Description
Type of bug
Exploit
/ess dump all output
(omitted as I want to keep the server log private, can be provided privately)
Error log (if applicable)
No response
Bug description
People can modify player inventories using /invsee without permissions for it, given that the server is under heavy GC pressure. We believe this is because User#isInvSee gets flipped in the midst of garbage collection:

This could be because the user cache relies on soft references for holding users.

Steps to reproduce
- Boot a server with low memory
- Open player inventory using /invsee on an account that doesn't have permissions to modify
- Cause frequent GCs by changing the view distance / moving around in the world & teleporting around
- Eventually, the player holding /invsee open will be able to modify that inventory
This behaviour has been tested & verified on the latest EssentialsX build on both a 1.21.1 & 1.8.8 Paper server.

Here are videos of me reproducing the issue on our test servers 1.8.8 and 1.21.1
Expected behaviour
Users should not be able to manipulate inventories with /invsee unless they have permissions to do so
Actual behaviour
When garbage collecting, user objects for online players seem to get caught in the collection, causing User#isInvSee to get flipped to false, resulting in the ability to modify a player's inventory however they want
Additional Information
No response
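
The mechanism the report hypothesises, as an added Java illustration that is not EssentialsX code and not part of the original report: a read-only flag stored only on a softly referenced user object is lost when the reference is cleared and the object is rebuilt, while a map that holds online users strongly keeps it. All class, field and method names are hypothetical, the edit check is an assumed simplification, and `clear()` stands in for the collector clearing the reference.

```java
import java.lang.ref.SoftReference;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; a model of the reported behaviour, not the plugin's code.
public class InvSeeStateDemo {
    static final class User {
        private boolean invSee;              // session state that lives only on this object
        boolean isInvSee() { return invSee; }
        void setInvSee(boolean v) { invSee = v; }
    }

    // Cache that holds users only softly: the GC may clear entries under memory pressure.
    static final Map<UUID, SoftReference<User>> softCache = new ConcurrentHashMap<>();
    // Hardened variant: strong references kept for as long as the player is online.
    static final Map<UUID, User> online = new ConcurrentHashMap<>();

    static User fromSoftCache(UUID id) {
        SoftReference<User> ref = softCache.get(id);
        User u = (ref == null) ? null : ref.get();
        if (u == null) {                     // reference cleared: rebuilt with default state
            u = new User();
            softCache.put(id, new SoftReference<>(u));
        }
        return u;
    }

    // Assumed shape of the check: edits are cancelled only while the viewer is flagged.
    static boolean editBlocked(User viewer) {
        return viewer.isInvSee();
    }

    public static void main(String[] args) {
        UUID viewer = UUID.randomUUID();     // constructed sample player id
        fromSoftCache(viewer).setInvSee(true);
        online.computeIfAbsent(viewer, k -> new User()).setInvSee(true);

        softCache.get(viewer).clear();       // simulates the GC clearing the soft reference

        System.out.println("soft cache, edit blocked: " + editBlocked(fromSoftCache(viewer)));
        System.out.println("strong map, edit blocked: " + editBlocked(online.get(viewer)));
    }
}
```

The check in this model fails open: a freshly built `User` defaults to "not restricted", so losing the object silently removes the restriction.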