Description
Describe the bug
I'm the maintainer of https://github.com/NikOverflow/ExploitPreventer
A Fabric mod that fixes client-side exploits like resource pack local HTTP request stuff, fingerprinting and translation key reading.
Someone reported an issue yesterday that translation keys can still be read, and I fixed that issue. Now I tested this client and it is possible too.
In text components we have something called the with tag. This is for placeholder stuff. For example, if I have the following text component: {"translate": "someKey", "with": ["test"]}

Now let's say the key exists and the translation contains a %s; then the %s will be replaced with test. Now the issue is that with can be a whole text component, like this: {"translate": "someKey", "with": [{"translate": "someOtherKey"}]}

Now it will replace %s with the translation key. The with thing can be recursive, so you can have nested withs in it. Of course you can also use keybind and not only translate. The %s can be used not only in the language file itself. It can also be used in "translate" and "fallback".
Now of course you can fix this whole issue and it is done, but I do not recommend it. I would recommend that you just include my mod, because then you do not have to maintain that part. I'm leading a research group that searches for issues like this and tries to fix them.
Steps to reproduce
- Join a server with a plugin that can get the sign translation the client is sending to the server
- Use this command to create the sign: /setblock ~ ~ ~ oak_sign{front_text:{messages:[{"translate":"%s", "with": [{"translate": "key.category.meteor-client.meteor-client"}]},"","", ""]}} replace
- Test if it leaks the meteor client translation value.
Meteor Version
1.21.10-33
Minecraft Version
1.21.10
Operating System
Linux
Before submitting a bug report
- This bug wasn't already reported (I have searched bug reports on GitHub).
- This is a valid bug (I am able to reproduce this on the latest dev build).
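
An added example, not part of the original issue or of either project's code: a recursive audit of the text-component shape described above, listing every translate or keybind reference at any depth (including inside with arguments) that is not on an allowlist. The allowlist contents, the function names and the second sample input are assumptions made for illustration.

```python
import json

# Assumption: a tiny stand-in allowlist; a real check would load the keys of
# the vanilla language file and the vanilla keybind names.
VANILLA_KEYS = {"chat.type.text", "key.jump", "block.minecraft.oak_sign"}

def referenced_keys(component, path="$"):
    """Yield (path, kind, key) for each translate/keybind at any depth."""
    if isinstance(component, list):
        for i, item in enumerate(component):
            yield from referenced_keys(item, f"{path}[{i}]")
    elif isinstance(component, dict):
        for kind in ("translate", "keybind"):
            if isinstance(component.get(kind), str):
                yield path, kind, component[kind]
        # "with" arguments and "extra" children are full components too,
        # so a check that stops at the top level never sees them.
        for field in ("with", "extra"):
            children = component.get(field)
            if isinstance(children, list):
                for i, child in enumerate(children):
                    yield from referenced_keys(child, f"{path}.{field}[{i}]")
    # Bare strings and numbers are literal text and reference nothing.

def non_vanilla_references(raw_json, allowed=VANILLA_KEYS):
    """Return every reference whose key is not on the allowlist."""
    component = json.loads(raw_json)
    return [ref for ref in referenced_keys(component) if ref[2] not in allowed]

# Constructed inputs: the first sign line from the reproduction steps, and a
# deeper nesting of the same shape with a vanilla keybind beside it.
SIGN_LINE = ('{"translate":"%s", "with": '
             '[{"translate": "key.category.meteor-client.meteor-client"}]}')
NESTED = json.dumps({"translate": "chat.type.text", "with": [
    "Steve",
    {"translate": "%s %s", "with": [
        {"keybind": "key.jump"},
        {"translate": "key.category.meteor-client.meteor-client"}]}]})

if __name__ == "__main__":
    for raw in (SIGN_LINE, NESTED):
        for path, kind, key in non_vanilla_references(raw):
            print(f"{path}: {kind} {key!r}")
```

The reported path shows where in the nesting the non-vanilla key sits, which is the part a top-level-only check misses.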