Only allow http and https (#4457)

TarLaboratories · web-flow · commit 3dca9effbaf8 · 2026-01-15T21:21:32.000+03:00
diff --git a/src/main/java/com/gregtechceu/gtceu/api/misc/ImageCache.java b/src/main/java/com/gregtechceu/gtceu/api/misc/ImageCache.java
@@ -1,13 +1,15 @@
 package com.gregtechceu.gtceu.api.misc;
 
 import com.gregtechceu.gtceu.GTCEu;
+import com.gregtechceu.gtceu.config.ConfigHolder;
 
 import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.CacheLoader;
 import com.google.common.cache.LoadingCache;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -18,26 +20,50 @@ public class ImageCache {
     public static final long REFRESH_SECS = 120;
     public static final long EXPIRE_SECS = 300;
     private static final byte[] NULL_MARKER = new byte[0];
+    private static final String[] ALLOWED_PROTOCOLS = new String[] { "http", "https" };
 
     private static boolean downloading = false;
 
     private static final LoadingCache<String, byte[]> CACHE = CacheBuilder.newBuilder()
             .refreshAfterWrite(REFRESH_SECS, TimeUnit.SECONDS)
             .expireAfterAccess(EXPIRE_SECS, TimeUnit.SECONDS)
             .concurrencyLevel(3)
-            .build(CacheLoader.from(url -> {
-                if (downloading) return NULL_MARKER;
-                downloading = true;
-
-                try (InputStream stream = new URL(url).openStream()) {
-                    return stream.readAllBytes();
-                } catch (IOException e) {
-                    GTCEu.LOGGER.error("Could not load image {}", url, e);
-                    downloading = false;
+            .build(CacheLoader.from(urlString -> {
+                try {
+                    URL url = new URL(urlString);
+                    boolean singleplayer = GTCEu.getMinecraftServer().isSingleplayer() &&
+                            !GTCEu.getMinecraftServer().isPublished();
+                    boolean allowedProtocol = singleplayer;
+                    for (String protocol : ALLOWED_PROTOCOLS) {
+                        if (url.getProtocol().equalsIgnoreCase(protocol)) {
+                            allowedProtocol = true;
+                            break;
+                        }
+                    }
+                    if (!allowedProtocol) return NULL_MARKER;
+                    boolean allowedDomain = singleplayer;
+                    for (String domain : ConfigHolder.INSTANCE.gameplay.allowedImageDomains) {
+                        if (url.getHost().equalsIgnoreCase(domain)) {
+                            allowedDomain = true;
+                            break;
+                        }
+                    }
+                    if (!allowedDomain) return NULL_MARKER;
+                    if (downloading) return NULL_MARKER;
+                    downloading = true;
+
+                    try (InputStream stream = url.openStream()) {
+                        byte[] image = stream.readAllBytes();
+                        GTCEu.LOGGER.debug("Downloaded image {}! Executing callback", url);
+                        return image;
+                    } catch (IOException e) {
+                        GTCEu.LOGGER.error("Could not load image {}", url, e);
+                        return NULL_MARKER;
+                    } finally {
+                        downloading = false;
+                    }
+                } catch (MalformedURLException e) {
                     return NULL_MARKER;
-                } finally {
-                    GTCEu.LOGGER.debug("Downloaded image {}! Executing callback", url);
-                    downloading = false;
                 }
             }));
 
diff --git a/src/main/java/com/gregtechceu/gtceu/common/machine/multiblock/electric/monitor/MonitorGroup.java b/src/main/java/com/gregtechceu/gtceu/common/machine/multiblock/electric/monitor/MonitorGroup.java
@@ -4,6 +4,9 @@
 import com.gregtechceu.gtceu.api.capability.ICoverable;
 import com.gregtechceu.gtceu.api.capability.IMonitorComponent;
 import com.gregtechceu.gtceu.api.cover.CoverBehavior;
+import com.gregtechceu.gtceu.api.item.IComponentItem;
+import com.gregtechceu.gtceu.api.item.component.IItemComponent;
+import com.gregtechceu.gtceu.api.item.component.IMonitorModuleItem;
 import com.gregtechceu.gtceu.api.transfer.item.CustomItemStackHandler;
 
 import net.minecraft.core.BlockPos;
@@ -43,13 +46,29 @@ public class MonitorGroup {
     @Getter
     private int dataSlot = 0;
 
+    public static boolean isModule(ItemStack stack) {
+        if (stack.getItem() instanceof IComponentItem componentItem) {
+            for (IItemComponent itemComponent : componentItem.getComponents()) {
+                if (itemComponent instanceof IMonitorModuleItem) return true;
+            }
+        }
+        return false;
+    }
+
+    public static CustomItemStackHandler createModuleHandler() {
+        CustomItemStackHandler customItemStackHandler = new CustomItemStackHandler(1);
+        customItemStackHandler.setFilter(MonitorGroup::isModule);
+        return customItemStackHandler;
+    }
+
     public MonitorGroup(String name) {
-        this(name, new CustomItemStackHandler(1), new CustomItemStackHandler(8));
+        this(name, createModuleHandler(), new CustomItemStackHandler(8));
     }
 
     public MonitorGroup(String name, CustomItemStackHandler handler, CustomItemStackHandler placeholderSlotsHandler) {
         this.name = name;
         this.itemStackHandler = handler;
+        this.itemStackHandler.setFilter(MonitorGroup::isModule);
         this.placeholderSlotsHandler = placeholderSlotsHandler;
     }
 
diff --git a/src/main/java/com/gregtechceu/gtceu/common/network/packets/SCPacketMonitorGroupNBTChange.java b/src/main/java/com/gregtechceu/gtceu/common/network/packets/SCPacketMonitorGroupNBTChange.java
@@ -12,6 +12,7 @@
 import net.minecraft.world.item.ItemStack;
 import net.minecraft.world.level.Level;
 import net.minecraftforge.common.util.LogicalSidedProvider;
+import net.minecraftforge.items.IItemHandlerModifiable;
 import net.minecraftforge.network.NetworkEvent;
 
 import java.util.Optional;
@@ -50,8 +51,11 @@ public void execute(NetworkEvent.Context context) {
 
         MetaMachine machine = MetaMachine.getMachine(level, pos);
         if (machine instanceof CentralMonitorMachine centralMonitor) {
-            centralMonitor.getMonitorGroups().get(monitorGroupId)
-                    .getItemStackHandler().setStackInSlot(0, stack);
+            IItemHandlerModifiable itemHandler = centralMonitor.getMonitorGroups().get(monitorGroupId)
+                    .getItemStackHandler();
+            if (ItemStack.isSameItem(itemHandler.getStackInSlot(0), stack)) {
+                itemHandler.setStackInSlot(0, stack);
+            }
         }
     }
 
diff --git a/src/main/java/com/gregtechceu/gtceu/config/ConfigHolder.java b/src/main/java/com/gregtechceu/gtceu/config/ConfigHolder.java
@@ -739,6 +739,10 @@ public static class GameplayConfigs {
         @Configurable.Comment({ "How much environmental hazards decay per chunk, per tick.",
                 "Default: 0.001" })
         public float environmentalHazardDecayRate = 0.001f;
+        @Configurable
+        @Configurable.Comment({ "List of domains that are allowed in the image module" })
+        public String[] allowedImageDomains = new String[] { "imgur.com", "discord.com", "github.com",
+                "raw.githubusercontent.com" };
     }
 
     public static class ClientConfigs {
