Prohibit arbitrary class resolution in content patches

2025-12-06 02:40:23 -08:00 · 2025-10-26 16:48:51 -04:00 · 2025-10-26 16:48:51 -04:00 · a226a74578
commit a226a74578
parent ed36204bed
4 changed files with 25 additions and 2 deletions
--- a/core/src/mindustry/mod/ContentParser.java
+++ b/core/src/mindustry/mod/ContentParser.java
@ -357,6 +357,15 @@ public class ContentParser{
    Content currentContent;

    private Json parser = new Json(){
+        @Override
+        protected <T> Class<T> resolveClass(String className){
+            if(allowClassResolution){
+                return super.resolveClass(className);
+            }else{
+                throw new SerializationException("Resolving arbitrary classes (" + className + ") is not allowed. Use short names for classes only (without the package prefix).");
+            }
+        }
+
        @Override
        public <T> T readValue(Class<T> type, Class elementType, JsonValue jsonData, Class keyType){
            T t = internalRead(type, elementType, jsonData, keyType);
--- a/core/src/mindustry/mod/ContentPatcher.java
+++ b/core/src/mindustry/mod/ContentPatcher.java
@ -375,7 +375,7 @@ public class ContentPatcher{
                    try{
                        setter.get(parser.getJson().readValue(metadata.type, metadata.elementType, jsv));
                    }catch(Throwable e){
-                        warn("Failed to read value @.@ = @: @ (type = @ elementType = @)\n@", object, field, value, e.getMessage(), metadata.type, metadata.elementType, Strings.getStackTrace(e));
+                        warn("Failed to read value @.@ = @: (type = @ elementType = @)\n@", object, field, value, metadata.type, metadata.elementType, Strings.getSimpleMessages(e));
                    }
                   parser.listeners.pop();
                }else{
--- a/gradle.properties
+++ b/gradle.properties
@ -26,4 +26,4 @@ org.gradle.caching=true
 org.gradle.internal.http.socketTimeout=100000
 org.gradle.internal.http.connectionTimeout=100000
 android.enableR8.fullMode=false
-archash=c8f3bd901b
+archash=75fffa01c8
--- a/tests/src/test/java/PatcherTests.java
+++ b/tests/src/test/java/PatcherTests.java
@ -1,5 +1,6 @@
 import arc.struct.*;
 import mindustry.*;
+import mindustry.ai.*;
 import mindustry.content.*;
 import mindustry.entities.abilities.*;
 import mindustry.entities.bullet.*;
@ -266,6 +267,19 @@ public class PatcherTests{
        assertEquals(0, Blocks.grass.attributes.get(Attribute.heat));
    }

+    @Test
+    void testNoResolution() throws Exception{
+        String name = Pathfinder.class.getCanonicalName();
+
+        Vars.state.patcher.apply(Seq.with("""
+        block.conveyor.lastConfig: {
+            class: %theClass%
+        }
+        """.replace("%theClass%", name)));
+
+        assertEquals(1, Vars.state.patcher.patches.first().warnings.size);
+    }
+
    @Test
    void testSetMultiAdd() throws Exception{
        Vars.state.patcher.apply(Seq.with("""