Merge pull request #17 from cloudnode-pro/patch/description-security

Security fix in account names, transaction descriptions and pos descriptions

src/main/java/pro/cloudnode/smp/bankaccounts/commands/BankCommand.java

@@ -397,6 +397,14 @@ public static void setName(@NotNull CommandSender sender, String[] args, String
             String name = String.join(" ", Arrays.copyOfRange(args, 1, args.length)).trim();
             name = name.length() > 32 ? name.substring(0, 32) : name;
             name = name.length() == 0 ? null : name;
+
+            if (name != null && (name.contains("<") || name.contains(">"))) {
+                sender.sendMessage(MiniMessage.miniMessage().deserialize(Objects.requireNonNull(BankAccounts.getInstance().getConfig().getString("messages.errors.disallowed-characters")),
+                        Placeholder.unparsed("characters", "<>")
+                ));
+                return;
+            }
+
             account.get().name = name;
             account.get().update();
             sender.sendMessage(Account.placeholders(Objects.requireNonNull(BankAccounts.getInstance().getConfig().getString("messages.name-set")), account.get()));
@@ -532,6 +540,13 @@ public static void transfer(@NotNull CommandSender sender, String[] args, String
         String description = args.length > 3 ? String.join(" ", Arrays.copyOfRange(args, 3, args.length)).trim() : null;
         if (description != null && description.length() > 64) description = description.substring(0, 64);
 
+        if (description != null && (description.contains("<") || description.contains(">"))) {
+            sender.sendMessage(MiniMessage.miniMessage().deserialize(Objects.requireNonNull(BankAccounts.getInstance().getConfig().getString("messages.errors.disallowed-characters")),
+                    Placeholder.unparsed("characters", "<>")
+            ));
+            return;
+        }
+
         if (!confirm && BankAccounts.getInstance().getConfig().getBoolean("transfer-confirmation.enabled")) {
             // show confirmation if amount is above this
             BigDecimal minAmount = BigDecimal.valueOf(BankAccounts.getInstance().getConfig().getDouble("transfer-confirmation.min-amount"));

src/main/java/pro/cloudnode/smp/bankaccounts/commands/POSCommand.java

@@ -110,6 +110,13 @@ public boolean onCommand(final @NotNull CommandSender sender, final @NotNull Com
 
             final @Nullable String description = args.length > 2 ? String.join(" ", Arrays.copyOfRange(args, 2, args.length)) : null;
 
+            if (description != null && (description.contains("<") || description.contains(">"))) {
+                sender.sendMessage(MiniMessage.miniMessage().deserialize(Objects.requireNonNull(BankAccounts.getInstance().getConfig().getString("messages.errors.disallowed-characters")),
+                        Placeholder.unparsed("characters", "<>")
+                ));
+                return true;
+            }
+
             final POS pos = new POS(target.getLocation(), price, description, account.get(), new Date());
             pos.save();
             player.sendMessage(replacePlaceholders(Objects.requireNonNull(BankAccounts.getInstance().getConfig().getString("messages.pos-created")), pos));

src/main/resources/config.yml

@@ -280,6 +280,9 @@ messages:
         no-card: "<red>(!) You must hold your bank card to use this.</red>"
         pos-items-changed: "<red>(!) The items in the chest have changed. POS cancelled.</red>"
         pos-create-business-only: "<red>(!) You can only create a POS with a business account.</red>"
+        # Provided string includes disallowed characters
+        # Placeholder: <characters> - the disallowed characters
+        disallowed-characters: "<red>(!) The provided string contains disallowed characters: <gray><characters></gray></red>"
 
     # Account balance
     # Available placeholders: