feat: LIKE-wildcard escaping (security) + recycle/craft reward rollback (stability)

Security / speed: - New util SqlLikeEscaper: escapes %, _ and \ in user search input. Applied to the user-facing LIKE searches (messenger user search, marketplace search, furni-editor search, housekeeping room search, guild member search) so a query like "%" can no longer match everything or trigger a needless full scan, and usernames containing "_" are matched literally. Stability (item-loss fixes): - RecycleEvent: compute the recycler reward BEFORE consuming the 8 inputs. The inputs were deleted from the DB first, so a null reward (misconfig) destroyed them permanently with nothing back. Now the inputs are only removed once the reward is confirmed. - CraftingCraftItemEvent: restore the pulled ingredients to the inventory if the recipe can't be completed (not enough ingredients mid-pull, or reward creation returns null) — previously they silently vanished from the inventory.
2026-06-19 15:06:19 +00:00 · 2026-06-09 15:50:19 +00:00
parent a0910d822c
commit f7556138aa
8 changed files with 63 additions and 16 deletions
@@ -171,8 +171,9 @@ public class MarketPlace {
                statement.setInt(paramIndex++, maxPrice);
            }
            if (!search.isEmpty()) {
-                statement.setString(paramIndex++, "%" + search + "%");
+                String likeSearch = "%" + com.eu.habbo.util.SqlLikeEscaper.escape(search) + "%";
-                statement.setString(paramIndex++, "%" + search + "%");
+                statement.setString(paramIndex++, likeSearch);
                statement.setString(paramIndex++, likeSearch);
            }
            try (ResultSet set = statement.executeQuery()) {
@@ -421,7 +421,7 @@ public class GuildManager {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection(); PreparedStatement statement = connection.prepareStatement("SELECT users.username, users.look, guilds_members.* FROM guilds_members INNER JOIN users ON guilds_members.user_id = users.id WHERE guilds_members.guild_id = ?  " + (rankQuery(levelId)) + " AND users.username LIKE ? ORDER BY level_id, member_since ASC LIMIT ?, ?")) {
            statement.setInt(1, guild.getId());
-            statement.setString(2, "%" + query + "%");
+            statement.setString(2, "%" + com.eu.habbo.util.SqlLikeEscaper.escape(query) + "%");
            statement.setInt(3, page * 14);
            statement.setInt(4, 14);
@@ -53,7 +53,7 @@ public class Messenger {
    public static THashSet<MessengerBuddy> searchUsers(String username) {
        THashSet<MessengerBuddy> users = new THashSet<>();
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection(); PreparedStatement statement = connection.prepareStatement("SELECT * FROM users WHERE username LIKE ? ORDER BY username ASC LIMIT " + Emulator.getConfig().getInt("hotel.messenger.search.maxresults"))) {
-            statement.setString(1, username + "%");
+            statement.setString(1, com.eu.habbo.util.SqlLikeEscaper.escape(username) + "%");
            try (ResultSet set = statement.executeQuery()) {
                while (set.next()) {
                    users.add(new MessengerBuddy(set, false));
@@ -40,23 +40,26 @@ public class RecycleEvent extends MessageHandler {
                }
            }
-            if (items.size() == count) {
+            if (items.size() != count) {
                for (HabboItem item : items) {
                    this.client.getHabbo().getInventory().getItemsComponent().removeHabboItem(item);
                    this.client.sendResponse(new RemoveHabboItemComposer(item.getGiftAdjustedId()));
                    Emulator.getThreading().run(new QueryDeleteHabboItem(item.getId()));
                }
            } else {
                this.client.sendResponse(new AlertPurchaseFailedComposer(AlertPurchaseFailedComposer.SERVER_ERROR));
                return;
            }
            // Compute the reward BEFORE consuming the inputs. Previously the
            // inputs were deleted first, so a null reward (misconfiguration)
            // permanently destroyed the 8 furni with nothing in return.
