Merge pull request #223 from simoleo89/fix/guild-badge-guards

fix(guilds): bound guild management inputs
2026-06-19 15:06:19 +00:00 · 2026-06-17 09:56:28 +02:00
parent cc8efb7382 112796e133
commit 4d4c796ad5
9 changed files with 170 additions and 6 deletions
@@ -441,7 +441,7 @@ public class GuildManager {
    public int getGuildMembersCount(Guild guild, int page, int levelId, String query) {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection(); PreparedStatement statement = connection.prepareStatement("SELECT COUNT(*) FROM guilds_members INNER JOIN users ON guilds_members.user_id = users.id WHERE guilds_members.guild_id = ?  " + (rankQuery(levelId)) + " AND users.username LIKE ? ORDER BY level_id, member_since ASC")) {
            statement.setInt(1, guild.getId());
-            statement.setString(2, "%" + query + "%");
+            statement.setString(2, "%" + com.eu.habbo.util.SqlLikeEscaper.escape(query) + "%");

            try (ResultSet set = statement.executeQuery()) {
                while (set.next()) {
@@ -21,12 +21,21 @@ public class GuildChangeColorsEvent extends MessageHandler {

        if (guild != null) {
            if (guild.getOwnerId() == this.client.getHabbo().getHabboInfo().getId() || this.client.getHabbo().hasPermission(Permission.ACC_GUILD_ADMIN)) {
-                GuildChangedColorsEvent colorsEvent = new GuildChangedColorsEvent(guild, this.packet.readInt(), this.packet.readInt());
+                int colorOne = this.packet.readInt();
+                int colorTwo = this.packet.readInt();
+
+                if (!Emulator.getGameEnvironment().getGuildManager().symbolColor(colorOne) || !Emulator.getGameEnvironment().getGuildManager().backgroundColor(colorTwo))
+                    return;
+
+                GuildChangedColorsEvent colorsEvent = new GuildChangedColorsEvent(guild, colorOne, colorTwo);
                Emulator.getPluginManager().fireEvent(colorsEvent);

                if (colorsEvent.isCancelled())
                    return;

+                if (!Emulator.getGameEnvironment().getGuildManager().symbolColor(colorsEvent.colorOne) || !Emulator.getGameEnvironment().getGuildManager().backgroundColor(colorsEvent.colorTwo))
+                    return;
+
                if (guild.getColorOne() != colorsEvent.colorOne || guild.getColorTwo() != colorsEvent.colorTwo) {
                    guild.setColorOne(colorsEvent.colorOne);
                    guild.setColorTwo(colorsEvent.colorTwo);
@@ -23,6 +23,10 @@ public class GuildChangeNameDescEvent extends MessageHandler {
            if (guild.getOwnerId() == this.client.getHabbo().getHabboInfo().getId() || this.client.getHabbo().hasPermission(Permission.ACC_GUILD_ADMIN)) {
                String newName = Emulator.getGameEnvironment().getWordFilter().filter(this.packet.readString(), this.client.getHabbo());
                String newDesc = Emulator.getGameEnvironment().getWordFilter().filter(this.packet.readString(), this.client.getHabbo());
+
+                if (!GuildInputLimits.isValidGuildName(newName) || !GuildInputLimits.isValidGuildDescription(newDesc))
+                    return;
+
                GuildChangedNameEvent nameEvent = new GuildChangedNameEvent(guild, newName, newDesc);
                Emulator.getPluginManager().fireEvent(nameEvent);

@@ -32,7 +36,7 @@ public class GuildChangeNameDescEvent extends MessageHandler {
                if (guild.getName().equals(nameEvent.name) && guild.getDescription().equals(nameEvent.description))
                    return;

-                if(nameEvent.name.length() > 29 || nameEvent.description.length() > 254)
+                if (!GuildInputLimits.isValidGuildName(nameEvent.name) || !GuildInputLimits.isValidGuildDescription(nameEvent.description))
                    return;

                guild.setName(nameEvent.name);
@@ -40,12 +40,20 @@ public class GuildChangeSettingsEvent extends MessageHandler {

        if (guild != null) {
            if (guild.getOwnerId() == this.client.getHabbo().getHabboInfo().getId() || this.client.getHabbo().hasPermission(Permission.ACC_GUILD_ADMIN)) {
-                GuildChangedSettingsEvent settingsEvent = new GuildChangedSettingsEvent(guild, this.packet.readInt(), this.packet.readInt() == 0);
+                int state = this.packet.readInt();
+
+                if (state < 0 || state >= GuildState.values().length)
+                    return;
+
+                GuildChangedSettingsEvent settingsEvent = new GuildChangedSettingsEvent(guild, state, this.packet.readInt() == 0);
                Emulator.getPluginManager().fireEvent(settingsEvent);

                if (settingsEvent.isCancelled())
                    return;

