Remove URL open events from Extension components

Author: AuroraLS3

Plan/common/src/main/java/com/djrapitops/plan/extension/implementation/providers/gathering/DataValueGatherer.java

@@ -47,6 +47,7 @@
 import com.djrapitops.plan.storage.database.Database;
 import com.djrapitops.plan.utilities.logging.ErrorContext;
 import com.djrapitops.plan.utilities.logging.ErrorLogger;
+import org.apache.commons.lang3.Strings;
 
 import java.util.HashSet;
 import java.util.Optional;
@@ -459,6 +460,9 @@ private String getComponentAsJson(Component component) {
         if (json.length() > ComponentDataValue.MAX_LENGTH) {
             json = "{\"text\":\"<Component too long>\"}";
         }
+        if (Strings.CI.containsAny(json, "javascript", "clickEvent", "hoverEvent", "open_url", "copy_to_clipboard", "\"action\"", "&#", "\0", "\\")) {
+            json = "{\"text\":\"<Component contained disallowed words or characters>\"}";
+        }
         return json;
     }
 

Plan/common/src/main/java/com/djrapitops/plan/storage/database/Patches.java

@@ -89,7 +89,8 @@ public static Patch[] getAll(PluginLogger logger, PlanConfig config) {
                 new CookieTableIpAddressPatch(),
                 new TPSTableMSPTPatch(),
                 new AllowlistIncorrectUniqueConstraintPatch(),
-                new TPSTableIdPatch()
+                new TPSTableIdPatch(),
+                new DeleteUrlOpenEventsFromExtensionComponentsPatch()
         };
     }
 }

Plan/common/src/main/java/com/djrapitops/plan/storage/database/transactions/patches/DeleteUrlOpenEventsFromExtensionComponentsPatch.java

@@ -0,0 +1,80 @@
+/*
+ *  This file is part of Player Analytics (Plan).
+ *
+ *  Plan is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Lesser General Public License v3 as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  Plan is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public License
+ *  along with Plan. If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.djrapitops.plan.storage.database.transactions.patches;
+
+import com.djrapitops.plan.storage.database.sql.tables.extension.ExtensionPlayerValueTable;
+import com.djrapitops.plan.storage.database.sql.tables.extension.ExtensionServerValueTable;
+
+import static com.djrapitops.plan.storage.database.sql.building.Sql.*;
+
+/**
+ * @author AuroraLS3
+ */
+public class DeleteUrlOpenEventsFromExtensionComponentsPatch extends Patch {
+
+    String[] invalidStrings = new String[]{
+            "javascript", "clickEvent", "hoverEvent", "open_url", "copy_to_clipboard", "\"action\"", "&#", "\\"
+    };
+
+    @Override
+    public boolean hasBeenApplied() {
+        for (String invalidString : invalidStrings) {
+            String playerSql = SELECT + ExtensionPlayerValueTable.COMPONENT_VALUE +
+                    FROM + ExtensionPlayerValueTable.TABLE_NAME +
+                    WHERE + ExtensionPlayerValueTable.COMPONENT_VALUE + " LIKE '%" + invalidString + "%'";
+            if (query(db -> db.queryOptional(playerSql, row -> row.getString(1)))
+                    .isPresent()) {
+                return false;
+            }
+            String serverSql = SELECT + ExtensionServerValueTable.COMPONENT_VALUE +
+                    FROM + ExtensionServerValueTable.TABLE_NAME +
+                    WHERE + ExtensionServerValueTable.COMPONENT_VALUE + " LIKE '%" + invalidString + "%'";
+            if (query(db -> db.queryOptional(serverSql, row -> row.getString(1)))
+                    .isPresent()) {
+                return false;
+            }
+            String nullCharSql = SELECT + ExtensionPlayerValueTable.COMPONENT_VALUE +
+                    FROM + ExtensionPlayerValueTable.TABLE_NAME +
+                    WHERE + "INSTR(" + ExtensionPlayerValueTable.COMPONENT_VALUE + ", CHAR(0))";
+            if (query(db -> db.queryOptional(nullCharSql, row -> row.getString(1)))
+                    .isPresent()) {
+                return false;
+            }
+            String nullCharServerSql = SELECT + ExtensionServerValueTable.COMPONENT_VALUE +
+                    FROM + ExtensionPlayerValueTable.TABLE_NAME +
+                    WHERE + "INSTR(" + ExtensionServerValueTable.COMPONENT_VALUE + ", CHAR(0))";
+            if (query(db -> db.queryOptional(nullCharServerSql, row -> row.getString(1)))
+                    .isPresent()) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    @Override
+    protected void applyPatch() {
+        for (String invalidString : invalidStrings) {
+            execute("DELETE FROM " + ExtensionPlayerValueTable.TABLE_NAME +
+                    WHERE + ExtensionPlayerValueTable.COMPONENT_VALUE + " LIKE '%" + invalidString + "%'" +
+                    OR + "INSTR(" + ExtensionPlayerValueTable.COMPONENT_VALUE + ", CHAR(0))");
+            execute("DELETE FROM " + ExtensionServerValueTable.TABLE_NAME +
+                    WHERE + ExtensionServerValueTable.COMPONENT_VALUE + " LIKE '%" + invalidString + "%'" +
+                    OR + "INSTR(" + ExtensionServerValueTable.COMPONENT_VALUE + ", CHAR(0))");
+        }
+    }
+}

