Senither / Hypixel-Skyblock-Assistant

A Discord bot built for the Hypixel network, allowing Discord servers to sync their guild ranks with server ranks, get stats and leaderboard information from the Skyblock gamemode.


equalsIgnoreCase allows players to verify as any UUID in VerifyCommand

Antonio32A opened this issue

At the permalink listed below, the code checks if the player's Discord tag is equal to the one which is returned by the Hypixel API, but it uses equalsIgnoreCase instead of just equals. Discord does not have this check, so User#0001 and USer#0001 are 2 different accounts, not one.

This means that if somebody were to change their Discord tag to the guild's guildmaster tag, it would allow them to verify as the guildmaster and then they would be able to execute admin commands.
This should be fixed by just changing equalsIgnoreCase to equals.

Example:

if (!player.getAsJsonObject("socialMedia").getAsJsonObject("links").get("DISCORD").getAsString().equalsIgnoreCase(event.getAuthor().getAsTag())) {

You seem to have fixed this in 925a2ce, closing.
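
The comparison described in the issue, shown beside a case-sensitive form, as an added example that is not the project's code and not the change made in 925a2ce. The class and method names are hypothetical, nested `Map`s stand in for the parsed Hypixel API player object (an assumption), and the sample tags are constructed.

```java
import java.util.Map;

public class DiscordTagCheck {
    // Form reported in the issue: letter case is ignored, so two distinct
    // Discord accounts whose tags differ only in case both pass.
    static boolean matchesIgnoringCase(String linkedTag, String authorTag) {
        return linkedTag != null && linkedTag.equalsIgnoreCase(authorTag);
    }

    // Case-sensitive form: the linked tag must equal the author's tag exactly,
    // and a missing link never matches anyone.
    static boolean matchesExactly(String linkedTag, String authorTag) {
        return linkedTag != null && linkedTag.equals(authorTag);
    }

    // Walks socialMedia -> links -> DISCORD and returns null when any level is
    // absent or is not the expected type, instead of throwing.
    static String linkedDiscordTag(Map<String, Object> player) {
        Object node = player;
        for (String key : new String[] {"socialMedia", "links", "DISCORD"}) {
            if (!(node instanceof Map)) {
                return null;
            }
            node = ((Map<?, ?>) node).get(key);
        }
        return node instanceof String ? (String) node : null;
    }

    public static void main(String[] args) {
        // Constructed sample data: one player with a linked tag, one without.
        Map<String, Object> guildmaster =
            Map.of("socialMedia", Map.of("links", Map.of("DISCORD", "User#0001")));
        Map<String, Object> noLinks = Map.of("displayname", "Someone");

        String linked = linkedDiscordTag(guildmaster);
        for (String author : new String[] {"User#0001", "USer#0001"}) {
            System.out.printf("%-10s ignoreCase=%b exact=%b%n", author,
                matchesIgnoringCase(linked, author), matchesExactly(linked, author));
        }
        System.out.println("no linked tag: exact="
            + matchesExactly(linkedDiscordTag(noLinks), "User#0001"));
    }
}
```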