+                if (settingsEvent.state < 0 || settingsEvent.state >= GuildState.values().length)
+                    return;
+
                guild.setState(GuildState.valueOf(settingsEvent.state));
                guild.setRights(settingsEvent.rights);

@@ -0,0 +1,17 @@
+package com.eu.habbo.messages.incoming.guilds;
+
+final class GuildInputLimits {
+    static final int MAX_GUILD_NAME_LENGTH = 29;
+    static final int MAX_GUILD_DESCRIPTION_LENGTH = 254;
+
+    private GuildInputLimits() {
+    }
+
+    static boolean isValidGuildName(String name) {
+        return name != null && !name.isBlank() && name.length() <= MAX_GUILD_NAME_LENGTH;
+    }
+
+    static boolean isValidGuildDescription(String description) {
+        return description != null && description.length() <= MAX_GUILD_DESCRIPTION_LENGTH;
+    }
+}
@@ -31,11 +31,11 @@ public class RequestGuildBuyEvent extends MessageHandler {
        final String name = Emulator.getGameEnvironment().getWordFilter().filter(this.packet.readString(), this.client.getHabbo());
        final String description = Emulator.getGameEnvironment().getWordFilter().filter(this.packet.readString(), this.client.getHabbo());

-        if (name.length() == 0 || name.length() > 29) {
+        if (!GuildInputLimits.isValidGuildName(name)) {
            this.client.sendResponse(new GuildEditFailComposer(GuildEditFailComposer.INVALID_GUILD_NAME));
            return;
        }
-        if (description.length() > 254) {
+        if (!GuildInputLimits.isValidGuildDescription(description)) {
            return;
        }

@@ -68,6 +68,11 @@ public class RequestGuildBuyEvent extends MessageHandler {
        int colorOne = this.packet.readInt();
        int colorTwo = this.packet.readInt();

+        if (!Emulator.getGameEnvironment().getGuildManager().symbolColor(colorOne) || !Emulator.getGameEnvironment().getGuildManager().backgroundColor(colorTwo)) {
+            this.client.sendResponse(new GuildEditFailComposer(GuildEditFailComposer.INVALID_GUILD_NAME));
+            return;
+        }
+
        int count = this.packet.readInt();

        String badge = GuildBadgeBuilder.readBadge(this.packet, count);
@@ -9,6 +9,10 @@ import com.eu.habbo.messages.incoming.MessageHandler;
 import com.eu.habbo.messages.outgoing.guilds.GuildMembersComposer;

 public class RequestGuildMembersEvent extends MessageHandler {
+    private static final int MAX_PAGE_ID = 1000;
+    private static final int MAX_QUERY_LENGTH = 32;
+    private static final int MAX_LEVEL_ID = 2;
+
    @Override
    public int getRatelimit() {
        return 500;
@@ -20,6 +24,9 @@ public class RequestGuildMembersEvent extends MessageHandler {
        int pageId = this.packet.readInt();
        String query = this.packet.readString();
        int levelId = this.packet.readInt();
+        if (pageId < 0 || pageId > MAX_PAGE_ID || levelId < 0 || levelId > MAX_LEVEL_ID || query == null || query.length() > MAX_QUERY_LENGTH) {
+            return;
+        }

        Guild g = Emulator.getGameEnvironment().getGuildManager().getGuild(groupId);

