Wire entities not checking permission before creating constraint lead to exploit with AdvDupe2
Describe the bug
The Wire Socket and Wire Plug create a weld constraint between one another without checking WireLib.CanTool. This lets anyone create a plug and link it to another player's socket, allowing them to copy the entire build with AdvDupe2, despite the player not giving permission at all.
The Wire Grabber does check WireLib.CanTool but only for its owner and not the owner of the prop being grabbed. However, it still prevents duplication of the constrained entities since it overwrites the type of the constraint.
wire/lua/entities/gmod_wire_grabber.lua
Lines 106 to 109 in 53a70a2
To Reproduce
Steps to reproduce the behavior:
- Make sure both players do not have permission to touch each other's props
- Have Player1 place a Wire Socket on their own build
- Have Player2 spawn a Wire Plug and link it to the socket
- Have Player2 copy the plug with AdvDupe2
- The entire build belonging to Player1 should now be copied by Player2
Expected behavior
Both owners should need to give tool permission for the constraint to be created. Optionally the constraint type can be overwritten to prevent duplication of it and the other connected entities entirely.
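
A plain-Lua model of the expected behavior described in this issue, added here as an illustration; it is not code from Wiremod or AdvDupe2. `grants`, `canTool`, `link`, `dupeCount` and the `duplicable` field are hypothetical stand-ins for the prop-protection query, the constraint creation and the duplicator's traversal, and the entities are constructed from the reproduction steps.

```lua
-- Constructed model; runs in plain Lua, outside Garry's Mod.
-- grants[owner][player] = true: `owner` lets `player` use tools on their props.
local grants = { Player1 = {}, Player2 = {} }

-- Hypothetical stand-in for a prop-protection query such as WireLib.CanTool.
local function canTool(player, ent)
  return ent.owner == player or grants[ent.owner][player] == true
end

-- policy "none": no check (the reported plug/socket behaviour).
-- policy "both": each owner must be allowed to tool the other's entity.
-- noDupe models overwriting the constraint type so a duplicator skips it.
local function link(policy, plug, socket, noDupe)
  local allowed = canTool(plug.owner, socket) and canTool(socket.owner, plug)
  if policy == "both" and not allowed then return nil end
  return { a = plug, b = socket, duplicable = not noDupe }
end

-- Simplified duplicator: count entities reachable from `start` through
-- duplicable constraints (assumed traversal, not AdvDupe2's actual code).
local function dupeCount(start, constraints)
  local seen, stack, count = { [start] = true }, { start }, 1
  while #stack > 0 do
    local ent = table.remove(stack)
    for _, c in ipairs(constraints) do
      local other = (c.a == ent and c.b) or (c.b == ent and c.a)
      if c.duplicable and other and not seen[other] then
        seen[other], count = true, count + 1
        stack[#stack + 1] = other
      end
    end
  end
  return count
end

-- Constructed scenario from the reproduction steps: Player1's socket is
-- welded to the rest of Player1's build; Player2 owns only the plug.
local base, socket = { owner = "Player1" }, { owner = "Player1" }
local plug = { owner = "Player2" }
local function scenario(label, newLink)
  local constraints = { { a = base, b = socket, duplicable = true }, newLink }
  print(label, dupeCount(plug, constraints))
end

scenario("no check", link("none", plug, socket))
scenario("both owners checked, no grants", link("both", plug, socket))
grants.Player1.Player2, grants.Player2.Player1 = true, true
scenario("both owners checked, mutual grants", link("both", plug, socket))
scenario("mutual grants, non-duplicable link", link("both", plug, socket, true))
```

The number printed for each case is how many entities a copy started from Player2's plug would include under that policy.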