            HabboItem reward = Emulator.getGameEnvironment().getItemManager().handleRecycle(this.client.getHabbo(), Emulator.getGameEnvironment().getCatalogManager().getRandomRecyclerPrize().getId() + "");
            if (reward == null) {
                this.client.sendResponse(new AlertPurchaseFailedComposer(AlertPurchaseFailedComposer.SERVER_ERROR));
                return;
            }
            for (HabboItem item : items) {
                this.client.getHabbo().getInventory().getItemsComponent().removeHabboItem(item);
                this.client.sendResponse(new RemoveHabboItemComposer(item.getGiftAdjustedId()));
                Emulator.getThreading().run(new QueryDeleteHabboItem(item.getId()));
            }
            this.client.sendResponse(new AddHabboItemComposer(reward));
            this.client.getHabbo().getInventory().getItemsComponent().addItem(reward);
            this.client.sendResponse(new RecyclerCompleteComposer(RecyclerCompleteComposer.RECYCLING_COMPLETE));
@@ -37,6 +37,8 @@ public class CraftingCraftItemEvent extends MessageHandler {
                    HabboItem habboItem = this.client.getHabbo().getInventory().getItemsComponent().getAndRemoveHabboItem(set.getKey());
                    if (habboItem == null) {
                        // Not enough ingredients — give back whatever we already pulled.
                        this.restoreItems(toRemove);
                        return;
                    }
@@ -70,8 +72,23 @@ public class CraftingCraftItemEvent extends MessageHandler {
                return;
            }
            // Reward creation failed after we already pulled the ingredients —
            // restore them so the craft isn't a silent item sink.
            this.restoreItems(toRemove);
        }
        this.client.sendResponse(new CraftingResultComposer(null));
    }
    private void restoreItems(TIntObjectHashMap<HabboItem> items) {
        if (items.isEmpty()) {
            return;
        }
        items.forEachValue(item -> {
            this.client.getHabbo().getInventory().getItemsComponent().addItem(item);
            this.client.sendResponse(new AddHabboItemComposer(item));
            return true;
        });
        this.client.sendResponse(new InventoryRefreshComposer());
    }
 }
@@ -49,15 +49,17 @@ public class FurniEditorSearchEvent extends MessageHandler {
            try {
                int numericQuery = Integer.parseInt(query);
                isNumeric = true;
                String likeQuery = "%" + com.eu.habbo.util.SqlLikeEscaper.escape(query) + "%";
                whereClause.append(" AND (id = ? OR sprite_id = ? OR item_name LIKE ? OR public_name LIKE ?)");
                params.add(numericQuery);
                params.add(numericQuery);
-                params.add("%" + query + "%");
+                params.add(likeQuery);
-                params.add("%" + query + "%");
+                params.add(likeQuery);
            } catch (NumberFormatException e) {
                String likeQuery = "%" + com.eu.habbo.util.SqlLikeEscaper.escape(query) + "%";
                whereClause.append(" AND (item_name LIKE ? OR public_name LIKE ?)");
-                params.add("%" + query + "%");
+                params.add(likeQuery);
-                params.add("%" + query + "%");
+                params.add(likeQuery);
            }
        }
@@ -56,7 +56,7 @@ public class HousekeepingSearchRoomsEvent extends MessageHandler {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement(sql)) {
-            statement.setString(1, exactMatch ? query : query + "%");
+            statement.setString(1, exactMatch ? query : com.eu.habbo.util.SqlLikeEscaper.escape(query) + "%");
            statement.setInt(2, limit);
            try (ResultSet set = statement.executeQuery()) {
@@ -0,0 +1,24 @@
 package com.eu.habbo.util;
 /**
 * Escapes the LIKE wildcards {@code %} and {@code _} (and the escape char itself)
 * in user-supplied search input, so they are matched literally instead of acting
 * as wildcards. Prevents wildcard-driven over-broad matches and the expensive
 * full-scans an attacker could trigger with a query like {@code "%"}. Uses
 * MariaDB's default escape character {@code \}.
 */
 public final class SqlLikeEscaper {
    private SqlLikeEscaper() {
    }
    public static String escape(String input) {
        if (input == null) {
            return "";
        }
        return input
                .replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_");
    }
 }