@@ -0,0 +1,59 @@
+package com.eu.habbo.messages.incoming.guilds;
+
+import org.junit.jupiter.api.Test;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class GuildManagementInputGuardContractTest {
+    private static String source(String file) throws Exception {
+        return Files.readString(Path.of("src/main/java/com/eu/habbo/messages/incoming/guilds/" + file));
+    }
+
+    @Test
+    void guildCreateAndRenameShareNameAndDescriptionBounds() throws Exception {
+        String limits = source("GuildInputLimits.java");
+        String buy = source("RequestGuildBuyEvent.java");
+        String rename = source("GuildChangeNameDescEvent.java");
+
+        assertTrue(limits.contains("MAX_GUILD_NAME_LENGTH = 29"),
+                "Guild names should keep the existing 29 character protocol bound");
+        assertTrue(limits.contains("MAX_GUILD_DESCRIPTION_LENGTH = 254"),
+                "Guild descriptions should keep the existing database/protocol bound");
+        assertTrue(limits.contains("!name.isBlank()"),
+                "Guild names must not be empty or whitespace-only");
+        assertTrue(buy.contains("GuildInputLimits.isValidGuildName(name)"),
+                "Guild purchase should use the shared name guard");
+        assertTrue(buy.contains("GuildInputLimits.isValidGuildDescription(description)"),
+                "Guild purchase should use the shared description guard");
+        assertTrue(rename.contains("GuildInputLimits.isValidGuildName(newName)"),
+                "Guild rename should reject invalid client names before plugin events");
+        assertTrue(rename.contains("GuildInputLimits.isValidGuildName(nameEvent.name)"),
+                "Guild rename should reject invalid plugin-mutated names before persistence");
+    }
+
+    @Test
+    void guildColorInputsAreCheckedAgainstLoadedPalette() throws Exception {
+        String buy = source("RequestGuildBuyEvent.java");
+        String colors = source("GuildChangeColorsEvent.java");
+
+        assertTrue(buy.contains("symbolColor(colorOne)") && buy.contains("backgroundColor(colorTwo)"),
+                "Guild purchase should reject color ids that are not in the loaded guild palette");
+        assertTrue(colors.contains("symbolColor(colorOne)") && colors.contains("backgroundColor(colorTwo)"),
+                "Guild color changes should reject invalid client color ids");
+        assertTrue(colors.contains("symbolColor(colorsEvent.colorOne)") && colors.contains("backgroundColor(colorsEvent.colorTwo)"),
+                "Guild color changes should reject invalid plugin-mutated color ids");
+    }
+
+    @Test
+    void guildStateInputsStayInsideKnownEnumRange() throws Exception {
+        String settings = source("GuildChangeSettingsEvent.java");
+
+        assertTrue(settings.contains("state < 0 || state >= GuildState.values().length"),
+                "Guild settings should reject invalid client state ids before event dispatch");
+        assertTrue(settings.contains("settingsEvent.state < 0 || settingsEvent.state >= GuildState.values().length"),
+                "Guild settings should reject invalid plugin-mutated state ids before applying them");
+    }
+}
@@ -0,0 +1,55 @@
+package com.eu.habbo.messages.incoming.guilds;
+
+import org.junit.jupiter.api.Test;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class GuildMembersInputGuardContractTest {
+    private static String eventSource() throws Exception {
+        return Files.readString(Path.of("src/main/java/com/eu/habbo/messages/incoming/guilds/RequestGuildMembersEvent.java"));
+    }
+
+    private static String managerSource() throws Exception {
+        return Files.readString(Path.of("src/main/java/com/eu/habbo/habbohotel/guilds/GuildManager.java"));
+    }
+
+    @Test
+    void guildMemberListInputsAreBoundedBeforeManagerQueries() throws Exception {
+        String source = eventSource();
+
+        int pageRead = source.indexOf("int pageId = this.packet.readInt()");
+        int queryRead = source.indexOf("String query = this.packet.readString()", pageRead);
+        int levelRead = source.indexOf("int levelId = this.packet.readInt()", queryRead);
+        int guard = source.indexOf("pageId < 0 || pageId > MAX_PAGE_ID", levelRead);
+        int managerCall = source.indexOf("getGuildMembers(g, pageId, levelId, query)", guard);
+
+        assertTrue(source.contains("MAX_PAGE_ID = 1000"),
+                "Guild member pagination should have a server-side upper bound");
+        assertTrue(source.contains("MAX_QUERY_LENGTH = 32"),
+                "Guild member search query should have a server-side length bound");
+        assertTrue(source.contains("MAX_LEVEL_ID = 2"),
+                "Guild member rank filter should be bounded to known levels");
+        assertTrue(pageRead > -1 && queryRead > pageRead && levelRead > queryRead,
+                "Guild member handler must read page/query/level from the packet");
+        assertTrue(guard > levelRead && guard < managerCall,
+                "Guild member handler must validate inputs before querying the manager");
+    }
+
+    @Test
+    void guildMemberCountEscapesLikeQuerySameAsListQuery() throws Exception {
+        String source = managerSource();
+
+        int listMethod = source.indexOf("public ArrayList<GuildMember> getGuildMembers(Guild guild, int page, int levelId, String query)");
+        int listEscape = source.indexOf("SqlLikeEscaper.escape(query)", listMethod);
+        int countMethod = source.indexOf("public int getGuildMembersCount(Guild guild, int page, int levelId, String query)");
+        int countEscape = source.indexOf("SqlLikeEscaper.escape(query)", countMethod);
+
+        assertTrue(listEscape > listMethod,
+                "Guild member list query should escape SQL LIKE wildcards");
+        assertTrue(countEscape > countMethod,
+                "Guild member count query should escape SQL LIKE wildcards too");
+    }
+}