fix(P0): 3 exploit fixes from swarm review

- RISK-006: Mittens bypass lock/unlock — add HANDS check in PacketV2SelfLock/Unlock
- RISK-002: Struggle re-roll exploit — reject-if-active in startContinuous*Session()
- RISK-003: Non-V2 locked items bypass conflict resolution — check ILockable before swap
NotEvil
2026-04-16 10:49:04 +02:00
parent bce0598059
commit d75b74f9f9
4 changed files with 24 additions and 10 deletions


@@ -83,16 +83,16 @@ public class StruggleSessionManager {
) {
UUID playerId = player.getUUID();
// Remove any existing continuous session
// RISK-002 fix: reject if active session exists (prevents direction re-roll exploit)
ContinuousStruggleMiniGameState existing = continuousSessions.get(
playerId
);
if (existing != null) {
TiedUpMod.LOGGER.debug(
"[StruggleSessionManager] Replacing existing continuous struggle session for {}",
"[StruggleSessionManager] Rejected continuous session: active session already exists for {}",
player.getName().getString()
);
continuousSessions.remove(playerId);
return null;
}
// Create new session with configurable rate
@@ -146,12 +146,16 @@ public class StruggleSessionManager {
) {
UUID playerId = player.getUUID();
// Remove any existing session
// RISK-002 fix: reject if active session exists (prevents direction re-roll exploit)
ContinuousStruggleMiniGameState existing = continuousSessions.get(
playerId
);
if (existing != null) {
continuousSessions.remove(playerId);
TiedUpMod.LOGGER.debug(
"[StruggleSessionManager] Rejected accessory session: active session already exists for {}",
player.getName().getString()
);
return null;
}
// Create new session with target slot and configurable rate
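Review bot: Turning the `existing != null` branch from replace-and-continue into reject-and-return makes the map entry a hard lock: if any path ends a session without calling `continuousSessions.remove(playerId)` (session completed, player disconnected, restraint removed by another player), that player can never start another continuous or accessory struggle, and the old replace-on-start behaviour would have masked exactly that gap. Whether such cleanup exists is not visible in these hunks, so it should be confirmed before this ships, or the rejection narrowed to sessions that are verifiably still in progress rather than merely present in the map. The same applies to the accessory variant in the second hunk, which now also returns `null`; both methods' contracts should state that, e.g. `@return the new session, or {@code null} if the player already has an active continuous session`. Both enclosing methods start and end outside the hunks.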