Plan/common/src/test/java/com/djrapitops/plan/storage/database/queries/ExtensionsDatabaseTest.java

@@ -25,6 +25,7 @@
 import com.djrapitops.plan.extension.annotation.*;
 import com.djrapitops.plan.extension.builder.ExtensionDataBuilder;
 import com.djrapitops.plan.extension.icon.Color;
+import com.djrapitops.plan.extension.icon.Family;
 import com.djrapitops.plan.extension.icon.Icon;
 import com.djrapitops.plan.extension.implementation.results.*;
 import com.djrapitops.plan.extension.implementation.storage.queries.ExtensionPlayerDataQuery;
@@ -73,6 +74,7 @@ default void unregisterExtensions() {
         extensionService.unregister(new ConditionalExtension());
         extensionService.unregister(new TableExtension());
         extensionService.unregister(new ThrowingExtension());
+        extensionService.unregister(new ClickEventTestExtension());
     }
 
     @Test
@@ -432,6 +434,43 @@ default void extensionExceptionsAreCaught() {
         assertEquals(5, TestErrorLogger.getCaught().size(), () -> "Not all exceptions got logged, logged exceptions: " + TestErrorLogger.getCaught().toString());
     }
 
+    @Test
+    default void clickEventsNotAllowed() {
+        ExtensionSvc extensionService = extensionService();
+        extensionService.register(new ClickEventTestExtension());
+
+        extensionService.updateServerValues(CallEvents.MANUAL);
+
+        String expected = "{\"text\":\"<Component contained disallowed words or characters>\"}";
+        String result = db().query(new ExtensionServerDataQuery(serverUUID()))
+                .get(0)
+                .getTabs()
+                .get(0)
+                .getComponent("clickEventComponent")
+                .orElseThrow(AssertionError::new)
+                .getFormattedValue();
+        assertEquals(expected, result);
+    }
+
+    @Test
+    default void clickEventsNotAllowedForPlayer() {
+        ExtensionSvc extensionService = extensionService();
+        extensionService.register(new ClickEventTestExtension());
+
+        extensionService.updatePlayerValues(TestConstants.PLAYER_ONE_UUID, TestConstants.PLAYER_ONE_NAME, CallEvents.MANUAL);
+
+        String expected = "{\"text\":\"<Component contained disallowed words or characters>\"}";
+        String result = db().query(new ExtensionPlayerDataQuery(TestConstants.PLAYER_ONE_UUID))
+                .get(serverUUID())
+                .get(0)
+                .getTabs()
+                .get(0)
+                .getComponent("clickEventPlayerComponent")
+                .orElseThrow(AssertionError::new)
+                .getFormattedValue();
+        assertEquals(expected, result);
+    }
+
 
     @PluginInfo(name = "ConditionalExtension")
     class ConditionalExtension implements DataExtension {
@@ -654,4 +693,37 @@ public ExtensionDataBuilder builder3() {
             throw new NoSuchMethodError();
         }
     }
+
+    @PluginInfo(
+            name = "Component with click event",
+            iconName = "bug",
+            iconFamily = Family.SOLID,
+            color = Color.RED
+    )
+    public class ClickEventTestExtension implements DataExtension {
+        @ComponentProvider(
+                text = "Component with click event",
+                description = "",
+                iconName = "bug",
+                iconFamily = Family.SOLID,
+                iconColor = Color.RED
+        )
+        public Component clickEventComponent() {
+            String json = "{\"text\":\"Click here\",\"color\":\"red\",\"underlined\":true,\"clickEvent\":{\"action\":\"open_url\",\"value\":\"javascript:alert(document.cookie)\"}}";
+            return ComponentService.getInstance().fromJson(json);
+        }
+
+
+        @ComponentProvider(
+                text = "Component with click event",
+                description = "",
+                iconName = "bug",
+                iconFamily = Family.SOLID,
+                iconColor = Color.RED
+        )
+        public Component clickEventPlayerComponent(UUID playerUUID) {
+            String json = "{\"text\":\"Click here\",\"color\":\"red\",\"underlined\":true,\"clickEvent\":{\"action\":\"open_url\",\"value\":\"javascript:alert(document.cookie)\"}}";
+            return ComponentService.getInstance().fromJson(json);
+        }
+    }
 }