConsumer;
import java.util.function.Consumer; import java.util.function.Consumer;
import java.util.stream.Collectors; import java.util.regex.Pattern;
import org.bukkit.Bukkit; import org.bukkit.Bukkit;
import org.bukkit.entity.Player; import org.bukkit.entity.Player;
@ -84,6 +84,8 @@ public class CoreClientManager extends MiniPlugin
private static final Map<String, Object> CLIENT_LOGIN_LOCKS = new ConcurrentHashMap<>(); private static final Map<String, Object> CLIENT_LOGIN_LOCKS = new ConcurrentHashMap<>();
private static final Pattern VALID_USERNAME = Pattern.compile("[a-zA-Z0-9_]{1,16}");
private JavaPlugin _plugin; private JavaPlugin _plugin;
private AccountRepository _repository; private AccountRepository _repository;
private Map<UUID, CoreClient> _clientList = new HashMap<>(); private Map<UUID, CoreClient> _clientList = new HashMap<>();
@ -365,6 +367,11 @@ public class CoreClientManager extends MiniPlugin
public void loadClientByName(String playerName, Consumer<CoreClient> loadedClient) public void loadClientByName(String playerName, Consumer<CoreClient> loadedClient)
{ {
if (!VALID_USERNAME.matcher(playerName).find())
{
return;
}
runAsync(() -> runAsync(() ->
{ {
AtomicReference<CoreClient> loaded = new AtomicReference<>(); AtomicReference<CoreClient> loaded = new AtomicReference<>();
@ -436,6 +443,11 @@ public class CoreClientManager extends MiniPlugin
public void loadClientByNameSync(final String playerName, final Runnable runnable) public void loadClientByNameSync(final String playerName, final Runnable runnable)
{ {
if (!VALID_USERNAME.matcher(playerName).find())
{
return;
}
try try
{ {
ClientToken token = null; ClientToken token = null;
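Review bot: The guard added to `loadClientByName` and `loadClientByNameSync` calls `find()` on an unanchored pattern, so it accepts any name containing at least one character from `[a-zA-Z0-9_]`, and names that also carry quotes or other SQL metacharacters still reach the lookup. Require a whole-string match instead: `if (playerName == null || !VALID_USERNAME.matcher(playerName).matches())`, where the null check also avoids an NPE from `matcher(null)`. The query code is not visible in these hunks; if it builds SQL by concatenating the name, binding it as a `PreparedStatement` parameter would be the primary fix, with the regex kept as a second layer. The early `return` also skips the `loadedClient` and `runnable` callbacks, so callers waiting on them presumably get no signal; worth confirming, and logging the rejected name for detection. Both method bodies continue outside the hunks.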