use base64 to encode prefetched data

this prevents commandline injection
yushijinhun 2018-02-18 09:24:03 +08:00
parent 83dcd8380f
commit c7866c1dc5
No known key found for this signature in database
GPG key ID: 5BC167F73EA558E4
3 changed files with 21 additions and 3 deletions


@ -1,11 +1,14 @@
package org.to2mbn.authlibinjector; package org.to2mbn.authlibinjector;
import static java.nio.charset.StandardCharsets.UTF_8;
import static java.util.Optional.empty; import static java.util.Optional.empty;
import static java.util.Optional.of; import static java.util.Optional.of;
import static org.to2mbn.authlibinjector.util.IOUtils.readURL; import static org.to2mbn.authlibinjector.util.IOUtils.readURL;
import static org.to2mbn.authlibinjector.util.IOUtils.removeNewLines;
import java.io.IOException; import java.io.IOException;
import java.lang.instrument.ClassFileTransformer; import java.lang.instrument.ClassFileTransformer;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.Base64;
import java.util.Optional; import java.util.Optional;
import java.util.function.Consumer; import java.util.function.Consumer;
import org.to2mbn.authlibinjector.transform.ClassTransformer; import org.to2mbn.authlibinjector.transform.ClassTransformer;
@ -56,9 +59,10 @@ public final class AuthlibInjector {
if (apiRoot == null) return empty(); if (apiRoot == null) return empty();
info("api root: {0}", apiRoot); info("api root: {0}", apiRoot);
String metadataResponse = System.getProperty("org.to2mbn.authlibinjector.config.prefetched"); String metadataResponse;
if (metadataResponse == null) { String prefetched = System.getProperty("org.to2mbn.authlibinjector.config.prefetched");
if (prefetched == null) {
info("fetching metadata"); info("fetching metadata");
try { try {
metadataResponse = readURL(apiRoot); metadataResponse = readURL(apiRoot);
@ -69,6 +73,14 @@ public final class AuthlibInjector {
} else { } else {
info("prefetched metadata detected"); info("prefetched metadata detected");
try {
metadataResponse = new String(Base64.getDecoder().decode(removeNewLines(prefetched)), UTF_8);
} catch (IllegalArgumentException e) {
info("unable to decode metadata: {0}\n"
+ "metadata to decode:\n"
+ "{1}", e, prefetched);
return empty();
}
} }
debug("metadata: {0}", metadataResponse); debug("metadata: {0}", metadataResponse);
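Review bot: When the Base64 decode fails, the new catch block writes the whole undecoded property value into the info log and returns `empty()` without trying `readURL(apiRoot)`. The value is supplied from outside the process, so echoing it verbatim (line breaks included) lets it shape the log output and can make the entry arbitrarily large; the length and the exception are enough for diagnosis, e.g. `info("unable to decode prefetched metadata ({0} chars): {1}", prefetched.length(), e);`. A launcher that still passes the raw response, which the removed line accepted, now ends up in this branch, so consider falling back to the fetch path or naming the expected Base64 format in the message; what `empty()` means for the caller is outside the hunk. `new String(..., UTF_8)` replaces malformed bytes silently, so only Base64 errors are caught here and the decoded text still needs the downstream parser to validate it.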


@ -27,6 +27,11 @@ public final class IOUtils {
return new String(w.toCharArray()); return new String(w.toCharArray());
} }
public static String removeNewLines(String input) {
return input.replace("\n", "")
.replace("\r", "");
}
private IOUtils() {} private IOUtils() {}
} }
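Review bot: `removeNewLines` is added without Javadoc and strips only `\n` and `\r`, while the call site added in this commit feeds its result to the strict `Base64.getDecoder()`, which throws on any other character outside the alphabet, such as a space or a tab. Document that contract on the method, e.g. `/** Removes every CR and LF from input; all other whitespace is kept. input must not be null. */`, so callers know that a value with other whitespace in or around it still fails to decode. If such input should be tolerated, that belongs in the caller (for example a `strip()` before decoding) rather than in a helper with this name.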


@ -1,5 +1,6 @@
package org.to2mbn.authlibinjector.util; package org.to2mbn.authlibinjector.util;
import static org.to2mbn.authlibinjector.util.IOUtils.removeNewLines;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.KeyFactory; import java.security.KeyFactory;
import java.security.PublicKey; import java.security.PublicKey;
@ -9,7 +10,7 @@ import java.util.Base64;
public final class KeyUtils { public final class KeyUtils {
public static byte[] decodePublicKey(String pem) throws IllegalArgumentException { public static byte[] decodePublicKey(String pem) throws IllegalArgumentException {
pem = pem.replace("\n", ""); pem = removeNewLines(pem);
final String header = "-----BEGIN PUBLIC KEY-----"; final String header = "-----BEGIN PUBLIC KEY-----";
final String end = "-----END PUBLIC KEY-----"; final String end = "-----END PUBLIC KEY-----";
if (pem.startsWith(header) && pem.endsWith(end)) { if (pem.startsWith(header) && pem.endsWith(end)) {