Add Universal Vaults (NOT PlayerVaults, inb4)

  • Plugin Name: Universal Vaults

    Spigot: https://www.spigotmc.org/resources/univ…-1-19-2.106973/

    GitHub: https://github.com/ItziSpyder/UniVault

    Live Examples: nbtarchives and univault on Minehut

    What it does:
    UniVault adds a central bank to store shulkers and items into.

    There is a submit command and chest, where players can submit up to 5 things at once. The plugin then checks the items are within the NBT limit per item, and that they are not already in the system.

    Any items that clear those checks are added into the vault.
    Physically, the vault can be accessed by selected chests/barrels/storage devices, or the entire system can be accessed via commands.

    Why should this be added:
    Currently Shulker Kits and other Items with NBT are scattered around both TF and Minecraft at large. On TF, projects have been worked on at different times to archive and preserve these Shulkers, but there is little coordination to this, and many things have been lost.

    Adding UniVault would provide a simple, and fairly clean way to preserve and locate Shulkers and Items, with a decent bit of configuration options available, to customize it to TF, and prevent abuse.

    My thoughts:

    I'm sure there's some incompatibility with TFM (as usual), but since we'll be moving away from TFM in the future, I see no reason not to consider this.
    For those worried about NBT Abuse, you can configure how much NBT is allowed per item submitted, and automatically reject anything outside that limit. This, combined with some of the checks TF already has in place concerning NBT Data, should prevent abuse.

    If you want to see it in action, check out the Minehut stuff mentioned above.
    (Admins, please notify me and/or remove this bit + the Minehut mentions if you deem it Advertising. I'm including it because I think it's pretty relevant as an example of the plugin in action).

    "Dude, my screen is completely purple, I see Barney and I still die" - ExtesyyTV, 2022

  • Kadalyst January 1, 2023 at 9:06 PM

    Changed the title of the thread from “Add Universal Vaults” to “Add Universal Vaults (NOT PlayerVaults, inb4)”.
  • Uhhh, after reading stuff on Discord, I gather it's poorly written, so I apologize for not investigating it further.


    Would this be installed instead of PlayerVaults?

    I only edited it and added PV in the title as someone on Discord got confused right after I made the thread and thought this was like PV.

    Given this is like a central storage bank and PV is more a personal storage bank.... no, it wouldn't be instead of it.

  • So I had a look through the plugin's source code and noticed that there were multiple problems with the plugin. Here's a list of what I found:

    • The plugin project does not have an apparent way to compile it
      The plugin's GitHub doesn't have any Maven or Gradle project files, so unless you set up that shit manually yourself, you're shit out of luck.
    • A path traversal exploit exists in the plugin
      The plugin allows you to load in "hand-picked" chest data from a file automatically by reading the chest name. The problem is that the developer didn't add any checks to sanitize what you feed it as input. Simply put, by manipulating the name of a chest in a specific way that you then place down, you can access any file on the server and load it. I could not even begin to explain just how bad that is.
    • It loads data on the main thread
      This problem also seems to exist with the PlayerVaultsX plugin, but it needs to be mentioned here. The plugin loads shelf and hand-picked chest data on the main thread, which means a player could effortlessly lag and crash the server by spamming the fuck out of the command that opens shelves/hand-picked shit where a lot of data is present. I tested this concept with PlayerVaultsX, and it worked surprisingly well at lagging the shit out of the development server:
      [Two screenshots]

    These issues are pretty major, and while I love the idea the plugin has, in implementation it has some serious issues that prevent me from putting it on the server at this moment in time.
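
The unsanitized chest-name-to-file lookup described in the post above, next to a checked version, as an added example that is not part of the original post and is not taken from the UniVault source. The class, method names, `.yml` suffix and sample names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added illustration; all names here are hypothetical, not UniVault's own code.
public class ChestFileResolver {
    // Allow-list for chest names: letters, digits, '_' and '-', 1 to 32 characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    // Unsafe pattern: the player-controlled name becomes a path segment as-is.
    static Path resolveUnchecked(Path dataDir, String chestName) {
        return dataDir.resolve(chestName + ".yml");
    }

    // Hardened: allow-list the name, then confirm the result stays under dataDir.
    static Path resolveChecked(Path dataDir, String chestName) throws IOException {
        if (chestName == null || !SAFE_NAME.matcher(chestName).matches()) {
            throw new IOException("rejected chest name");
        }
        Path base = dataDir.toAbsolutePath().normalize();
        Path target = base.resolve(chestName + ".yml").normalize();
        if (!target.startsWith(base)) {
            throw new IOException("path escapes data directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and inputs.
        Path base = Files.createTempDirectory("chests").toAbsolutePath().normalize();
        String[] names = {"kits_2022", "../outside", "a/b", ""};
        for (String name : names) {
            Path unchecked = resolveUnchecked(base, name).normalize();
            boolean escapes = !unchecked.startsWith(base);
            String verdict;
            try {
                verdict = "accepted as " + resolveChecked(base, name).getFileName();
            } catch (IOException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-14s unchecked escapes dir: %b; checked: %s%n",
                    '"' + name + '"', escapes, verdict);
        }
    }
}
```

`normalize()` is purely lexical, so if the data directory can contain symbolic links, compare `toRealPath()` results instead.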

  • A path traversal exploit exists in the plugin

    Holy shit that is bad.

    Again, sorry for not checking it out more before suggesting 😬

    Hopefully it will be updated someday to fix these issues, and TF can use it. Given it's fairly new, I have some hope it will.

    Should I do anything with the thread like mark it as Closed/Denied, or should it stay open for more vouches, in the hope the issues will eventually be fixed?

  • Simply put, by manipulating the name of a chest in a specific way that you then place down, you can access any file on the server and load it. I could not even begin to explain just how bad that is.

    Not that big of a deal, we just need another Custom Coded Plugin™ to disable half of the game's features to fix the issue

    ピバラ。